On Thu, Jan 23, 2014 at 9:17 AM, Franck Martin <[email protected]> wrote:
>
> On Jan 22, 2014, at 8:38 PM, Murray S. Kucherawy <[email protected]> wrote:
>
> > The feature request asks for a way to whitelist deliveries for which there's "p=reject" and DMARC fails as long as there's a List-Id: or List-Post: field on a message. This is basically a filter bypass feature that's at the control of the sender, and it seems like a really bad idea as described.
> >
> > There would need to be more to it than just this. Can you develop the idea more? What should be in the field if it's present? Should it be tied to something else?
> >
>
> It is not at the control of the sender, it is at the control of the receiver.
>
> The receiver needs to enter the IP of where mailing lists are sending from. It is up to the receiver to decide if it should override the policy. This feature is part of the spec where receivers can override the policy and indicate it in the reports.
>

Ah, I misread the request. I thought the request was just to skip DMARC enforcement if those header fields are present regardless of origin. I think John's point holds though, namely that the receiver will have to keep that list pretty current, or find some secure way of doing so automatically.

> Because some mailing lists like google-groups send from the same IP as other mail streams, you only want to override the mail that is obviously from a mailing list. The easy indicator I found is the presence of the List-id or list-post header.
>

The risk, of course, is that there might be a way to send abusive mail from/via those IP addresses, and simply tack those header fields onto the message. That bypasses DMARC entirely. So the receiver enabling this will need to understand how the sender/relay uses those IP addresses and trust that it's unlikely to change.

>
> You could make it more complicated, and tie IPs with the presence of the header and its content (usually the name of the mailing list), but also it is common that several mailing lists are hosted on the same machine, so I don't see the need to make the criteria of surgical precision.
>

There are other possibilities. For example, List-Id: is generally the list's submission address with the "@" changed to a ".". You might try saying "If it comes from IP X, the value of this field ought to look like *.Y, where Y is the Organizational Domain Name associated with X". And maybe the domain name part of that needs also to be DMARC-aligned. I'm making this up as I go, but you get the idea.

-MSK
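
Added example, not part of the original thread or any participant's code: a sketch of the receiver-side override discussed above, comparing the header-presence rule with the tighter "List-Id looks like *.Y" rule. The IP ranges, domains, function names and sample messages are constructed, and the functions are assumed to be consulted only after DMARC has already failed under p=reject.

```python
import ipaddress
import re
from email import message_from_string

# Receiver-maintained table (constructed values): source network -> the
# Organizational Domain the receiver associates with that list host.
LIST_SOURCES = {
    ipaddress.ip_network("192.0.2.0/28"): "lists.example",
    ipaddress.ip_network("198.51.100.25/32"): "groups.example",
}

def org_domain_for(src_ip):
    """Return the configured domain for src_ip, or None if not listed."""
    addr = ipaddress.ip_address(src_ip)
    for net, domain in LIST_SOURCES.items():
        if addr in net:
            return domain
    return None

def list_id_value(msg):
    """Extract the identifier from List-Id (RFC 2919: 'phrase <id>')."""
    raw = msg.get("List-Id")
    if raw is None:
        return None
    m = re.search(r"<([^<>\s]+)>", raw)
    return (m.group(1) if m else raw.strip()).lower().rstrip(".")

def override_presence_only(src_ip, msg):
    """Loose rule: listed IP plus any List-Id or List-Post header."""
    return org_domain_for(src_ip) is not None and (
        "List-Id" in msg or "List-Post" in msg)

def override_strict(src_ip, msg):
    """Tighter rule: List-Id must look like *.Y for the IP's domain Y."""
    domain = org_domain_for(src_ip)
    lid = list_id_value(msg)
    if domain is None or lid is None:
        return False
    return lid.endswith("." + domain)

# Constructed messages: a real list post, and mail from the same shared IP
# with a list header simply tacked on.
GENUINE = message_from_string(
    "From: user@bank.example\nList-Id: Discuss <discuss.lists.example>\n\nhi\n")
TACKED_ON = message_from_string(
    "From: user@bank.example\nList-Id: <promo.other.example>\n\nhi\n")
```

Both rules still depend on the receiver keeping the IP table current; the strict rule only narrows what a listed IP can get past the policy.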
