On Tue, Apr 15, 2014 at 7:18 PM, John R Levine <johnl@xxxxxxxxx> wrote:
Sure, whitelisting is one possible solution. Publishing a whitelist is easy, but populating it, managing it, making it robust, making it fair, and protecting it against fraudulent entries needs to be sorted out, whether it's a public whitelist or a private one. Are we certain, though, that it's flatly impossible to adjust lists in such a way that their traffic could be described by these mechanisms?
-MSK
The reason it's not special is that it's just the most visible example of a wide variety of legitimate useful mail that DMARC can't describe, and that are broken by DMARC policies other than p=none.
As I see it, this is probably the core of the stalemate. I agree that DMARC, and its various antecedents that we all know and love, can't precisely describe mailing list traffic as it's currently defined. What I observe, though, is that there's typically lots of talk about what we can't do to add that capability, and almost none about what's actually possible. People get discouraged and give up. This isn't a path to success.
I'm all for being as incremental and non-destructive as possible when building these things. I also don't think it's possible to be completely invisible 100% of the time.
Sure, whitelisting is one possible solution. Publishing a whitelist is easy, but populating it, managing it, making it robust, making it fair, and protecting it against fraudulent entries needs to be sorted out, whether it's a public whitelist or a private one. Are we certain, though, that it's flatly impossible to adjust lists in such a way that their traffic could be described by these mechanisms?
-MSK