On Sat, 22 May 2010, Dave Crocker wrote:
If there is a desire and need to have the semantic be "came from the
mailing list" then there needs to be a mailing list equivalent to ADSP,
which correlates a DKIM signature with the domain in a List-ID header
That's not necessary.
The weakness of the "except-mlist" approach is not the difficulty of
authenticating that a given mail really is from the list it purports to be
from. We have off-the-shelf technology to do that: the list manager just
needs to use a constant MAIL FROM: domain, and protect that domain with
It requires some cooperation from the list owner, but so would "LDSP".
Only if you have irrational Not Invented Here sentiments towards SPF does
LDSP become needed. The SPF approach has the advantage that some lists
are already in compliance, by accident.
Rather, the weakness of "except-mlist" is that it requires that the MX
know which mailing lists each mailbox is legitimately subscribed to.
Without that, the badguys can pretend the victim subscribes to lists they
Now, people keep arguing that "except-mlist" is pointless because no
regular ISP is so well informed about its own users. But vanity domains
like mine *do have the needed intelligence*.
The only further knowledge they need, is which sites are publishing
"unknown" because they don't sign everything yet, and which sites are
publishing "unknown" solely because of the mailing list problem.
---- Michael Deutschmann <michael(_at_)talamasca(_dot_)ocis(_dot_)net>
NOTE WELL: This list operates according to