ietf

DMARC-4-ML: Can the IETF call a demonstration?

2014-05-14 06:52:43
After some discussion on ietf-822, two viable methods were identified
for DMARC for mailing lists (ML).  Someone cutely suggested to do both:

*Tweak DKIM signatures*
To be applied on sending, produce a partial author's domain signature
which can be verified along with the ML signature.  To be refined a
bit, in order to account for chaining from one ML to another.

*Whitelist*
To be applied on receiving, for MLs endorsed by each domain's users.

Both methods require each domain to build a DB of MLs.  That can be
done by a "manual process" (see picture) for the time being.  The
process consists of each ML admin extracting a per-domain list of
subscribers and sending it to the relevant domain postmaster, after
obtaining subscribers' consent.  The volume of data is so huge as to
be akin to an on-line demonstration.

Will the admins go marching in?

Doing nothing will result in a mix of three reactions.  1, ML admins
changing the From: of domains that publish strict DMARC policies;  2,
some users changing mailbox provider; and 3, fewer domains publishing
strict DMARC policies.  The combined effect seems to weaken both DMARC
and mailing lists.

Ale

Attachment: list-db.gif
Description: GIF image
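The "manual process" and the receive-side whitelist described in the message above, sketched as an added example that is not part of the original post or of any DMARC implementation. All function names, the sample addresses and the rule that a list is identified by a verified DKIM signing domain (exact match on d=) are assumptions made for illustration.

```python
from collections import defaultdict
from email.utils import parseaddr

# Constructed sample roster of one list: (address as stored by the ML, consent given?)
SUBSCRIBERS = [("Alice <alice@Example.ORG>", True), ("bob@example.org", False),
               ("carol@example.com", True), ("alice@example.org", True),
               ("broken-address", True)]

def per_domain_export(subscribers):
    """ML admin side: group consenting subscribers by mailbox domain."""
    out = defaultdict(set)
    for address, consented in subscribers:
        if not consented:
            continue  # the process requires consent before an address is shared
        _, addr = parseaddr(address)
        local, sep, domain = addr.rpartition("@")
        if not (sep and local and domain):
            continue  # unparsable entry, nothing to send to any postmaster
        out[domain.lower()].add(f"{local}@{domain.lower()}")
    return {d: sorted(a) for d, a in out.items()}

def build_domain_db(exports):
    """Postmaster side: merge exports, given as {list_domain: [own users]}."""
    db = defaultdict(set)
    for list_domain, addrs in exports.items():
        for a in addrs:
            # Simplification: local parts are compared case-insensitively.
            db[a.lower()].add(list_domain.lower())
    return db

def whitelist_override(db, rcpt, dkim_pass_domains, dmarc_result):
    """Receive time: may a DMARC failure be overridden for this recipient?

    dkim_pass_domains holds the d= values of signatures that verified.
    A List-Id header is not consulted because it is unauthenticated.
    """
    if dmarc_result == "pass":
        return False  # nothing to override
    endorsed = db.get(rcpt.lower(), set())
    return any(d.lower() in endorsed for d in dkim_pass_domains)

if __name__ == "__main__":
    export = per_domain_export(SUBSCRIBERS)
    db = build_domain_db({"lists.example.net": export["example.org"]})
    print(export)
    print(whitelist_override(db, "alice@example.org", ["lists.example.net"], "fail"))
```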