On Wed, Apr 30, 2014 at 11:16 AM, Dave Crocker <dcrocker(_at_)bbiw(_dot_)net>
wrote:
On 4/30/2014 10:03 AM, Andrew G. Malis wrote:
Phillip,
Of course the way to make mailing lists work with DMARC would be to
look at the headers and treat messages with mailing list headers
differently. Perhaps the issue isn't in DMARC but how the information
from DMARC is applied.
From my reading of sections 10.2, 5.2, and 15.4 of
draft-kucherawy-dmarc-base-04, you can't do that and still claim
receiver conformance with that draft (although there's the question of
whether one should claim conformance to an informational draft in the
first place).
(Conformance is voluntary. People choose the specs they want to support, no
matter the formal status.)
To the extent that varying from -base produces better results at reasonable
cost, then receivers will do it. The challenge is to offer clear and
compelling guidance about that variance and gain support for its use.
For example, using the mere presence of List-* header fields as a basis for
deviating from a domain owner's DMARC policy request would seem an easy
attack vector by bad actors.
On the other hand, using the presence of the fields, combined perhaps the
list signing the message (and covering those fields) and with the receiver's
knowing that the list operator has a good reputation might make quite a bit
of sense...
Spam filters should know about things as important as mailing list
subscriptions.
It the mailing list has appropriate spam ingress controls, is
authenticated using DKIM and there is evidence that the user has
subscribed then the spam filter can whitelist all the messages from
that list.
And to the other conversations, we are talking about draft- here. And
that isn't the same as standard. In fact one of the requirements for
being granted standard would be to come up with answers to these
issues.
--
Website: http://hallambaker.com/