Per Jessen wrote:
* poo#109025 - dmarc/spf/dkim etc. (I'll add some comments in a separate post).
I've already updated the ticket, but let me elaborate - I don't think there is any real need to implement dmarc/spf/dkim for "opensuse.org". This has to be seen in the light of how we operate - we have hundreds of members who use the opensuse alias from wherever they are. Effectively this means we have to permit anyone to send an email from "@opensuse.org" from anywhere, hence it makes little sense to talk about dmarc/spf/dkim.

Lars mentioned that DMARC has been requested for opensuse for a while. I presume this request is coming from SUSE-IT. While I still fail to see what we would gain from it, I am happy to entertain the idea.

For DMARC to make any sense:

a) we would need a central service to add the DMARC signatures.
b) all of our users would need to send their outgoing mails from "opensuse.org" through this service.

This is fairly easy to do, it's "just" an SMTP server with user authentication.

Here is the not so easy part: With hundreds of user credentials spread around the world in uncontrolled/insecure locations, the risk of one getting compromised or "borrowed" cannot be ignored. It is a spammer's wet dream - access to a mailserver with DMARC authentication. If our outgoing mailserver is seen to be spamming, it won't be long before we can't send anything at all.

To mitigate this risk, we will need rate controls and checks on userids being used from multiple locations. A lot less easy, but still it can be done.

The question is - is it worth it?

--
Per Jessen, Zürich (10.8°C)
Member, openSUSE Heroes
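
The mitigation named in the message above (rate controls and checks on userids being used from multiple locations), sketched as an added example that is not part of the original post or of any openSUSE tooling. The event format, thresholds, window length, userids and addresses are all assumptions made for illustration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed policy values, not taken from the post.
WINDOW = timedelta(minutes=10)  # sliding window per user
MAX_MSGS = 5                    # messages allowed per window
MAX_SOURCES = 2                 # distinct client IPs allowed per window

# Constructed sample of authenticated submissions: (ISO time, userid, client IP).
# Userids are invented; addresses come from the RFC 5737 documentation ranges.
SAMPLE_EVENTS = (
    # bob: 7 messages in 30 seconds from one address (burst)
    [(f"2022-01-01T10:00:{s:02d}", "bob", "198.51.100.7") for s in range(0, 35, 5)]
    + [
        # carol: three different addresses within four minutes
        ("2022-01-01T10:01:00", "carol", "192.0.2.10"),
        ("2022-01-01T10:03:00", "carol", "198.51.100.20"),
        ("2022-01-01T10:05:00", "carol", "203.0.113.30"),
        # dave: two addresses four hours apart (a member who simply moved)
        ("2022-01-01T08:00:00", "dave", "192.0.2.44"),
        ("2022-01-01T12:00:00", "dave", "203.0.113.45"),
    ]
)

def evaluate(events, window=WINDOW, max_msgs=MAX_MSGS, max_sources=MAX_SOURCES):
    """Return (time, userid, reason) for every submission that breaks policy."""
    recent = defaultdict(deque)  # userid -> (time, ip) pairs still inside the window
    alerts = []
    for ts, user, ip in sorted(events):
        now = datetime.fromisoformat(ts)
        seen = recent[user]
        seen.append((now, ip))
        while now - seen[0][0] > window:  # drop entries older than the window
            seen.popleft()
        if len(seen) > max_msgs:
            alerts.append((ts, user, "rate"))
        if len({addr for _, addr in seen}) > max_sources:
            alerts.append((ts, user, "sources"))
    return alerts

if __name__ == "__main__":
    for alert in evaluate(SAMPLE_EVENTS):
        print(*alert)
```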