After some discussion on ietf-822, two viable methods were identified for DMARC for mailing lists (ML). Someone cutely suggested to do both: *Tweak DKIM signatures* To be applied on sending, produce a partial author's domain signature which can be verified along with the ML signature. To be refined a bit, in order to account for chaining from a ML to another. *Whitelist* To be applied on receiving, for MLs endorsed by each domain's users. Both methods require each domain to build a DB of MLs. That can be done by a "manual process" (see picture) for the time being. The process consists of each ML admin extracting a per-domain list of subscribers and sending it to the relevant domain postmaster, after obtaining subscribers' consent. The volume of data is so huge as to be akin to an on-line demonstration. Will the admins go marching in? Doing nothing will result in a mix of three reactions. 1, ML admins changing the From: of domains who publish strict DMARC policies; 2, some users changing mailbox provider; and 3, less domains publishing strict DMARC policies. The combined effect seems to weaken both DMARC and mailing lists. Ale
Attachment:
list-db.gif
Description: GIF image
