On Tue, 29 Apr 2014, Dave Crocker wrote:
> On 4/29/2014 6:03 AM, Mikael Abrahamsson wrote:
>> I quickly went through
>> https://datatracker.ietf.org/doc/draft-kucherawy-dmarc-base/?include_text=1
>> which I guess is the draft we're discussing? As far as I can tell, it
>> doesn't "inform" about the problem DMARC causes in conjunction with
>> quite prevalent mailing list functionality.
>
> Well, it does, but not in the most pedagogical fashion one might wish for.
> "Obscure" wouldn't be an inappropriate characterization...
>
> Appendix C. DMARC XML Schema
> ...
> Descriptions of the PolicyOverrideTypes:
> ...
> mailing_list: Local heuristics determined that the message arrived
> via a mailing list, and thus authentication of the original
> message was not expected to succeed.

I also found text in A.3:
"A.3. Sender Header Field
It has been suggested in several message authentication efforts that
the Sender header field be checked for an identifier of interest, as
the standards indicate this as the proper way to indicate a re-
mailing of content such as through a mailing list. Most recently, it
was a protocol-level option for DomainKeys, but on evolution to DKIM,
this property was removed.
The DMARC development team considered this and decided not to include
support for doing so, for two primary reasons:
...
2. Although it is certainly true that this is what Sender is for,
its use in this way is also unreliable, making it a poor
candidate for inclusion in the DMARC evaluation algorithm."
So... just because this is a hard problem to solve doesn't mean it's a
good idea to just gloss over it and say "screw it" for mailing lists.
--
Mikael Abrahamsson email: swmike@xxxxxxxxx
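
An added example, not part of the thread or of the draft: a simplified relaxed-mode DMARC alignment check run over constructed messages, showing why a list-relayed message fails, that the Sender field plays no part, and where the `mailing_list` override from Appendix C would be recorded. The message fields, the List-Id heuristic, the two-label organizational-domain shortcut and all domains are assumptions made for the illustration.

```python
# Added illustration, not from the thread or the draft.
def org_domain(domain):
    # Assumption: organizational domain = last two labels. Real receivers
    # use a public suffix list.
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def evaluate(msg, policy):
    """Return (dmarc_result, disposition, override_reason) for one message."""
    want = org_domain(msg["from"])
    spf_result, mailfrom = msg["spf"]
    spf_ok = spf_result == "pass" and org_domain(mailfrom) == want
    dkim_ok = any(r == "pass" and org_domain(d) == want for r, d in msg["dkim"])
    # msg["sender"] is deliberately never read: Sender is not an input to
    # the DMARC evaluation (Appendix A.3 quoted above).
    if spf_ok or dkim_ok:
        return ("pass", "none", None)
    # Hypothetical local heuristic: a List-Id header marks list traffic, so
    # the receiver records the mailing_list override instead of applying p=.
    if msg.get("list_id"):
        return ("fail", "none", "mailing_list")
    return ("fail", policy, None)

# Constructed sample messages (all domains are placeholders).
DIRECT = {"from": "example.com", "sender": None, "list_id": None,
          "spf": ("pass", "mail.example.com"),
          "dkim": [("pass", "example.com")]}
# Same author, relayed by a list that added a footer: the author's DKIM
# signature no longer verifies, and SPF passes only for the list's domain.
VIA_LIST = {"from": "example.com", "sender": "lists.example.org",
            "list_id": "<discuss.lists.example.org>",
            "spf": ("pass", "lists.example.org"),
            "dkim": [("fail", "example.com"), ("pass", "lists.example.org")]}
# Same relay, but the list sets only Sender and no List-Id.
SENDER_ONLY = dict(VIA_LIST, list_id=None)

if __name__ == "__main__":
    for name, m in [("direct", DIRECT), ("via list", VIA_LIST),
                    ("Sender only", SENDER_ONLY)]:
        print(name, evaluate(m, policy="reject"))
```

The third case is the one the thread turns on: without a receiver-side heuristic, the list's valid SPF and DKIM results for its own domain do nothing for a From domain publishing `p=reject`.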