On Wed, Apr 30, 2014 at 11:16 AM, Dave Crocker <dcrocker@xxxxxxxx> wrote:
> On 4/30/2014 10:03 AM, Andrew G. Malis wrote:
>>
>> Phillip,
>>
>> Of course the way to make mailing lists work with DMARC would be to
>> look at the headers and treat messages with mailing list headers
>> differently. Perhaps the issue isn't in DMARC but how the information
>> from DMARC is applied.
>>
>>
>> From my reading of sections 10.2, 5.2, and 15.4 of
>> draft-kucherawy-dmarc-base-04, you can't do that and still claim
>> receiver conformance with that draft (although there's the question of
>> whether one should claim conformance to an informational draft in the
>> first place).
>
> (Conformance is voluntary. People choose the specs they want to support, no
> matter the formal status.)
>
> To the extent that varying from -base produces better results at reasonable
> cost, then receivers will do it. The challenge is to offer clear and
> compelling guidance about that variance and gain support for its use.
>
> For example, using the mere presence of List-* header fields as a basis for
> deviating from a domain owner's DMARC policy request would seem an easy
> attack vector by bad actors.
>
> On the other hand, using the presence of the fields, combined perhaps with the
> list signing the message (and covering those fields) and with the receiver's
> knowing that the list operator has a good reputation might make quite a bit
> of sense...

Spam filters should know about things as important as mailing list
subscriptions. If the mailing list has appropriate spam ingress controls, is
authenticated using DKIM and there is evidence that the user has subscribed
then the spam filter can whitelist all the messages from that list.

And to the other conversations, we are talking about draft- here. And that
isn't the same as standard. In fact one of the requirements for being granted
standard would be to come up with answers to these issues.

-- 
Website: http://hallambaker.com/
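
The combined check discussed in this thread, sketched as an added example that is not part of the original messages or of any DMARC draft: a receiver grants a list exemption only when the list's DKIM signature covers every List-* field present, the signing list has a good reputation, and the recipient is subscribed. The function name, the `trusted_lists` and `subscriptions` maps, and the sample message are assumptions; cryptographic DKIM verification is assumed to happen in a separate verifier that supplies `verified_domains`.

```python
import re
from email import message_from_string

# Constructed sample message (not from the thread); bh= and b= are placeholders.
SAMPLE = """\
From: alice@sender.example
To: bob@receiver.example
List-Id: Discussion <discuss.lists.example>
List-Unsubscribe: <mailto:discuss-leave@lists.example>
DKIM-Signature: v=1; a=rsa-sha256; d=lists.example; s=sel1;
 h=from:to:subject:list-id:list-unsubscribe; bh=PLACEHOLDER; b=PLACEHOLDER
Subject: hello

body
"""

def dkim_tags(value):
    """Split a DKIM-Signature header value into its tag=value pairs."""
    tags = {}
    for part in value.split(";"):
        if "=" in part:
            k, v = part.split("=", 1)
            tags[k.strip()] = "".join(v.split())  # drop folding whitespace
    return tags

def list_exemption(raw, verified_domains, trusted_lists, subscriptions, rcpt):
    """True only if all conditions hold. verified_domains: d= values a real
    DKIM verifier already validated (assumed). trusted_lists: signing domain
    -> reputable List-Ids. subscriptions: recipient -> List-Ids (both hypothetical)."""
    msg = message_from_string(raw)
    list_fields = {n.lower() for n in msg.keys() if n.lower().startswith("list-")}
    m = re.search(r"<([^>]+)>", msg.get("List-Id", ""))
    list_id = m.group(1).lower() if m else ""
    if not list_id:
        return False  # not list mail
    if list_id not in subscriptions.get(rcpt, set()):
        return False  # no evidence the user subscribed
    for sig in msg.get_all("DKIM-Signature", []):
        tags = dkim_tags(sig)
        domain = tags.get("d", "").lower()
        signed = {h.lower() for h in tags.get("h", "").split(":")}
        if (domain in verified_domains and list_fields <= signed
                and list_id in trusted_lists.get(domain, set())):
            return True  # reputable list signed the message and its List-* fields
    return False  # bare or unsigned List-* headers earn no exemption
```
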