ietf-dkim

Re: [ietf-dkim] Wrong Discussion - was Why mailing lists should strip DKIM signatures

2010-04-26 23:00:51
"Doctor, it hurts when I do this."

"So don't do that."

X = me/PayPal.com
Y = this list/ietf-dkim(_at_)mipassoc(_dot_)org
Z = Google's Gmail service [1]

I understand your point, but I think that it would be a better idea to
put PayPal's transactional mail and mail from its staff into different
domains with different reputations and different handling.  If you're
telling recipients to throw away paypal.com mail with missing or
broken signatures, your messaging is going to be vastly more confusing
and harder to follow if you add "oh, except for these special cases
for stuff passed through mailing lists, and be sure only to do the
special cases for real mailing lists."  "No, we don't have a list of
every real mailing list in the world.  Why do you ask?"

Or to look at it another way, if a piece of mail arrives from some
random mailing list like thing with a paypal.com return address, and a
header that purports to say that the message was signed when it
arrived at the list, how likely is it that it's mail from you vs. mail
from a phish kit trying to fake out verifiers?

R's,
John

PS: Not to pick specifically on PayPal, but you are of course the
poster child for phish targets so egregious that it's worth the risk
of losing a little real mail to get rid of the phish.

PPS: brett(_at_)x(_dot_)com would be a much cooler address
_______________________________________________
NOTE WELL: This list operates according to 
http://mipassoc.org/dkim/ietf-list-rules.html
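
The argument in the message above, as an added Python example (not part of the original post): a receiver that discards paypal.com mail without a valid signature has no basis for trusting a header written by the list, because a phish kit can write the same header. It assumes the list's claim arrives as an Authentication-Results header; the host names lists.example and mx.receiver.example, the address staff@paypal.com and the function names are made up for illustration.

```python
from email import message_from_string
from email.utils import parseaddr

# Assumed local policy (not from the thread): author domains whose mail is
# discarded without a valid signature, and the receiver's own authserv-id.
STRICT_DOMAINS = {"paypal.com"}
TRUSTED_AUTHSERV_IDS = {"mx.receiver.example"}

def trusted_dkim_pass_domains(msg):
    """d= domains with dkim=pass, read only from trusted Authentication-Results."""
    domains = set()
    for value in msg.get_all("Authentication-Results", []):
        authserv_id, _, results = value.partition(";")
        if authserv_id.strip().lower() not in TRUSTED_AUTHSERV_IDS:
            continue  # added upstream (list or sender): anyone can write it
        for result in results.split(";"):
            tokens = result.split()
            if "dkim=pass" in tokens:
                domains.update(t[len("header.d="):].lower() for t in tokens
                               if t.startswith("header.d="))
    return domains

def disposition(raw):
    """'deliver' or 'discard' for one raw message under the strict policy."""
    msg = message_from_string(raw)
    author_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    if author_domain not in STRICT_DOMAINS:
        return "deliver"
    ok = author_domain in trusted_dkim_pass_domains(msg)
    return "deliver" if ok else "discard"

# Constructed samples. VIA_LIST is byte-for-byte what a phish kit could also send.
VIA_LIST = (
    "From: staff@paypal.com\n"
    "Authentication-Results: lists.example; dkim=pass header.d=paypal.com\n"
    "Authentication-Results: mx.receiver.example; dkim=fail header.d=paypal.com\n"
    "\nrelayed through a list that appended a footer\n")
DIRECT = (
    "From: staff@paypal.com\n"
    "Authentication-Results: mx.receiver.example; dkim=pass header.d=paypal.com\n"
    "\nsent straight to the recipient\n")
OTHER = "From: someone@example.org\n\nno signature, no strict policy\n"

if __name__ == "__main__":
    for name, raw in (("via list", VIA_LIST), ("direct", DIRECT), ("other", OTHER)):
        print(name, "->", disposition(raw))
```

The sketch relies on the receiver's border MTA removing any inbound Authentication-Results header that already carries the receiver's own authserv-id.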
