Launchpad is really completely in the wrong here as far as DMARC compliance for its notification email is concerned.
The same rules apply to Facebook, GitHub, and any other site on the Internet. If the user's domain doesn't list you as an authorized sender, you shouldn't be impersonating them with the "From:" address.
Launchpad isn't somehow special here. Launchpad's email notices are indistinguishable from malicious forgery.
I was also very unpleasantly surprised that in addition to violating my domain's DMARC policy, Launchpad is disclosing my private email address despite my having checked the "Hide my email addresses from other Launchpad users" option.
Launchpad is really completely in the wrong here as far as DMARC compliance for its notification email is concerned.
The same rules apply to Facebook, GitHub, and any other site on the Internet. If the user's domain doesn't list you as an authorized sender, you shouldn't be impersonating them with the "From:" address.
Launchpad isn't somehow special here. Launchpad's email notices are indistinguishable from malicious forgery.
I was also very unpleasantly surprised that in addition to violating my domain's DMARC policy, Launchpad is disclosing my private email address despite my having checked the "Hide my email addresses from other Launchpad users" option.