On 4/30/2014 10:03 AM, Andrew G. Malis wrote:
Phillip,
Of course the way to make mailing lists work with DMARC would be to
look at the headers and treat messages with mailing list headers
differently. Perhaps the issue isn't in DMARC but how the information
from DMARC is applied.
From my reading of sections 10.2, 5.2, and 15.4 of
draft-kucherawy-dmarc-base-04, you can't do that and still claim
receiver conformance with that draft (although there's the question of
whether one should claim conformance to an informational draft in the
first place).
(Conformance is voluntary. People choose the specs they want to
support, no matter the formal status.)
To the extent that varying from -base produces better results at
reasonable cost, then receivers will do it. The challenge is to offer
clear and compelling guidance about that variance and gain support for
its use.
For example, using the mere presence of List-* header fields as a basis
for deviating from a domain owner's DMARC policy request would seem an
easy attack vector by bad actors.
On the other hand, using the presence of the fields, combined perhaps
the list signing the message (and covering those fields) and with the
receiver's knowing that the list operator has a good reputation might
make quite a bit of sense...
d/
--
Dave Crocker
Brandenburg InternetWorking
bbiw.net