On Thu 11/Aug/2022 06:28:53 +0200 Murray S. Kucherawy wrote:
> On Wed, Aug 10, 2022 at 10:44 AM Douglas Foster wrote:
>> Telling domain owners not to use p=reject is not the solution; the real
>> solution is for evaluators to act wisely, and to review other available
>> evidence carefully. Our document can provide guidance on wise use,
>> starting with a discussion of possible failure modes.
>>
>> [...failure modes...]
>
> Similarly, creating a de-munging strategy presents a cookbook that might be
> able to construct a message that will fail DKIM in a way that something
> later in the processing order will forgive.

DKIM's aim was to eliminate that fuzziness. Unverified signatures bear no
value.

> Moreover, we would have to be sure of being able to describe a very high
> percentage of all mutations MLMs do in a manner that's hard for receivers to
> reverse incorrectly. But those mutations range from simple (subject
> tagging) to quite complex (MIME wrapping or restructuring). We've
> considered both of these approaches before, and have never managed to
> convince ourselves we could achieve an acceptable level of success. There
> was, so far as I know, not even a single experimental implementation of any
> of the proposals.

There is at least one experimental implementation of reverting MLM
transformation. I use it every day, and it works quite well, subject to a
couple of limitations:
* It works only with mailing lists that behave "well" (all the ones I know),
* It works only with "light" original signatures.
That's the /complicated/ de-munging strategy. The much simpler approach I
described upthread would work in 100% of cases for lists that add the Author:
field. It is a little less secure, as you need to trust the mailing list
signature.

> We seem to be left with the idea of telling domain owners that "p=reject"
> causes damage at a level that does not justify the protection it provides.
> Domain owners wishing to protect themselves obviously have disagreed with
> that value judgement, but the community for which the IETF speaks, I would
> argue, is larger than that.

"Classic" mailing lists, like this, account for a minor part of mail traffic.
Therefore, the visible damage is not so big as to desist from using DMARC,
methinks.
Best
Ale