On Apr 21, 2014, at 9:42 AM, Dave Crocker <dhc(_at_)dcrocker(_dot_)net> wrote:
On 4/21/2014 9:36 AM, John Levine wrote:
They could fix it if they
wanted, e.g., by arranging to whitelist mail sources that don't match
DMARC's authentication model but send mail people want. This is not
just mailing lists, of course.
Sorry, but I'm not quite understanding what additional mechanism you have in
mind.
Exactly who does exactly what?
Who has to adopt it?
How will it scale?
Dear Dave,
Each domain can simply point to their desired white-list. This can be one
published directly or simply referenced as described in:
http://tools.ietf.org/html/draft-otis-dkim-tpa-label-06#page-8
This has elements from the moribund ADSP. The sender wishing to protect a
domain while also applying policy like that of ADSP or DMARC can offer
receivers a rapid and scalable method to check third-party domain
authorizations. This means senders are always able to defend recipients who
trust messages from their domain. Please note, authorizations can also require
presence of a List-ID. Other schemes, such as SRS, end up treating
third-parties the same, which never works.
Perhaps being a bit crass, those who have decided to adopt DMARC for their user
accounts have a vested interest in seeing mailing-lists fail. Their revenue is
often based on ads displayed in a user's browser. Forcing use of some social
web site has an advantage of injecting ads while also balkanizing group
efforts. Is the IETF ready to offer their own version of a social website or
start an email version of a three-card monte game of "Where is the From? Must
all other group endeavors demand some social allegiance or can these sites
become federated using something like XMPP and give up on email?
Regards,
Douglas Otis