Scott Kitterman writes:

> Yeah. I don't think it's possible to allow sending by arbitrary
> 'authorized' third parties without also making it possible to allow
> sending by anyone.

I don't know how you'd go about authorizing the third party and validating the authorization, but AFAICS an authorized sender, with that address in the Sender field and DMARC-but-with-Sender-Alignment, does for third parties what DMARC does for first parties in From. (Cue Douglas Otis pitching draft-otis-tpa-label and Hector Santos pitching some policy framework with authorization via DNS, but I don't think that auth-by-DNS scales to humongous mailbox providers.)

> > > 2. Enables third parties to send arbitrary content that will
> > > pass (yes, this is the point, but it's also a negative to
> > > some degree).

...

Sure. So are the ads that some providers post on their webmail clients, and is allowing first parties to send mail at all. (I wish my employer would stop, or at least slow down, for example.) I really don't see how unwanted content from *authorized* 3rd parties can be considered to count against these proposals. If the recipient doesn't like it, they revoke the authorization; problem solved.

> For replay protection, I think the Message ID could work, but I
> think the list would have to change to use its own Message ID
> associated with its signature.

You can have your cake and eat it, too. The list can sign a Resent-Message-ID (as well as the original if it wants to).

> The need to keep and consult a database of historical Message IDs
> does add a substantial negative in my book.

Not if you do it already, and many MUAs already do or have an option to do it. Remember, anti-spam measures don't have to be perfect, they just need to make the mischief unprofitable.

_______________________________________________
dmarc mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dmarc
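An added illustration of the two ideas in the reply above (it is not code from the thread or from any DMARC implementation): a receiver-side alignment check that, as the proposal suggests, lets an authenticated Sender: domain align when From: does not, plus a seen-identifier replay guard keyed on the list's Resent-Message-ID. The organizational-domain rule (last two labels) and the sample message are constructed simplifications for this example.

```python
import email
import email.utils
from email import policy

# Constructed sample: a list relays Alice's post and adds its own Sender:
# and Resent-Message-ID; the list's domain is what DKIM/SPF authenticate.
SAMPLE = """From: Alice <alice@example.org>
Sender: list-bounces@lists.example.net
Resent-Message-ID: <relay-1@lists.example.net>
Message-ID: <orig-1@example.org>
Subject: hello

body
"""

def org_domain(domain):
    # Simplified stand-in for a public-suffix lookup: last two labels.
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def aligned(header_domain, auth_domain, mode="r"):
    """Relaxed ('r'): organizational domains match; strict ('s'): exact."""
    h, a = header_domain.lower(), auth_domain.lower()
    return h == a if mode == "s" else org_domain(h) == org_domain(a)

def addr_domain(header_value):
    addr = email.utils.parseaddr(str(header_value))[1]
    return addr.rsplit("@", 1)[-1] if "@" in addr else ""

def evaluate(raw, dkim_domains, spf_domain, allow_sender=False, mode="r"):
    """Return (passed, identifier). Plain DMARC aligns only From:; with
    allow_sender an aligned Sender: header is accepted as well."""
    msg = email.message_from_string(raw, policy=policy.default)
    candidates = [("From", addr_domain(msg["From"]))]
    if allow_sender and msg["Sender"]:
        candidates.append(("Sender", addr_domain(msg["Sender"])))
    authenticated = list(dkim_domains) + ([spf_domain] if spf_domain else [])
    for ident, dom in candidates:
        if dom and any(aligned(dom, a, mode) for a in authenticated):
            return True, ident
    return False, None

def replay_check(raw, seen):
    """Accept a message once per list-assigned Resent-Message-ID (falling
    back to Message-ID); a second delivery with the same id is rejected."""
    msg = email.message_from_string(raw, policy=policy.default)
    rid = str(msg["Resent-Message-ID"] or msg["Message-ID"])
    if rid in seen:
        return False
    seen.add(rid)
    return True
```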
