> My problem with this position is that it seems to argue for
> proprietary one-off solutions vs. Internet standards for email
> authentication policy assertions.
That's certainly a reasonable concern. I expect that if it turns out
there are more discardable domains than Paypal, people would use
shared drop lists, just like they use shared blacklists and whitelists
of IP addresses and domains now.
Last year Paul Hoffman, Arvel Hathcock and I published RFC 5518 on
Vouch by Reference, which we intended as a way to publish whitelists
of responsible domains, originally DKIM signing domains but also
usable for domains that pass SPF -all. It would only take a small
tweak to VbR to use it to publish shared drop lists.
VbR is deliberately really simple; it's a single DNS lookup: prepend the
name you're looking up to _vouch and the VbR service's name. The result
is a TXT record saying what kind of mail it's vouching for, with the
list currently being all, list, or transaction.
We could add "discardable" as a VbR field, and do lookups like this,
for a list called drop.services.net.

    $ dig info.paypal.ca._vouch.drop.services.net txt
    ; <<>> DiG 9.6.1-P1 <<>> info.paypal.ca._vouch.drop.services.net txt
    ;; QUESTION SECTION:
    ;info.paypal.ca._vouch.drop.services.net. IN TXT
    ;; ANSWER SECTION:
    info.paypal.ca._vouch.drop.services.net. 7200 IN TXT "transaction discardable"

(This really works, by the way. Try it!)
There'd be some other minor tweaks to VbR to bypass an optimization in
VbR that puts hints in the mail about where to look, obviously not
useful if you're looking up mail that you suspect is a phish.
At this point my published drop list contains paypal domains, who
publish ADSP, and ebay and amazon who don't publish ADSP, but who send
transaction mail, all of which is, as far as I can tell, signed. Looking
at the rest of the signatures in my archive, I don't see any other
reasonable candidates yet.
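
The drop-list lookup described in the message above, as an added example (not code from the post or from the RFC 5518 authors). The function names and the receiver policy in `disposition` are assumptions; the policy follows ADSP's meaning of "discardable", and the DNS query itself is left to whatever resolver the filter already uses.

```python
import re
import shlex

DROP_TOKEN = "discardable"  # field proposed in the post; not defined in RFC 5518
_LABEL = re.compile(r"^(?!-)[a-z0-9_-]{1,63}(?<!-)$")
# Answer line copied from the dig output in the post.
PAGE_ANSWER = ('info.paypal.ca._vouch.drop.services.net. 7200 IN TXT '
               '"transaction discardable"')

def vbr_query_name(domain, service):
    """Prepend the domain being checked to _vouch and the list's name."""
    names = [n.strip().rstrip(".").lower() for n in (domain, service)]
    for name in names:
        # The domain comes from suspect mail, so validate it before it
        # becomes part of a DNS query.
        if not name or not all(_LABEL.match(l) for l in name.split(".")):
            raise ValueError(f"not a usable DNS name: {name!r}")
    qname = f"{names[0]}._vouch.{names[1]}"
    if len(qname) > 253:
        raise ValueError("query name too long")
    return qname

def txt_from_dig_answer(line):
    """Join the quoted character-strings of one dig TXT answer line."""
    parts = shlex.split(line)
    if "TXT" not in parts:
        raise ValueError("not a TXT answer line")
    return "".join(parts[parts.index("TXT") + 1:])

def vouch_tokens(txt):
    """Split the TXT payload into its space-separated tokens."""
    return set(txt.lower().split()) if txt else set()

def disposition(has_valid_author_signature, txt):
    """Hypothetical receiver policy; txt is None when nothing is published."""
    if DROP_TOKEN not in vouch_tokens(txt):
        return "no-opinion"   # domain is not on the drop list
    return "accept" if has_valid_author_signature else "discard"

if __name__ == "__main__":
    print(vbr_query_name("info.paypal.ca", "drop.services.net"))
    txt = txt_from_dig_answer(PAGE_ANSWER)
    print(sorted(vouch_tokens(txt)), disposition(False, txt))
```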