Open amyxzhang opened 8 years ago
Also look into DKIM: https://en.wikipedia.org/wiki/DomainKeys_Identified_Mail
I think it's really important we get this implemented soon for squadbox. Otherwise, one could very easily spoof the "From" header with an address they suspect is whitelisted (such as the user's own email address, auto-confirm@amazon.com, etc.) to get around moderation.
(and of course people could also do this to post as someone else on a murmur group)
We've been working on verifying senders whose messages we receive and displaying the results of that to our users. But we still need to convince other clients that murmur itself is trustworthy. Basically, we should make Google stop giving people warnings on messages sent by us. Even if we put "verified" or add some header to our message, Gmail doesn't understand that.
This section explains the issue really well, and gives various proposed ways for mailing list software to deal with it along with their pros and cons.
So apparently Mailman fixed this by doing 3B, or a variation where the original post is wrapped in another message: https://wiki.list.org/DEV/DMARC
And LISTSERV fixed it by using 3C, described in the above link (http://www.lsoft.com/news/2014/listserv160-2014a-us.asp)
Should think more about what is best solution for us but these are good starting points.
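To make the two options above concrete, here is an added example (not code from this issue, squadbox or murmur) of both mitigations in plain Python: 3C rewrites the From: header to the list's own address so the authentication the list adds on the way out lines up with the visible sender, keeping the author in the display name and in Reply-To:; 3B sends a fresh message from the list with the original post attached as a message/rfc822 part so the author's own DKIM signature stays intact inside it. The DMARC lookup is a constructed table standing in for a DNS query of the `_dmarc.<domain>` TXT record, the sample post is constructed, and the `X-Original-From` header name is this example's own choice.

```python
"""Added example (not squadbox/murmur code): the two mailing-list DMARC
workarounds, 3C (From munging) and 3B (wrapping), with the standard library.

The DMARC lookup below is a constructed table standing in for a DNS query
of the _dmarc.<domain> TXT record. X-Original-From is this example's own
header name, not a standard one.
"""
from email import message_from_string, policy
from email.message import EmailMessage
from email.utils import formataddr, parseaddr

# refold_source="none" leaves header folding from the inbound message alone,
# which matters for 3B: the author's DKIM signature covers those headers.
RELAY_POLICY = policy.default.clone(refold_source="none")

# Constructed stand-in for DNS: _dmarc.<domain> TXT records.
FAKE_DMARC_RECORDS = {
    "yahoo.com": "v=DMARC1; p=reject; pct=100",
    "example.org": "v=DMARC1; p=none; rua=mailto:dmarc@example.org",
}


def dmarc_policy(domain):
    """Return the p= tag of the domain's DMARC record, 'none' if absent."""
    record = FAKE_DMARC_RECORDS.get(domain.lower())
    if not record:
        return "none"
    tags = {}
    for tag in record.split(";"):
        key, sep, value = tag.strip().partition("=")
        if sep:
            tags[key.strip().lower()] = value.strip().lower()
    return tags.get("p", "none")


def parse_post(raw):
    return message_from_string(raw, policy=RELAY_POLICY)


def author_address(msg):
    return parseaddr(str(msg["From"]))[1]


def needs_mitigation(msg):
    """True when relaying the post with From: intact would be rejected or
    quarantined by receivers that enforce the author domain's DMARC."""
    domain = author_address(msg).rpartition("@")[2]
    return dmarc_policy(domain) in ("reject", "quarantine")


def munge_from(msg, list_addr):
    """3C: rewrite From: (in place) so the list domain is the one that gets
    authenticated; the author stays visible and reachable."""
    name, addr = parseaddr(str(msg["From"]))
    list_name = list_addr.split("@")[0]
    del msg["From"]
    msg["From"] = formataddr((f"{name or addr} via {list_name}", list_addr))
    msg["X-Original-From"] = addr          # header name is this example's choice
    if "Reply-To" not in msg:
        msg["Reply-To"] = addr             # replies still reach the author
    return msg


def wrap_message(msg, list_addr):
    """3B: new outer message from the list, original attached as-is."""
    outer = EmailMessage(policy=RELAY_POLICY)
    outer["From"] = list_addr
    outer["To"] = str(msg["To"])
    outer["Subject"] = str(msg["Subject"])
    outer["Reply-To"] = author_address(msg)
    outer.set_content(
        f"Message from {author_address(msg)} to the list, attached unmodified."
    )
    outer.add_attachment(msg)              # becomes a message/rfc822 part
    return outer


def prepare_for_relay(raw, list_addr, mode="munge"):
    """Parse an inbound post; apply the mitigation only when it is needed."""
    msg = parse_post(raw)
    if not needs_mitigation(msg):
        return msg
    if mode == "wrap":
        return wrap_message(msg, list_addr)
    return munge_from(msg, list_addr)


# Constructed sample post from a domain that publishes p=reject.
SAMPLE_POST = """\
From: Alice Example <alice@yahoo.com>
To: group@murmur.example
Subject: Hello list
DKIM-Signature: v=1; a=rsa-sha256; d=yahoo.com; s=s2048; h=from:to:subject; bh=abc; b=def
Message-ID: <1234@yahoo.com>

Hi everyone
"""

if __name__ == "__main__":
    print(prepare_for_relay(SAMPLE_POST, "group@murmur.example").as_string())
    print(prepare_for_relay(SAMPLE_POST, "group@murmur.example", "wrap").as_string())
```

Either variant only changes posts whose author domain publishes `p=reject` or `p=quarantine`; posts from `p=none` domains go out untouched. With 3C the list must then sign (DKIM) and publish SPF for its own domain, since that is now the domain receivers evaluate.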
http://www.openspf.org/
We should check email senders and their IP addresses against the SPF record if it exists. Major email providers should have one.
We should also register our IP address and email in the SPF records (so people are less likely to spoof our email addresses).
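An added example (not murmur's own code) of the SPF check proposed here, together with the moderation-bypass rule it makes possible. SPF authenticates the envelope sender (the SMTP MAIL FROM domain) against the connecting IP, not the From: header a reader sees, so the bypass check below also requires the envelope domain to match the From: domain before a whitelisted address can skip moderation; otherwise an attacker could pass SPF for their own domain while showing a whitelisted From:. DNS is replaced by a constructed table of TXT records (`murmur.example` shows the kind of record the list server itself would publish), mechanisms that need further DNS (`a`, `mx`, `ptr`, `exists`) are deliberately left out and raise NotImplementedError, and a production deployment should use a full implementation such as pyspf.

```python
"""Added example (not murmur code): minimal SPF evaluation plus a
moderation-bypass check that only trusts a whitelisted From: when the
envelope sender passes SPF and its domain matches the From: domain.

DNS is replaced by a constructed table; only ip4, ip6, include, all and
redirect= are supported. a/mx/ptr/exists raise NotImplementedError.
"""
import ipaddress
from email.utils import parseaddr

# Constructed stand-in for DNS TXT lookups. murmur.example is the sort of
# record the list server would publish for its own outbound IP.
FAKE_SPF_RECORDS = {
    "example.com": "v=spf1 ip4:192.0.2.0/24 include:_spf.mailhost.example -all",
    "_spf.mailhost.example": "v=spf1 ip4:198.51.100.10 ip6:2001:db8::/32 -all",
    "murmur.example": "v=spf1 ip4:203.0.113.5 -all",
    "softfail.example": "v=spf1 ip4:203.0.113.0/24 ~all",
    "attacker.example": "v=spf1 ip4:203.0.113.99 -all",
    "mxonly.example": "v=spf1 mx -all",
}

QUALIFIER_RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
MAX_LOOKUPS = 10  # RFC 7208 caps DNS-causing terms at 10; also stops include loops


def lookup_spf(domain):
    return FAKE_SPF_RECORDS.get(domain.lower())


def check_spf(ip, domain, _lookups=0):
    """Return the SPF result for connecting IP `ip` and MAIL FROM `domain`."""
    if _lookups > MAX_LOOKUPS:
        return "permerror"
    record = lookup_spf(domain)
    if record is None:
        return "none"
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"
    addr = ipaddress.ip_address(ip)
    redirect = None
    for term in terms[1:]:
        term = term.lower()
        if term.startswith("redirect="):
            redirect = term.partition("=")[2]
            continue
        if "=" in term:  # other modifiers (exp=...) carry no verdict
            continue
        qualifier = "+"
        if term[0] in QUALIFIER_RESULT:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        if name == "all":
            matched = True
        elif name in ("ip4", "ip6"):
            try:
                net = ipaddress.ip_network(arg, strict=False)
            except ValueError:
                return "permerror"
            matched = addr.version == net.version and addr in net
        elif name == "include":
            _lookups += 1
            matched = check_spf(ip, arg, _lookups) == "pass"
        else:
            raise NotImplementedError(f"SPF mechanism {name!r} needs DNS")
        if matched:
            return QUALIFIER_RESULT[qualifier]
    if redirect:
        return check_spf(ip, redirect, _lookups + 1)
    return "neutral"


def should_bypass_moderation(sender_ip, mail_from, from_header, whitelist):
    """Let a whitelisted From: skip moderation only if the envelope sender
    passes SPF and its domain is the From: domain (SPF alignment)."""
    from_addr = parseaddr(from_header)[1].lower()
    if from_addr not in {w.lower() for w in whitelist}:
        return False
    mf_domain = mail_from.rpartition("@")[2].lower()
    if check_spf(sender_ip, mf_domain) != "pass":
        return False
    return from_addr.rpartition("@")[2] == mf_domain


if __name__ == "__main__":
    wl = ["alice@example.com", "auto-confirm@amazon.com"]
    print(check_spf("192.0.2.10", "example.com"))
    print(should_bypass_moderation("203.0.113.99", "bob@attacker.example",
                                   "Alice <alice@example.com>", wl))
```

The `sender_ip` and `mail_from` values come from the SMTP session (or the receiving MTA's `Received:` / `Return-Path:` headers), not from anything inside the message body; checking the From: header's domain against SPF on its own proves nothing.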