On 16 April 2014 21:57, John R Levine <johnl@xxxxxxxxx> wrote:
This means that mailing lists (and other forwarding cases) are enforced
into having DMARC records in order to forward DMARC originating messages,
which seems reasonable, and the Sender addresses must also be relatively
sensible, which they normally are already.
How do I distinguish the nice mailing lists at ietf.org from random evil spammer domains sending spam with List-ID headers? I may be missing something.
Every proposal I've seen like this ends up tripping over the fact that there is no technical way to distinguish between mail from real mailing lists and spam that looks like it's from mailing lists. Hence you need a whitelist for the real mail, at which point all of the mechanism beyond the key for the whitelist (probably a DKIM signature) is superfluous.
There's no more need for whitelist here than on DMARC mail as things stand, of course, but it does mean that senders need tracking as well as authors, and senders need to be explicit and reliable. I'd assume reputation services (of which whitelists are just an extreme case) would be in play regardless.
Let's consider the message to which I am replying.
Right now, my MUA treats this as a message "From John R Levine <johnl@xxxxxxxxx>". This means that any policy on the message origination comes from looking solely at the taugh.com domain. We'll pretend it has a DMARC policy. Herein lies the Yahoo/DMARC issue, because unless your policy essentially stipulates that the IETF is allowed to spoof you, we're stuck.
What I'm suggesting is not that, but that my MUA notes that the policy of taugh.com allows different senders, and switches to considering the sender domain - in this case, ietf.org. Any p or sp tag in the ietf.org policy is ignored, however, and treated as p=reject/sp=reject; in addition, since taugh.com has a DMARC policy, it must also have one to forward taugh.com email.
My spam filtering now has two cases to consider: Firstly, it needs to decide whether ietf.org is behaving legitimately, and secondly whether I want to read mail from you.
You can put it another way, too - my proposal is essentially saying that the From dictates failure policy, reporting, and handling, but the Sender is used for enforcement.
One additional thing is required from MUAs, though, which is to ensure the UI clearly shows that the message is not sent by you (directly, at least); this allows a human reader to easily see it's a mailing list message - or for that matter easily see it's from an unexpected sender.
Dave.
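The From/Sender evaluation Dave sketches above, written out as a small model so the branches can be checked. This is an added example, not code from the thread; the DMARC records are constructed and embedded inline rather than fetched from DNS, the addresses are constructed, and the tag by which the From domain permits other senders (`allowsender`) is a hypothetical name, since the message does not propose one.

```python
from email.utils import parseaddr

# Constructed DMARC records keyed by organisational domain
# (in practice the _dmarc.<domain> TXT record). "allowsender" is a
# hypothetical tag standing in for "this policy allows different senders".
RECORDS = {
    "taugh.com": {"p": "reject", "allowsender": "yes"},
    "ietf.org": {"p": "none"},   # its p/sp is ignored when it acts as Sender
}


def domain_of(header_value):
    """Extract the lower-cased domain from a From:/Sender: header value."""
    addr = parseaddr(header_value)[1]
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else None


def evaluate(headers, authenticated_domains):
    """Return (enforcing_domain, disposition) for one message.

    headers: dict of header name -> value.
    authenticated_domains: set of domains aligned via SPF or DKIM.
    """
    from_dom = domain_of(headers.get("From", ""))
    sender_dom = domain_of(headers.get("Sender", ""))
    from_rec = RECORDS.get(from_dom)
    if from_rec is None:
        return from_dom, "none"          # no author policy: nothing to enforce
    if from_dom in authenticated_domains:
        return from_dom, "pass"          # ordinary aligned DMARC pass
    failure = from_rec.get("p", "none")  # From dictates the failure policy
    # Author policy does not delegate, or no distinct Sender: classic DMARC.
    if from_rec.get("allowsender") != "yes" or not sender_dom or sender_dom == from_dom:
        return from_dom, failure
    # Delegated: enforcement moves to the Sender domain. It must itself
    # publish a DMARC record, and it must authenticate; its own p/sp tags
    # are ignored, so it cannot relax the author's policy.
    if sender_dom not in RECORDS or sender_dom not in authenticated_domains:
        return sender_dom, failure
    return sender_dom, "pass"


if __name__ == "__main__":
    msg = {"From": "John R Levine <johnl@taugh.com>",
           "Sender": "dmarc-bounces@ietf.org"}   # constructed headers
    print(evaluate(msg, {"ietf.org"}))          # ('ietf.org', 'pass')
    print(evaluate(msg, set()))                 # ('ietf.org', 'reject')
```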