"Doctor, it hurts when I do this." "So don't do that."
>X = me/PayPal.com
>Y = this list/[email protected]
>Z = Google's Gmail service [1]

I understand your point, but I think that it would be a better idea to put Paypal's transactional mail and mail from its staff into different domains with different reputations and different handling.

If you're telling recipients to throw away paypal.com mail with missing or broken signatures, your messaging is going to be vastly more confusing and harder to follow if you add "oh, except for these special cases for stuff passed through mailing lists, and be sure only to do the special cases for real mailing lists." "No, we don't have a list of every real mailing list in the world. Why do you ask?"

Or to look at it another way, if a piece of mail arrives from some random mailing list like thing with a paypal.com return address, and a header that purports to say that the message was signed when it arrived at the list, how likely is it that it's mail from you vs. mail from a phish kit trying to fake out verifiers?

R's,
John

PS: Not to pick specifically on Paypal, but you are of course the poster child for phish targets so egregious that it's worth the risk of losing a little real mail to get rid of the phish.

PPS: [email protected] would be a much cooler address

_______________________________________________
NOTE WELL: This list operates according to
http://mipassoc.org/dkim/ietf-list-rules.html
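The verifier-side trade-off discussed in the message above, as an added example that is not part of the original post: a receiver policy that discards strict-domain mail unless its own border MTA recorded a DKIM pass, run over constructed messages. The authserv-ids `mx.receiver.example` and `lists.example.org`, the sender address and the function names are assumptions made for illustration.

```python
from email import message_from_string
from email.utils import parseaddr

STRICT_DOMAINS = {"paypal.com"}           # domains whose unsigned mail is thrown away
TRUSTED_AUTHSERV = "mx.receiver.example"  # assumption: our own border MTA's authserv-id


def dkim_passes(msg, trusted):
    """Return d= domains with dkim=pass, counting only headers stamped by `trusted`.

    Assumes the border MTA already stripped inbound headers carrying its own
    authserv-id, as RFC 8601 asks of border MTAs.
    """
    passed = set()
    for value in msg.get_all("Authentication-Results", []):
        parts = [p.strip() for p in value.replace("\n", " ").split(";")]
        head = parts[0].split()
        if not head or head[0].lower() != trusted:
            continue  # written upstream by a list, a forwarder or a phish kit
        for clause in parts[1:]:
            tokens = clause.split()
            if tokens and tokens[0].lower() == "dkim=pass":
                passed.update(t.split("=", 1)[1].lower() for t in tokens[1:]
                              if t.lower().startswith("header.d="))
    return passed


def disposition(raw, trusted=TRUSTED_AUTHSERV):
    """Return 'deliver' or 'discard' for one raw message."""
    msg = message_from_string(raw)
    domain = parseaddr(msg.get("From", ""))[1].rsplit("@", 1)[-1].lower()
    if domain not in STRICT_DOMAINS:
        return "deliver"
    return "deliver" if domain in dkim_passes(msg, trusted) else "discard"


def sample(*auth_results):
    """Build a constructed message carrying the given Authentication-Results values."""
    hdrs = ["From: PayPal <service@paypal.com>", "Subject: constructed sample"]
    hdrs += ["Authentication-Results: " + v for v in auth_results]
    return "\n".join(hdrs) + "\n\nbody\n"


LOCAL_FAIL = "mx.receiver.example; dkim=fail header.d=paypal.com"
UPSTREAM_CLAIM = "lists.example.org; dkim=pass header.d=paypal.com"
DIRECT = sample("mx.receiver.example; dkim=pass header.d=paypal.com")
VIA_LIST = sample(LOCAL_FAIL, UPSTREAM_CLAIM)  # relayed by a real list, signature broken
PHISH = sample(LOCAL_FAIL, UPSTREAM_CLAIM)     # forged: the claim is byte-identical
```

Calling `disposition(PHISH, trusted="lists.example.org")` shows what the mailing-list exception costs: once the upstream header is believed, the forged message is delivered exactly like the relayed one.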
