On Wed, Apr 16, 2014 at 07:16:26PM -0400, Miles Fidelman wrote: > Well... yahoo, aol, and others DO keep whitelists now - and various > mechanisms for getting on them. Yahoo doesn't, however, seem to > apply their whitelisting methods to their own mail that's passed > through DMARC. Hmmm..... All of the major mail providers are almost certainly using some kind of machine-learning that takes multiple things into account, including SPF and DKIM results, message body filtering, etc. The problem is that this only helps people who are receiving mail at yahoo.com or gmail.com, etc. The problem that Yahoo seems to be fixated on, at least with respect to their desire to enable DMARC p=reject, is that they don't trust that *other* people will have good enough spam detection schemes such that they can detect messages sent to other mail destinations (for example, such as alice@xxxxxxxxxxx) where the recipient claims to be bob@xxxxxxxxx. So the problem is not yahoo maintaining a set of whitelists, it's everybody *else* needing to have a good enough machine learning algorithms so they can detect bad e-mail. If everyone did, then you wouldn't need any DMARC policy other than p=none. They could all look at the SPF and DKIM, the message body, their ML algorithms that have led them to conclude that ietf@xxxxxxxx is a valid email list, and not a spammer trying to look like a mailing list, and make the appropriate ham vs spam determination. In some sense the DMARC p=reject is basically Yahoo saying, "I don't trust your spam algorithms, so please use a really bone-headed algorithm which rejects any message claiming to be from username@xxxxxxxxx if the sender and the from field don't match." Regards, - Ted