>..., you
>could create a mechanism where the originator's site gets some sort of
>cryptographic data from the mailing list site and include that in its
>signed message, such that when the eventual recipient gets the message,
>it can verify that it came from a mailing list site that the originator
>explicitly sent the mail to.

The Sympa list manager implemented that in what appears to be a fully RFC
compliant way about a decade ago:

http://www.sympa.org/manual/x509

I don't get the impression it's very widely used.

Every discussion list security proposal I've ever seen includes building a
whitelist of trustworthy mailers, to avoid being spoofed by bad guys that
look like discussion lists but aren't. Once you've done that, I've never
understood the threat model of anything more complex than delivering the
mail from the whitelisted sources, perhaps after a cursory check to ensure
that it looks like the mail you were expecting.

R's,
John