ietf-dkim

Re: [ietf-dkim] Resigner Support of RFC 5617 (ADSP)

2009-10-12 11:03:52
On Mon, 12 Oct 2009, Wietse Venema wrote:
> Michael Deutschmann:
> > If this is indeed the official semantics of the protocol, then I would
> > petition to add a "dkim=except-mlist" policy.  Which means "I sign
> > everything that leaves my bailiwick, but may post to signature-breaking
> > MLs."
>
> Are you going to announce all your users' mailing list subscriptions
> in the policy record? If you do, that could be a privacy problem.
>
> If you don't, then the spammer can add any mailing list header to
> the message, and they can drive their truck through this hole.

The only other option for a sender domain with any subscribers to
signature-breaking mailing lists, is dkim=unknown.  Which is just as big
a hole.

At least with dkim=except-mlist, the recipient can narrow the loophole to
cover only those mailing lists he is actually subscribed to.  If those
mailing lists use SPF, the spammer can't get in even if he knows which
ones to forge.

---- Michael Deutschmann <michael(_at_)talamasca(_dot_)ocis(_dot_)net>
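
The receiver-side decision discussed in this message, as an added example that is not part of the original post or of any DKIM implementation. `except-mlist` is the policy value proposed in the thread, not an RFC 5617 value; the `Msg` fields, the `evaluate` function, the outcome strings and all domains are assumptions constructed for illustration.

```python
from dataclasses import dataclass
from typing import Dict, Optional

@dataclass
class Msg:
    author_sig_valid: bool          # valid DKIM signature by the From: domain
    list_id: Optional[str]          # List-Id header as received (forgeable)
    spf_pass_domain: Optional[str]  # envelope domain that passed SPF, if any

# "except-mlist" is the hypothetical value proposed in the thread.
POLICIES = {"unknown", "all", "discardable", "except-mlist"}

def evaluate(msg: Msg, policy: str, subscriptions: Dict[str, Optional[str]]) -> str:
    """Return 'pass', 'no-assertion', 'list-exempt', 'suspicious' or 'discard'.

    subscriptions maps each List-Id the recipient is subscribed to onto the
    envelope domain that list sends from, or None if the list has no SPF.
    """
    if policy not in POLICIES:
        raise ValueError(f"unrecognised policy: {policy!r}")
    if msg.author_sig_valid:
        return "pass"
    if policy == "unknown":
        return "no-assertion"       # unsigned mail tells the receiver nothing
    if policy == "discardable":
        return "discard"
    if policy == "except-mlist" and msg.list_id in subscriptions:
        expected = subscriptions[msg.list_id]
        # A list with SPF must also pass SPF; a list without SPF is
        # exempted on the List-Id alone, which leaves a residual gap.
        if expected is None or msg.spf_pass_domain == expected:
            return "list-exempt"
    return "suspicious"             # "all", or outside the list exemption

# Constructed sample data: the recipient's own subscriptions and four messages.
SUBS = {"dev.lists.example.net": "lists.example.net",  # list with SPF
        "chat.lists.example.com": None}                # list without SPF
GENUINE = Msg(False, "dev.lists.example.net", "lists.example.net")
FORGED_UNSUBSCRIBED = Msg(False, "announce.lists.example.org", None)
FORGED_SUBSCRIBED = Msg(False, "dev.lists.example.net", "spam.example")
FORGED_NO_SPF_LIST = Msg(False, "chat.lists.example.com", None)
```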