Hi John,
At 13:11 07-04-2014, John Levine wrote:
DMARC is what one might call an emerging e-mail security scheme.
There's a draft on it at draft-kucherawy-dmarc-base-04, intended for
the independent stream. It's emerging pretty fast, since many of the
largest mail systems in the world have already implemented it,
including Gmail, Hotmail/MSN/Outlook, Comcast, and Yahoo.
[snip]
Mailing lists are a particular weak spot for DMARC. Lists invarably
use their own bounce address in their own domain, so the SPF doesn't
match. Lists generally modify messages via subject tags, body footers,
attachment stripping, and other useful features that break the DKIM
signature. So on even the most legitimate list mail like, say, the
IETF's, most of the mail fails the DMARC assertions, not due to the
lists doing anything "wrong".
From BCP 167:
"In an idealized world, if an Author knows that the MLM to which a
message is being sent is a non-participating resending MLM, the
Author needs to be cautious when deciding whether or not to send a
signed message to the list."
It will be interesting to see the results when other domains
implement the specification.
Regards,
S. Moonesamy