ietf-822

Re: [ietf-822] WSJ/gmail/ML, was a permission to...

2014-05-04 15:29:40
>> FWIW, I agree with Arnt on this one. In fact the case has yet to be made that
>> DKIM-based whitelisting of list mail is more than a nice-to-have; per-user
>> whitelisting on the basis of List-id alone along with the usual checks for
>> blatant viruses and whatnot seems to work pretty well.

> Currently, I agree with you.  But if List-ID always meant to skip the
> DMARC rejection checks, how long would it take for every paypal.com phish
> to include a List-ID?  Presumably competent filters would subsequently
> catch it, but it would make DMARC, which is intended to be a cheap
> anti-phish technique, totally pointless.

One way or another, the Internet routes around what it perceives to be damage.
There is absolutely no question that DMARC usage by domains that aren't purely
transactional in nature is being seen as damage. So the only question isn't
whether this damage will be contained, it's how.

Now, it's entirely possible that it will be done in a way that leaves DMARC
intact. But it is also possible that it will be done in ways that leave DMARC
in tatters.

And I for one am having a lot of trouble mustering up any sympathy if we end up
with the latter.

> Per-user whitelisting on List-ID strikes me as having horrible scaling
> issues.

Really? Given that we've seen per-user per-sender blacklists implemented on
massive scale with no scaling issues, I for one fail to see the issue. (This is
not to say that these blacklists worked. They sucked completely and failed
badly, but not because of scaling issues.)

> How can we know who's subscribed to what?  Or if we plan to know
> what List-IDs to believe, we're back at a shared mailing list whitelist.

I don't think so. The obvious model would be to check to see if the list-id
address is in the recipient's address book, and to instruct users to add list
addresses to their address book in order to ensure list delivery.

This builds on the very common whitelisting model of checking the from address
against the recipient's address book. Which, BTW, also seems to scale just
fine. And which, incidentally, is one of the things that makes the
AOL and Yahoo address book thefts even more problematic.

And if you don't have address book integration, then a whitelisting rule
that checks the list-id would seem to do the trick.

Of course this has the side effect of weakening, but not breaking DMARC, as
well as making future address book thefts more problematic for mailing lists.
Funny how these things work.

                                Ned

_______________________________________________
ietf-822 mailing list
ietf-822(_at_)ietf(_dot_)org
https://www.ietf.org/mailman/listinfo/ietf-822
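
The two rules debated in this message, side by side, as an added example that is not part of the original post or any participant's code: a global "any List-ID skips DMARC rejection" rule versus a per-recipient address-book check. The function names, the `address_book` set of list identifiers, the upstream DMARC verdict arguments and both sample messages are assumptions constructed for illustration.

```python
import email
import re
from email import policy

# Constructed sample messages (not taken from the thread).
LIST_MAIL = """\
From: alice@member.example
List-Id: Example discussion list <discuss.lists.example.org>
Subject: Re: agenda

hello
"""
SPOOFED = """\
From: service@bank.example
List-Id: Totally a list <bulk.unknown.example>
Subject: Verify your account

click
"""

def list_id(msg):
    """Return the identifier inside <...> of List-Id (RFC 2919), lowercased, or None."""
    value = msg.get("List-Id")
    if not value:
        return None
    m = re.search(r"<([^<>\s]+)>\s*$", str(value))
    return m.group(1).lower() if m else None

def disposition(raw, dmarc_result, dmarc_policy, address_book, trust_any_list_id=False):
    """Decide 'deliver' or 'reject' for one recipient.

    dmarc_result and dmarc_policy are assumed to come from an upstream DMARC
    check; address_book is that recipient's own set of trusted list identifiers.
    """
    msg = email.message_from_string(raw, policy=policy.default)
    if dmarc_result == "pass" or dmarc_policy != "reject":
        return "deliver"              # nothing to override
    lid = list_id(msg)
    if lid is None:
        return "reject"               # DMARC failure stands
    if trust_any_list_id:             # global rule: List-ID alone skips rejection
        return "deliver"
    # Per-user rule: only lists this recipient has added are exempted.
    return "deliver" if lid in address_book else "reject"
```

Under the per-user rule a forged List-Id buys nothing unless it names a list the recipient already trusts, which is also why a stolen address book becomes more valuable.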
