Mailing lists are supposed to be a closed group. This means that posts should only be accepted if they are verifiably from the subscriber indicated in the RFC5322.From address. This requirement means that a list needs a mechanism for verifying the RFC5322.From address, and the mechanism needs to be applicable to 100% of the accepted subscriber base. A possibly incomplete list of options would be:
· SPF PASS when the RFC5321.MailFrom address matches the RFC5322.From address,
· strict alignment of RFC5322.From domain with DKIM PASS domain,
· local policy overrides to provide the equivalent of SPF PASS, and
· challenge-response email exchange (“Did you really send this?”).

At present, we have only one official mechanism for verification of RFC5322.From, which is DMARC. However, DMARC is currently limited to domains that publish a DMARC policy, and this is a small subset of all potential subscriber domains. Without a reliable validation mechanism, mailing list posts cannot be trusted to represent their stated author.

DMARC actually creates a bizarre situation:
· When the mailing list message produces DMARC FAIL with p=reject, the message could have been, and hopefully was, verified by the list server. Therefore, the RFC5322.From identity can probably be trusted.
· However, when the mailing list message produces DMARC NoPolicy, the list could not perform verification, and therefore the RFC5322.From identity may be an impersonation.
· When the mailing list message produces DMARC FAIL with p=none, the list could not reliably reject on DMARC FAIL, so the message carries the same impersonation risk as DMARC NoPolicy.

Mailing lists that want all of their messages accepted will need a way to verify every subscriber’s posts. Since this algorithm has not yet been defined, and since improved disposition of mailing list messages is an important component of our charter, we need to provide an algorithm for 100% verification. Given that ARC is how we expect lists to notify evaluators of their verification results, we also need to ensure that ARC’s Result terms include all of the evaluation techniques used by our new algorithm.

Doug Foster
_______________________________________________ dmarc mailing list [email protected] https://www.ietf.org/mailman/listinfo/dmarc
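The following is an added example, not part of Doug Foster's post or of any IETF document: a small Python model of the four subscriber-verification options the post enumerates, plus the three-way DMARC situation it describes from the evaluator's side. The `Submission` dataclass, the function names, the mechanism labels it returns, and the sample addresses are all constructed for illustration; the DKIM check is the strict-alignment rule only (the post does not discuss relaxed alignment), and the treatment of any DMARC policy value other than `reject` as carrying impersonation risk is a conservative assumption, since the post only mentions `p=reject`, `p=none` and NoPolicy.

```python
from __future__ import annotations
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Submission:
    """Authentication facts a list server holds about one submitted post (constructed model)."""
    rfc5322_from: str                  # header From: address
    rfc5321_mailfrom: str              # envelope MAIL FROM address
    spf_result: str                    # SPF result for MAIL FROM: "pass", "fail", "none", ...
    dkim_pass_domains: list[str] = field(default_factory=list)  # d= of signatures that verified
    local_override: bool = False       # operator's local policy treated as equivalent to SPF PASS
    challenge_confirmed: bool = False  # subscriber answered "Did you really send this?"


def domain_of(addr: str) -> str:
    """Domain part of an email address, lower-cased."""
    return addr.rsplit("@", 1)[1].lower()


def verify_from(sub: Submission) -> Optional[str]:
    """Return the first mechanism (in the post's order) that verifies RFC5322.From, else None."""
    # 1. SPF PASS where the envelope sender is the same address as the header From.
    if sub.spf_result == "pass" and sub.rfc5321_mailfrom.lower() == sub.rfc5322_from.lower():
        return "spf-mailfrom-match"
    # 2. Strict alignment: a verified DKIM d= domain equal to the From domain.
    from_domain = domain_of(sub.rfc5322_from)
    if any(d.lower() == from_domain for d in sub.dkim_pass_domains):
        return "dkim-strict-alignment"
    # 3. Local policy override standing in for SPF PASS.
    if sub.local_override:
        return "local-policy"
    # 4. Out-of-band challenge-response confirmation from the subscriber.
    if sub.challenge_confirmed:
        return "challenge-response"
    return None


def evaluator_view(dmarc_policy: Optional[str]) -> str:
    """How a receiving evaluator can read a list message that fails DMARC after relay,
    given the author domain's published policy (None models DMARC NoPolicy)."""
    if dmarc_policy == "reject":
        # A list had to verify the author before relaying, or the post would be lost.
        return "likely-verified-by-list"
    # p=none or no policy: the list could not rely on DMARC FAIL to reject, so the
    # From identity may be impersonated. Assumption: other policy values are treated
    # the same conservative way, since the post does not discuss them.
    return "impersonation-risk"


def list_disposition(sub: Submission, dmarc_policy: Optional[str]) -> dict:
    """Combine both views for one post, as a list operator logging its decision might."""
    mechanism = verify_from(sub)
    return {
        "accept": mechanism is not None,
        "verified_by": mechanism,
        "evaluator_view": evaluator_view(dmarc_policy),
    }


if __name__ == "__main__":
    # Constructed sample posts using reserved example domains.
    direct = Submission("alice@example.org", "alice@example.org", "pass")
    via_esp = Submission("bob@example.net", "bounces@bulk.example.com", "pass",
                         dkim_pass_domains=["example.net"])
    unaligned = Submission("carol@example.com", "bounces@bulk.example.com", "pass",
                           dkim_pass_domains=["bulk.example.com"])
    for name, sub, policy in [("direct", direct, "reject"),
                              ("via_esp", via_esp, None),
                              ("unaligned", unaligned, "none")]:
        print(name, list_disposition(sub, policy))
```

The point the model makes concrete is that every accepted post carries a named mechanism, which is exactly the vocabulary an ARC Result field would need to convey to downstream evaluators; a `None` result is the case the post says a list must not silently relay.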
