I recently saw invent.kde.org/websites/kde-org/-/blob/dc2aeb752abb083941dd532ee8772a5d9af4490b/static/.well-known/security.txt, which states the undermentioned:
KDE is an open source community, so it is not a vulnerability to see the code for the sourcecode. Not having DMARC is not a vulnerability either. If you’ve just run some automated tooling, found something trivial then reached out with the expectation of cashing in, you’re going to be disappointed.
That’s quite funny, but a little worrisome, so I did some searching and located the origin of that disclaimer – mail.kde.org/pipermail/kde-www/2021-March/007890.html, which states:
In this instance, we are well aware of the lack of a DMARC record. At this time it is an intentional omission on our part, due to various processes and workflows we have which are incompatible with DMARC.
That’s fairly understandable, and was especially so in 2021. However, since then, the sole place I’ve ever seen DMARC failures has been the MoD, which isn’t a role model anyone should follow.
…Though, this lack of notices includes mail from KDE – my e-mail middleman informs me of DMARC (plus SPF, etcetera) failures, and I’ve never seen one for KDE. Consequently, has this been remediated?
I ask because I’d rather like to be able to trust that a message sent from the domain is in some capacity authorised by the organisation (rather than merely being a string in a header).
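To make concrete what "authorised by the organisation rather than merely a string in a header" means in DMARC terms, here is an added example (not code from the original post, KDE, or any mail server) that applies a published DMARC record to the SPF and DKIM results a receiving server has already computed. The record text, the From domains and the authentication results are all constructed inputs; the organisational-domain helper is a deliberate approximation (real receivers consult the Public Suffix List), and the `pct=` sampling tag is parsed but not applied.

```python
"""DMARC policy evaluation, added illustration (not from the original post).

Inputs: the TXT record a receiver would fetch from _dmarc.<domain>, the
RFC5322.From domain of the message, and the SPF / DKIM verdicts plus the
domains those verdicts were produced for. Output: whether DMARC passes and,
if not, the disposition the domain owner asked for. All values constructed.
"""
from dataclasses import dataclass
from typing import Optional


def parse_dmarc_record(txt: str) -> dict:
    """Parse 'v=DMARC1; p=reject; adkim=s; ...' into a dict with RFC defaults."""
    tags = {}
    for part in txt.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            raise ValueError(f"malformed DMARC tag: {part!r}")
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":
        raise ValueError("not a DMARC1 record")
    if "p" not in tags:
        raise ValueError("DMARC record lacks the required p= tag")
    tags.setdefault("adkim", "r")        # DKIM alignment: relaxed by default
    tags.setdefault("aspf", "r")         # SPF alignment: relaxed by default
    tags.setdefault("sp", tags["p"])     # subdomain policy defaults to p=
    tags.setdefault("pct", "100")        # sampling, parsed but not applied here
    return tags


def org_domain(domain: str) -> str:
    """Approximate organisational domain: the last two labels.
    Adequate for domains like kde.org; a real receiver uses the Public Suffix List."""
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def aligned(from_domain: str, auth_domain: str, mode: str) -> bool:
    """Strict ('s') alignment needs an exact match; relaxed ('r') needs the
    same organisational domain, so a DKIM d=kde.org signs for lists.kde.org."""
    if mode == "s":
        return from_domain.lower() == auth_domain.lower()
    return org_domain(from_domain) == org_domain(auth_domain)


@dataclass
class DmarcResult:
    result: str        # "pass", "fail" or "none" (no record published)
    disposition: str   # "none", "quarantine" or "reject"
    reason: str


def evaluate_dmarc(record: Optional[str], from_domain: str,
                   spf_result: str, spf_domain: Optional[str],
                   dkim_result: str, dkim_domain: Optional[str]) -> DmarcResult:
    """Apply the DMARC record to already-computed SPF/DKIM verdicts.

    Without a record the From: header is just a string: no policy can be
    applied, so the receiver has nothing to enforce ("none").
    """
    if record is None:
        return DmarcResult("none", "none", "no DMARC record published for domain")
    tags = parse_dmarc_record(record)

    # An identifier only counts if it passed AND is aligned with the From domain.
    spf_ok = bool(spf_result == "pass" and spf_domain
                  and aligned(from_domain, spf_domain, tags["aspf"]))
    dkim_ok = bool(dkim_result == "pass" and dkim_domain
                   and aligned(from_domain, dkim_domain, tags["adkim"]))
    if spf_ok or dkim_ok:
        via = "spf" if spf_ok else "dkim"
        return DmarcResult("pass", "none", f"aligned {via} pass")

    # Neither identifier authenticates the From domain: apply the owner's policy,
    # using sp= when the From domain is a subdomain of the organisational domain.
    is_subdomain = from_domain.lower() != org_domain(from_domain)
    policy = tags["sp"] if is_subdomain else tags["p"]
    return DmarcResult("fail", policy, "no aligned SPF or DKIM pass")


if __name__ == "__main__":
    # Constructed scenario: a message claiming From: @kde.org, relayed by a host
    # outside kde.org's SPF and carrying no DKIM signature.
    print(evaluate_dmarc(None, "kde.org", "fail", "relay.example", "none", None))
    print(evaluate_dmarc("v=DMARC1; p=reject", "kde.org", "fail", "relay.example", "none", None))
    # Mailing-list style forwarding: envelope sender is the list's domain so SPF
    # cannot align, but an intact DKIM signature from kde.org still passes.
    print(evaluate_dmarc("v=DMARC1; p=reject", "kde.org",
                         "pass", "lists.example.org", "pass", "kde.org"))
```

The second and third calls show the two sides of the post's question: with no record, a forged `From: kde.org` simply yields "none" and the header is trusted only as far as the receiver chooses; with `p=reject` it is rejected, while a genuine message forwarded through a list survives as long as its DKIM signature is preserved. That last case is exactly the kind of workflow DMARC deployments have to verify before tightening the policy.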