The issue with @yahoo.com and DMARC is not the @yahoo.com users' ability
to receive mail, it's their ability to send mail to the list with From:
*@yahoo.com and have it be received by list subscribers who implement
strict DMARC policies which honor Yahoo!'s p=reject.
It's not clear how setting the @yahoo.com users to digest mode helps
this situation at all.
It probably does not. Trying analyze the various positions with a cool head,
the obvious conclusion is that hard problems don't have easy answers.
The current mailing list practice has the mailing list as sender, and the
original message composer described in the From field. The receiver sees
something like:
Sender: ietf <ietf-bounces(_at_)ietf(_dot_)org>
From: Christian Huitema <huitema(_at_)microsoft(_dot_)com>
…
Of course, that particular construct could easily be abused. A phishing message
does not differ much from a mailing list message:
Sender: postmaster <postmaster(_at_)phishing-domain(_dot_)com>
From: Christian Huitema <huitema(_at_)microsoft(_dot_)com>
…
I understand that the DMARC "alignment" policy is meant to protect against that
by requesting that sender domain and from field match. The problem is that a
mailing list would then have to invent a new from field, letting the recipient
see something like:
From: Christian Huitema <ietf-christian-huitema(_at_)ietf(_dot_)org>
Reply-To: Christian Huitema <huitema(_at_)microsoft(_dot_)com>
…
The obvious issue is that this particular construct is also quite friendly to
phishing. The phishing message would look like:
From: Christian Huitema <christian-huitema(_at_)phishing-domain(_dot_)com>
Reply-To: Christian Huitema <huitema(_at_)microsoft(_dot_)com>
…
If we teach users to ignore the bizarre email address for the mail list
messages, we are also teaching them to ignore the bizarre email address in the
phishing messages. I doubt that this was the intent of the DMARC authors.
-- Christian Huitema
(I wrote a longer version of this email at http://huitema.wordpress.com/.)