I did a search before asking this question; I did not find any answer. Does
anyone know whether the IETF adheres to BCP 167?
I've never been a big fan of RFC 6377, but this bit seems relevant since
strict ADSP policies had pretty much the same problems as strict DMARC
policies.

   For domains that do publish strict ADSP policies, the originating
   site SHOULD use a separate message stream (see Section 2.5), such as
   a signing and Author subdomain, for the "personal" mail -- a
   subdomain that is different from domain(s) used for other mail
   streams.  This allows each to develop an independent reputation, and
   more stringent policies (including ADSP) can be applied to the mail
   stream(s) that do not go through mailing lists or perhaps do not get
   signed at all.

As far as I know, the "participating MLM" thing has never been
implemented, which makes the C in BCP rather suspect. My own MLM signs
the outgoing mail and adds an Authentication-Results: header, but largely
by default because it's embedded in a mail system that does those things.
Just today I did modify it so that any list mail with a From: address
@yahoo.com is rewritten to @yahoo.com.INVALID. That's the least
intrusive way I've been able to come up with to mitigate the damage.
It's also similar to what RFC 6858 suggests for delivering EAI mail to
systems that can't handle EAI, which is a vaguely similar problem.
Regards,
John Levine, johnl(_at_)taugh(_dot_)com, Taughannock Networks, Trumansburg NY
Please consider the environment before reading this e-mail.
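
The From: rewrite described in the message above, as an added example that is not part of the original post and not the poster's own MLM code. The function names, the STRICT_DOMAINS set and the sample message are assumptions constructed for illustration; matching is on the exact domain only, so subdomains are left alone.

```python
from email import message_from_string
from email.utils import formataddr, getaddresses

# Assumption: domains whose From: addresses get rewritten on list mail.
# The post names only yahoo.com.
STRICT_DOMAINS = {"yahoo.com"}

# Constructed sample list message, not taken from the original post.
SAMPLE = (
    "From: Alice Example <alice@yahoo.com>\n"
    "To: list@example.org\n"
    "Subject: test\n"
    "\n"
    "body\n"
)


def invalidate_address(addr, domains=STRICT_DOMAINS):
    """Append '.INVALID' to addr when its domain is in `domains`."""
    local, sep, domain = addr.rpartition("@")
    # Case-insensitive exact match; a trailing root dot is ignored.
    if not sep or domain.lower().rstrip(".") not in domains:
        return addr
    return f"{local}@{domain.rstrip('.')}.INVALID"


def rewrite_from(msg, domains=STRICT_DOMAINS):
    """Rewrite every From: mailbox in msg in place; return True if changed."""
    pairs = getaddresses(msg.get_all("From", []))
    rewritten = [(name, invalidate_address(addr, domains))
                 for name, addr in pairs]
    if rewritten == pairs:
        return False  # nothing matched; leave the header untouched
    del msg["From"]  # removes all From: fields before re-adding one
    msg["From"] = ", ".join(formataddr(pair) for pair in rewritten)
    return True


if __name__ == "__main__":
    message = message_from_string(SAMPLE)
    rewrite_from(message)
    print(message["From"])
```

Because an already rewritten address ends in .INVALID and no longer matches the domain set, running the function twice on the same message does not append the suffix again.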