[dmarc-discuss] pounding nails with DMARC screwdriver, was Google & IPv6 SPF check

John Levine johnl at taugh.com
Tue Jun 12 18:17:24 PDT 2012


>> List op: We sign our mail.  Why not just whitelist us?
>
>When you say "whitelist us" what do you mean?

What it sounds like.  If your users want mail from the lists to which
they subscribe, whitelist the lists.  The number of places sending
real list mail is small enough that this shouldn't be an unduly
labor-intensive job.

> And whom are you proposing to do the whitelisting?

The same people who manage the rest of your inbound mail handling, of
course.  They're not going away just because you've added a layer of
DMARC.

Mailing lists don't have any problems that DMARC can solve.  They're
not a significant conduit for spam or phishing.  They're not a major
target for forgery.  If you're losing mail because the contributors'
domains publish p=quarantine or reject, the correct response is "don't
do that", for the same reason they shouldn't publish ADSP discardable.
(Indeed p=reject is a ticket to disaster since the rejections will get
random subscribers bounced off the lists, as we found in real life due
to someone's overenthusiastic implementation of ADSP.)

Changing lists to work around p=reject won't help, since there are
lots of other ways that individual users send mail from random places,
e.g. collecting and sending their mail via Gmail or Yahoo.

If I sound exasperated, it's because we went through this exact same
exercise with DKIM and ADSP, and it's annoying to find that nobody was
paying attention.  Rather than doing list software mutations that
nobody will use, encourage lists to sign with DKIM, which will not
require changing the operation of any list I know, whitelist the
fricking things, and be done with it.

R's,
John
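
One way a receiver could key such a whitelist on the list's DKIM signing domain, as an added example that is not part of the original message. The authserv-id, the whitelist contents and the sample messages are constructed assumptions.

```python
import re
from email import message_from_string

# Assumptions (not from the post): our MTA's authserv-id and the local whitelist.
AUTHSERV_ID = "mx.receiver.example"
LIST_SIGNERS = {"lists.example.org"}  # DKIM d= domains of lists our users subscribe to

def auth_results(msg):
    """Return {method: [(result, props)]} from Authentication-Results we added."""
    out = {}
    for hdr in msg.get_all("Authentication-Results", []):
        authserv, _, rest = hdr.partition(";")
        if authserv.split()[:1] != [AUTHSERV_ID]:
            continue  # not stamped by our MTA, so the sender may have forged it
        for clause in rest.split(";"):
            m = re.match(r"\s*(\w+)=(\w+)(.*)", clause, re.S)
            if m:
                props = dict(re.findall(r"([\w.]+)=(\S+)", m.group(3)))
                out.setdefault(m.group(1).lower(), []).append((m.group(2).lower(), props))
    return out

def disposition(raw):
    """Return 'deliver', 'deliver-whitelisted-list', or 'enforce-dmarc-policy'."""
    res = auth_results(message_from_string(raw))
    if all(result != "fail" for result, _ in res.get("dmarc", [])):
        return "deliver"
    # DMARC failed for the From: domain; honor a valid signature from a known list.
    for result, props in res.get("dkim", []):
        if result == "pass" and props.get("header.d", "").lower() in LIST_SIGNERS:
            return "deliver-whitelisted-list"
    return "enforce-dmarc-policy"

# Constructed sample messages (not real traffic).
LIST_MAIL = (  # contributor's signature broken by the list, list's own signature valid
    "Authentication-Results: mx.receiver.example;\n"
    " dkim=fail header.d=contributor.example;\n"
    " dkim=pass header.d=lists.example.org;\n"
    " dmarc=fail header.from=contributor.example\n"
    "From: alice@contributor.example\n\nhi\n")
DIRECT_FORGERY = (  # same From: domain, no list signature
    "Authentication-Results: mx.receiver.example;\n"
    " dkim=none; dmarc=fail header.from=contributor.example\n"
    "From: alice@contributor.example\n\nhi\n")
SPOOFED_HEADER = (  # a header from another authserv-id claiming the list signed it
    "Authentication-Results: mx.other.example;\n"
    " dkim=pass header.d=lists.example.org\n" + DIRECT_FORGERY)
```

The override is keyed on a verified `d=` value rather than on the From: address or a List-Id header, since those are set by the sender.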

