TLDR summary: addressing "legitimate-but-unauthorizable" mail is my answer to Scott
Kitterman's question: "How do we define the scope of work for this list?".
Yup.
Yes, I get it, I guess in my own jaded way I don't think there is any
amount of money that Yahoo and AOL can spend that will fix things
(because email isn't owned by Yahoo or AOL). BUT, if Yahoo or AOL is
willing to experiment, let that experiment be me! ...
Sounds good.
I don't think there is/was a way for Yahoo to fix the estimated few
hundred mail systems acting on DMARC policies, especially since most are
not controlled by Yahoo. Maybe they could have published a list of
30,000 mail systems that are white-listed, but wouldn't that just be a
publication of 30,000 holes to exploit?
Um, wait. Are we doing experiments or not?
In answer to your second question, well, no. There's no reason to think
that "can't be described by DMARC" is related to "insecure". A lot of
them, like the WSJ and the schoolteacher who wrote to me, don't even have
inbound MTAs to attack.
Regards,
John Levine, [email protected], Taughannock Networks, Trumansburg NY
Please consider the environment before reading this e-mail.
_______________________________________________
dmarc mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dmarc
