Scott Kitterman writes: > I wasn't attempting to do it purposefully badly.
I didn't mean you were *trying* to do it badly. However, using fs= for *all* addressees on *all* outgoing mail seems like the worst possible scenario. > I'm not aware of any significant DKIM signing done at the MUA > level. I think (at least for real DKIM signatures) Exactly. But the "Big 4" MUAs are in close cooperation (FSVO "close") with the "Big 4" MTAs. They could do it in the MUA, or they could invent a simple protocol to ask their MTAs to do it for the MUA. > you have to have the MTA do it to mitigate risk of signature > breakage to to MTA level transformations. If the signature has to > be done at the MUA, No, it doesn't *have* to be done at the MUA. I'm saying it *could* be done at the MUA, and with the exception of MTAs that rewrite Message-ID, I would think the risk for weak signatures is fairly minimal. (I know, I know, "famous last words".) > then we're back to this only works once MUA upgrades are done. I > thought we'd agreed forcing MUA modifications was not a post for > success. > > If I misunderstood the proposal and it requires someone to be > keeping a list of mailing lists used (either globally or by > individual users), then I think this is not a good idea at all. I > don't think any tracking/whitelisting design is going to succeed at > scale. I can't speak for Murray, but I can't see that his proposal does. My (informal) proposal is a way for the "Big 4" to get into this without a huge risk of replayable messages going to spammers on a large scale. > My view is that either we find a reasonable way to make this idea > work without a list of mailing lists or we toss it on the pile of > things that won't work. Unfortunately, we already have something that doesn't work, it is deployed at scale, and it continues to cause annoyance at scale (the guy next to me at the PyCon sprints just got a messaged rejected because he replied to a ".dmarc.invalid" address). Really, isn't the question whether Yahoo! and AOL are willing to do *anything* to mitigate? We need some participation from them or it's useless, and if at least one does participate, it's a win. What are they willing to think about implementing? _______________________________________________ dmarc mailing list [email protected] https://www.ietf.org/mailman/listinfo/dmarc
