Richard Damon writes:

> On 5/9/14, 10:13 PM, John Levine wrote:
>
> > The correct response is either for senders to stop publishing DMARC
> > policies that don't match the way their users use mail (fat chance),
> > or for recipient systems to skip the DMARC checks on mail from sources
> > that are known to send mail that recipients want but that doesn't
> > match DMARC's narrow authentication model, e.g., mailing lists and the
> > Wall Street Journal's mail-an-article button.

GMail is already doing this, although we don't know the algorithm precisely. If GMail continues and others join, ostracism of providers who continue to use inflexible bouncing policies instead of smart filters becomes more plausible.

I know that's not satisfactory for people whose lists are populated by AOL and Yahoo users, but I don't know what to say to them. Their users are DoS'ing their mailing lists with their addresses, even if they don't know it.

> But the wrapped message could pass the DMARC DKIM signature check, if it
> will exactly match the message that came from Yahoo/AOL. (which the
> phish won't). This says that the List Headers, modified subject, list
> headers and footers should be added to the wrapping message, not the
> wrapped message, which also says that the MUA shouldn't throw this away,
> but combine these with the original message (but in a way that makes it
> clear which is which).

Sure (and that is what I intended when I suggested wrapping in the first place), but (a) MUAs don't support DMARC yet, and all the signs say that the yahoos will deliberately delay implementing MUAs that do, and (b) many MUAs don't support wrapped messages well at all. As John put it,

>> Failing that, all we have left is hacks, none of which are
>> satisfactory.

We'll see how the on-going talks at the IETF go. Some results should be forthcoming "shortly" (that's hearsay, and I can't say any more because that's exactly what I was told by a source close to the center of the process).

------------------------------------------------------
Mailman-Users mailing list Mailman-Users@python.org
https://mail.python.org/mailman/listinfo/mailman-users
Mailman FAQ: http://wiki.list.org/x/AgA3
Security Policy: http://wiki.list.org/x/QIA9
Searchable Archives: http://www.mail-archive.com/mailman-users%40python.org/
Unsubscribe: https://mail.python.org/mailman/options/mailman-users/archive%40jab.org
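
The wrapping approach discussed in this message, as an added example that is not part of the original post and is not Mailman's own code: the list decoration goes on the outer message and the original is carried byte-for-byte as a `message/rfc822` part, so its DKIM signature still covers exactly what the sender signed. The function names, the `lists.example` and `sender.example` addresses and the sample message are constructed for illustration, and the sketch assumes ASCII headers and 7-bit content.

```python
import secrets
from email import message_from_bytes, policy
from email.utils import formatdate, make_msgid

# Constructed sample: mail from a p=reject domain (signature values are placeholders).
ORIGINAL = (
    b"DKIM-Signature: v=1; a=rsa-sha256; d=sender.example; s=sel1;\r\n"
    b"\th=from:to:subject:date; bh=PLACEHOLDER; b=PLACEHOLDER\r\n"
    b"From: Alice <alice@sender.example>\r\n"
    b"To: demo-list@lists.example\r\n"
    b"Subject: Meeting notes\r\n"
    b"Date: Sat, 10 May 2014 09:00:00 +0000\r\n"
    b"\r\n"
    b"Notes attached below.\r\n"
)

def wrap_for_list(original: bytes, list_addr: str, list_name: str, footer: str) -> bytes:
    """Wrap `original` untouched; all list decoration goes on the outer message."""
    inner = message_from_bytes(original, policy=policy.SMTP)
    # Pick a boundary that cannot collide with the wrapped bytes.
    boundary = "wrap-" + secrets.token_hex(12)
    while boundary.encode() in original:
        boundary = "wrap-" + secrets.token_hex(12)
    local, domain = list_addr.split("@")
    headers = [
        f"From: {list_name} <{list_addr}>",  # list's own domain, not the author's
        f"To: {list_addr}",
        f"Subject: [{list_name}] {inner['Subject']}",
        f"Date: {formatdate()}",
        f"Message-ID: {make_msgid(domain=domain)}",
        f"List-Id: <{local}.{domain}>",
        f"List-Post: <mailto:{list_addr}>",
        "MIME-Version: 1.0",
        f'Content-Type: multipart/mixed; boundary="{boundary}"',
    ]
    head = "\r\n".join(headers).encode("ascii") + b"\r\n\r\n"
    b = boundary.encode()
    return (head
            + b"--" + b + b"\r\nContent-Type: message/rfc822\r\n\r\n" + original
            + b"\r\n--" + b + b"\r\nContent-Type: text/plain; charset=us-ascii\r\n\r\n"
            + footer.encode("ascii") + b"\r\n--" + b + b"--\r\n")

def unwrap(wrapped: bytes) -> bytes:
    """Receiver side: recover the exact wrapped bytes for DKIM verification."""
    boundary = message_from_bytes(wrapped, policy=policy.SMTP).get_boundary().encode()
    part = wrapped.split(b"--" + boundary + b"\r\n")[1]
    body = part.split(b"\r\n\r\n", 1)[1]
    return body[:-2]  # drop the CRLF that belongs to the next boundary line
```

A receiver or MUA that understands the wrapper would run its DKIM check over the bytes returned by `unwrap`, while the `List-*` headers, subject tag and footer remain visible on the outer message.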