I cannot agree with your logic.

Assuming that you want your email gateway to accept this message, it is
because the list and the organization behind it have a positive reputation
with you. Your trust in this message is not because you have a prior
relationship or reputation data for each individual list member. Indeed, we do
not even know the complete list of members from whom reputation data would
need to be assembled.

DMARC requires one of two actions:
- either the list confirms its identity to your email gateway by altering
the From Address, or
- your email gateway is configured to confirm the list identity using other
parameters such as an SPF-verified SMTP From Address.

There is no evasion of identity. By either method, there is formal
verification of identity where there was previously no verification.

I understand the disruption when From-Rewrite was not available and AOL was
not willing to create exceptions.
I understand the perceived inconvenience of a rewritten From address.
But I see the network of trust only enhanced, not diminished, by the DMARC
mechanism.

Doug Foster
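
The two options listed in this message, as an added example that is not part of the original post: a receiving gateway's DMARC check on a list-relayed message, with and without From rewriting, and with a local exception keyed on the list's SPF-verified SMTP From. The domains, the function names, the two-label organizational-domain shortcut and the allow-list form of the exception are all assumptions made for illustration.

```python
from dataclasses import dataclass

@dataclass
class AuthResults:
    """What the receiving gateway verified for one message (domains only)."""
    header_from: str          # domain of the visible From address
    mail_from: str            # domain of the SMTP From (envelope sender)
    spf_pass: bool            # SPF verdict for mail_from
    dkim_pass: tuple = ()     # d= domains whose DKIM signatures verified

def org_domain(domain):
    # Simplification (assumption): last two labels. Real code uses the Public Suffix List.
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def aligned(a, b):
    # Relaxed alignment: both names share one organizational domain.
    return org_domain(a) == org_domain(b)

def dmarc_pass(r):
    # DMARC passes when SPF or DKIM passes for a domain aligned with the From domain.
    spf_ok = r.spf_pass and aligned(r.mail_from, r.header_from)
    dkim_ok = any(aligned(d, r.header_from) for d in r.dkim_pass)
    return spf_ok or dkim_ok

def gateway_decision(r, from_policy, trusted_lists=frozenset()):
    """from_policy is the p= value published by the header_from domain."""
    if dmarc_pass(r):
        return "accept: dmarc pass"
    # Second option: the gateway recognises the list by its SPF-verified SMTP From.
    if r.spf_pass and r.mail_from.lower() in trusted_lists:
        return "accept: list identity verified by SPF"
    if from_policy in ("reject", "quarantine"):
        return from_policy + ": dmarc fail"
    return "accept: dmarc fail, p=none"

# Constructed messages. The list added a footer, so the author's DKIM signature
# no longer verifies; only the list's own signature does.
AUTHOR, LIST = "author.example", "lists.example"
direct = AuthResults(AUTHOR, AUTHOR, True, (AUTHOR,))
relayed = AuthResults(AUTHOR, LIST, True, (LIST,))      # From left untouched
rewritten = AuthResults(LIST, LIST, True, (LIST,))      # first option: From rewritten

if __name__ == "__main__":
    print("direct    ->", gateway_decision(direct, "reject"))
    print("relayed   ->", gateway_decision(relayed, "reject"))
    print("rewritten ->", gateway_decision(rewritten, "none"))
    print("relayed, list trusted ->", gateway_decision(relayed, "reject", {LIST}))
```

The exception only applies when SPF actually passed for the list's envelope domain, so a message that merely claims the list's SMTP From is still handled under the author domain's policy.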


-----Original Message-----
From: dmarc [mailto:[email protected]] On Behalf Of Joseph Brennan
Sent: Wednesday, September 16, 2020 11:03 AM
To: IETF DMARC WG
Subject: Re: [dmarc-ietf] Issue submission - Mailing list security and
potential solutions using DMARC

What I mean is that mailing list software developers were obliged to find a
variety of ways to evade dmarc enforcement, for the sake of delivering
legitimate mail, and mailbox server developers learned to allow mangled mail
for the same reason. Widespread acceptance of email that evades an
authentication method diminishes its effectiveness.



On Wed, Sep 16, 2020 at 10:46 AM Dotzero <[email protected]> wrote:
>
>
>
> On Tue, Sep 15, 2020 at 12:02 PM Joseph Brennan <[email protected]> wrote:
>>
>>
>>
>> On Tue, Sep 15, 2020 at 11:55 AM John Levine <[email protected]> wrote:
>>>
>>> In article 
>>> <CAMSGcLDKRMbJ_30jZdKE_6hkKaktwBxU6_E=E=bnk2_ckmn...@mail.gmail.com>
>>> , Joseph Brennan  <[email protected]> wrote:
>>> >"Domain administrators must not apply dmarc authentication to 
>>> >domains from which end users send mail that may be re-sent via 
>>> >lists or automatic forwarding."  -- done. Then dmarc will be simple 
>>> >and reliable, and bank statements and similar messages are 
>>> >protected as intended. Building in a standard workaround 
>>> >significantly weakens the whole concept, doesn't it?
>>>
>>> Unfortunately, we have ample evidence that domain operators will 
>>> ignore that advice.
>>>
>>> According to someone who was in the room when Yahoo flipped the 
>>> switch, the person in charge said words to the effect that I know 
>>> this will screw up everyone's mailing lists and I don't care.
>>>
>>
>> The irony is, the result being to diminish the effectiveness of dmarc for
>> everybody.
>>
>>
>> Joseph Brennan
>> Lead, Email and Systems Applications
>> Columbia University Information Technology
>>
>>
>
> Can you support your assertion with data? There was zero change
> post-yahoo/AOL implementation vs pre-yahoo/AOL implementation for the
> organization I worked for at the time.
>
> Michael Hammer



--
Joseph Brennan
Lead, Email and Systems Applications
Columbia University Information Technology

_______________________________________________
dmarc mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dmarc