On Tuesday, April 14, 2015 11:56:20 PM Stephen J. Turnbull wrote:
> Scott Kitterman writes:
>
> > I wasn't attempting to do it purposefully badly.
>
> I didn't mean you were *trying* to do it badly. However, using fs= for
> *all* addressees on *all* outgoing mail seems like the worst possible
> scenario.

I think it's the only one that scales, so worst or not, I think it's what you get.

> > I'm not aware of any significant DKIM signing done at the MUA
> > level. I think (at least for real DKIM signatures)
>
> Exactly. But the "Big 4" MUAs are in close cooperation (FSVO "close")
> with the "Big 4" MTAs. They could do it in the MUA, or they could
> invent a simple protocol to ask their MTAs to do it for the MUA.
>
> > you have to have the MTA do it to mitigate risk of signature
> > breakage due to MTA level transformations. If the signature has to
> > be done at the MUA,
>
> No, it doesn't *have* to be done at the MUA. I'm saying it *could* be
> done at the MUA, and with the exception of MTAs that rewrite
> Message-ID, I would think the risk for weak signatures is fairly
> minimal. (I know, I know, "famous last words".)

8 bit to 7 bit transformations are also not rare.

> > then we're back to this only works once MUA upgrades are done. I
> > thought we'd agreed forcing MUA modifications was not a post for
> > success.
> >
> > If I misunderstood the proposal and it requires someone to be
> > keeping a list of mailing lists used (either globally or by
> > individual users), then I think this is not a good idea at all. I
> > don't think any tracking/whitelisting design is going to succeed at
> > scale.
>
> I can't speak for Murray, but I can't see that his proposal does.

I haven't reviewed his in detail, so I've no opinion. I was talking about this proposal. Not getting fancy with MIME parts would be nice, so if this one can work, I already like it better than Murray's, but if we have to pile this onto the stack of nice ideas, then that's probably what I'll look at next.

> My (informal) proposal is a way for the "Big 4" to get into this
> without a huge risk of replayable messages going to spammers on a
> large scale.

Which one is that?

> > My view is that either we find a reasonable way to make this idea
> > work without a list of mailing lists or we toss it on the pile of
> > things that won't work.
>
> Unfortunately, we already have something that doesn't work, it is
> deployed at scale, and it continues to cause annoyance at scale (the
> guy next to me at the PyCon sprints just got a message rejected
> because he replied to a ".dmarc.invalid" address).
>
> Really, isn't the question whether Yahoo! and AOL are willing to do
> *anything* to mitigate? We need some participation from them or it's
> useless, and if at least one does participate, it's a win. What are
> they willing to think about implementing?

Depends on who needs to change to mitigate things. If (as an example only) we decide that From rewriting is the best (least bad) solution, then that's a mediator change. We don't need Yahoo and AOL except to the extent they operate as mediators also, but AFAIK, that's different groups at Yahoo and AOL.

Scott K
