On 4/30/10 6:45 PM, John R. Levine wrote:
>> I don't think that's what I'm saying. Currently lists don't do much to
>> authenticate senders. I don't think it's implausible that a recipient might
>> have stricter rules than a list manager. It might be unusual, I suppose.
>
> I agree it's hypothetically possible, but have you ever seen an actual
> need for this in practice, a list where the recipients filter out messages
> that a more competently managed list would have rejected?

John,
Efforts at protecting recipients with ADSP "all" or "discard-able"
conflict with the message handling of properly run mailing-lists.
Mailing-list handling does not need to change, even those that remove
DKIM signatures. With minor efforts, a transitional strategy that
introduces sender authorization offers exceptions needed for "all" and
"discard-able" conflicts. The enhanced protection these policies
afford is critical for financial institutions, whether for corporate or
transaction messages. Better source authentication is also
increasingly needed to thwart a growing number of social engineering
ploys, and to properly identify compromised accounts. When
mailing-lists include A-R headers, these can be audited by the sender.
The sender's authorization then enables them to protect their
authentication from otherwise trivial spoofing and to guard against
message loss.
-Doug