On 16 April 2014 21:57, John R Levine <johnl(_at_)taugh(_dot_)com> wrote:
This means that mailing lists (and other forwarding cases) are enforced
into having DMARC records in order to forward DMARC originating messages,
which seems reasonable, and the Sender addresses must also be relatively
sensible, which they normally are already.
I may be missing something.
How do I distinguish the nice mailing lists at ietf.org from random evil
spammer domains sending spam with List-ID headers?
Every proposal I've seen like this ends up tripping over the fact that
there is no technical way to distinguish between mail from real mailing
lists and spam that looks like it's from mailing lists. Hence you need a
whitelist for the real mail, at which point all of the mechanism beyond the
key for the whitelist (probably a DKIM signature) is superfluous.
There's no more need for whitelist here than on DMARC mail as things stand,
of course, but it does mean that senders need tracking as well as authors,
and senders need to be explicit and reliable. I'd assume reputation
services (of which whitelists are just an extreme case) would be in play
regardless.
Let's consider the message to which I am replying.
Right now, my MUA treats this as a message "From John R Levine <
johnl(_at_)taugh(_dot_)com>". This means that any policy on the message
origination
comes from looking solely at the taugh.com domain. We'll pretend it has a
DMARC policy. Herein lies the Yahoo/DMARC issue, because unless your policy
essentially stipulates that the IETF is allowed to spoof you, we're stuck.
What I'm suggesting is not that, but that my MUA notes that the poloicy of
taugh.com allows different senders, and switches to considering the sender
domain - in this case, ietf.org. Any p or sp tag in the ietf.org policy is
ignored, however, and treated as p=reject/sp=reject; in addition since
taugh.com has a DMARC policy, it must also have one to forward taugh.comemail.
My spam filtering now has two cases to consider: Firstly, it needs to
decide whether ietf.org is behaving legitimately, and secondly whether I
want to read mail from you.
You can put it another way, too - my proposal is essentially saying that
the From dictates failure policy, reporting, and handling, but the Sender
is used for enforcement.
One additional thing is required from MUAs, though, which is to ensure the
UI clearly shows that the message is not sent by you (directly, at least);
this allows a human reader to easily see it's a mailing list message - or
for that matter easily see it's from an unexpected sender.
Dave.