>The fact is that a vocal constituency led by John Levine made it extremely clear that MLMs were out of scope
>and there was zero interest on the part of the MLM community in discussing ways in which MLMs could be made to
>work in an email authentication framework even if there were any MLM operators willing to do so.

...

DMARC must be in pretty bad shape if its proponents have to resort to malicious lies like this. It saddens me that Mike, who I used to consider a friend, would do so.

My position has always been perfectly clear: mailing lists are not broken, they provide a significant service to individual Internet mail users, and it is not our job to spend time and money to solve other people's problems.

DMARC, like all of its predecessor authentication schemes, has a model of the way people send mail that describes much but not all of the actual mail people send. There are an awful lot of ways that people send mail, so this shouldn't come as a surprise to anyone. The invariable next step is that some of the proponents of the scheme, rather than recognizing and admitting to its limitations, declare that the mail the scheme can't describe is bad and must be eradicated, with the term "forged" often misused. People who have been around long enough will remember when the SPF crowd demanded that everyone stop forwarding mail, or a few people wanted to apply strict DKIM ADSP to everything.

Mailing lists are the most obvious sending scenario that DMARC doesn't describe, but it's far from the only one. I have always said that DMARC is useful for a lot of mail, such as the "spam cannon" stuff (a comment on the volume, not necessarily the character) that Mike's employer sends, or that Paypal and banks send. As we have seen, it fails miserably for domains with non-employee live users.

Without exception the ways proposed to change MLMs "to work in an email authentication framework" have involved removing useful features added over the decades that our users use and like, so it also shouldn't be a surprise that we're not interested in bowdlerizing our service to solve their problem. We also note that many of the proposed solutions are overcomplicated and unlikely to work in practice (original-authentication-results) or just plain won't work (turning off all subject tags, message footers, and other message modifications.)

If the DMARC crowd were interested in being good net citizens, there is a way to deal with DMARC's limitations that is straightforward but not free: whitelisting. Most of the lists I see sign their mail, and they generally use static IP sending addresses, so they're not hard to characterize. The set of mailing lists and other legitimate mail sources that DMARC doesn't describe is not enormous, and it should be possible to develop shared whitelists for them, if someone were willing to pay for doing so. (This is a much smaller problem than trying to whitelist all "legitimate" mail.) If the list-whitelist group said that lists need to sign their mail or use an unshared IP to get whitelisted, you would find little resistance, both because most of us do that already, and because it doesn't ask us to make our lists worse for our users.

Unfortunately, we've seen no willingness to spend their money to help us solve their problem, and far too much of do it our way or else, because we are bigger than you are.

R's,
John
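
The whitelisting approach described in the message above, sketched as receiver-side logic. This is an added example, not part of the original message or any project's code: the whitelist entries, domains and IP ranges are constructed, the function names are hypothetical, and the organizational-domain check is simplified to the last two labels.

```python
import ipaddress

# Constructed whitelist: hypothetical list operator and documentation IP range.
LIST_SIGNERS = {"lists.example.org"}
LIST_NETWORKS = [ipaddress.ip_network("192.0.2.0/28")]

def org_domain(domain):
    # Assumption: last two labels. A real receiver uses the Public Suffix List.
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def dmarc_aligned(from_domain, dkim_pass, spf_pass_domain):
    """Relaxed alignment: some authenticated identifier shares From's org domain."""
    ids = set(dkim_pass)
    if spf_pass_domain:
        ids.add(spf_pass_domain)
    target = org_domain(from_domain)
    return any(org_domain(d) == target for d in ids)

def whitelisted_list_source(dkim_pass, client_ip):
    """True if a whitelisted list signed the message or it came from a listed IP."""
    if LIST_SIGNERS & {d.lower() for d in dkim_pass}:
        return True
    ip = ipaddress.ip_address(client_ip)
    return any(ip in net for net in LIST_NETWORKS)

def disposition(from_domain, policy, dkim_pass, spf_pass_domain, client_ip):
    """dkim_pass holds only d= domains whose signatures actually verified."""
    if dmarc_aligned(from_domain, dkim_pass, spf_pass_domain):
        return "accept"
    if whitelisted_list_source(dkim_pass, client_ip):
        return "accept (list whitelist)"
    return {"reject": "reject", "quarantine": "quarantine"}.get(policy, "accept")

# Constructed cases. The author's domain publishes p=reject.
CASES = {
    "direct": ("user.example", "reject", {"user.example"}, "user.example", "203.0.113.4"),
    "list_signed": ("user.example", "reject", {"lists.example.org"}, "lists.example.org", "198.51.100.20"),
    "list_ip_only": ("user.example", "reject", set(), "", "192.0.2.9"),
    "unknown_sender": ("user.example", "reject", {"other.example"}, "other.example", "198.51.100.7"),
}

if __name__ == "__main__":
    for name, args in CASES.items():
        print(name, "->", disposition(*args))
```

The whitelist is consulted only after alignment fails, and only on a verified signature or the connecting IP, so an unlisted sender using the same From domain still gets the domain's published policy.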