On 5/10/2015 3:54 PM, John R Levine wrote:

> For the current question of a private list of mailing lists that get
> special treatment on outgoing mail, it still seems to me that small
> systems can just allow double signing for everything, and large
> systems can come up with a pretty good list of their own from a
> combination of their own incoming mail and the DMARC aggregate
> reports. The reports will tell you what IPs are sending mail with a
> combination of your own DKIM signature (valid or broken) and a second
> signature, so if a host is doing that, and the IP's reputation is not
> awful, the second signature is an excellent candidate for that list.
> I have about 35,000 aggregate reports here, should do a little data
> mining and see how well it works.

I agree.
Small systems can manage their DNS resigner management. Generally, the
Mail/DNS team are the same folks. Larger systems do have the mail
reporting data and SMTP rejection signals with the programming
resources and tools to come up with administrative system
scripts, including creating/updating zone files, if allowed. It can
be prepared so it is readable by the DKIM signer engine. It
doesn't have to be done via the DNS protocol but it can certainly be
managed as well.
--
HLS
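
The report-mining step described in the quoted text, as an added example that is not code from either poster: it reads DMARC aggregate reports (RFC 7489 XML) and collects domains whose DKIM signature appears alongside our own, valid or broken. `OUR_DOMAIN`, the `min_messages` threshold, the requirement that the second signature pass, and the sample report are assumptions; the IP reputation check mentioned in the thread is left to an external source.

```python
import xml.etree.ElementTree as ET
from collections import Counter

OUR_DOMAIN = "example.com"  # assumption: the domain we sign with and publish DMARC for
# Constructed sample report, trimmed to the RFC 7489 fields this example reads.
SAMPLE_REPORT = """<feedback>
  <record>
    <row><source_ip>192.0.2.10</source_ip><count>40</count></row>
    <auth_results>
      <dkim><domain>example.com</domain><result>fail</result></dkim>
      <dkim><domain>lists.example.org</domain><result>pass</result></dkim>
    </auth_results>
  </record>
  <record>
    <row><source_ip>198.51.100.7</source_ip><count>3</count></row>
    <auth_results><dkim><domain>example.com</domain><result>pass</result></dkim></auth_results>
  </record>
  <record>
    <row><source_ip>203.0.113.5</source_ip><count>9</count></row>
    <auth_results><dkim><domain>bulk.example.net</domain><result>pass</result></dkim></auth_results>
  </record>
</feedback>"""

def second_signers(report_xml, our_domain=OUR_DOMAIN):
    """Count messages per (source_ip, second signing domain) where our own
    DKIM signature (valid or broken) sits next to another domain's passing one."""
    hits = Counter()
    root = ET.fromstring(report_xml)  # reports are third-party input: harden the parser in production
    for rec in root.findall("{*}record"):  # {*} matches with or without an XML namespace
        ip = rec.findtext("{*}row/{*}source_ip", "").strip()
        count = int(rec.findtext("{*}row/{*}count", "0"))
        sigs = [(d.findtext("{*}domain", "").strip().lower(),
                 d.findtext("{*}result", "").strip().lower())
                for d in rec.findall("{*}auth_results/{*}dkim")]
        if not any(dom == our_domain for dom, _ in sigs):
            continue  # our signature is absent, so this is not re-signed mail of ours
        for dom, result in sigs:
            if dom != our_domain and result == "pass":
                hits[(ip, dom)] += count
    return hits

def candidates(reports, min_messages=10):
    """Second-signature domains seen on at least min_messages messages from one IP."""
    total = Counter()
    for xml_text in reports:
        total.update(second_signers(xml_text))
    return {dom for (ip, dom), n in total.items() if n >= min_messages}
```
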