I think the original scenario you described could be implemented by bad players as follows: - set up a mailman instance with DMARC support, that forges the XOAR header. - Ensure that the mailman outgoing mail passes SPF+DKIM for the domain in question.
Right, except it doesn't even have to be mailman, just spamware that creates headers that look like mailman's. Like I said, if you trust the sender to be a real list, deliver its mail. If you don't, don't. I don't think there are any major conceptual challenges here.
Those uses shouldn't be considered valid, and NYTimes has already moved away from that, at least as of my test 5 minutes ago.
Well, the WSJ does. This is a perfectly reasonable way to send mail, endorsed by decades of practice.
|Date: Tue, 8 Apr 2014 02:24:13 |From: "wsjol@xxxxxxxxxxxxxx" <wsjol@xxxxxxxxxxxxxx> |To: johnl@xxxxxxxxx |Subject: WSJ.com - Ukrainian leaders, U.S. slam Russia over new unrest;The envelope bounce address is <bounces@xxxxxxxxxxxx>, again perfectly reasonable.
By implement DMARC, I meant implement XOAR headers; VERP is too useful
As described above, XOAR is not useful because you can't trust it. Regards, John Levine, johnl@xxxxxxxxx, Taughannock Networks, Trumansburg NY Please consider the environment before reading this e-mail.
<<attachment: smime.p7s>>