Re: DMARC: perspectives from a listadmin of large open-source lists

Doug Barton <dougb@dougbarton.us> Mon, 14 April 2014 01:59 UTC


On 04/13/2014 02:10 PM, John Levine wrote:
>> Building on the FROM_IS_LIST idea, rather than having the From be
>> rewritten to simply "list@example.com" why not establish a convention
>> (dare I say "standard?") to encode the real from address and list to the
>> left of the @ sign? The rub with DMARC/SPF/DKIM is the domain itself,
>> not the whole address.
>
> This is a minor tweak of the "authenticated phish via on-behalf-of" proposal.

It's not, actually. The defects in XOAR are obvious even to me.

> Spammers can send mail that looks a lot like mailing lists, you know.

What does that have to do with anything? If the message authenticates 
via DMARC/SPF/DKIM then that's a point in its favor in terms of it not 
being spam. If the message comes through with a From: that "looks like a 
mailing list" who cares? Even if that message passes all of the other 
spam filtering mechanisms between it and the user, the user is likely to 
know if they are signed up for a mailing list that the spam message is 
trying to fake, even if it isn't obvious on its face that it's spam to 
start with.

>   From: Paypal Security <security@paypal.com.lists.rbn.ru>

DMARC/SPF/DKIM will actually benefit that message if it has a valid 
signature. Nothing "mailing list" related about it.

> But wait, I have an even better idea, Nobody ever thought of this one!
>
>   From: Paypal Security <security%paypal.com@lists.rbn.ru>

Same here. And again, if the message comes through with a valid 
signature it's less likely to get caught as spam.

Meanwhile, I'm still not proposing that we train users, or even 
anti-spam software to "recognize" or "validate" mailing list addresses. 
What I'm proposing is a way to send mail from a list with From: 
@domain-of-list.tld so that it can pass DMARC/SPF/DKIM, and allow the 
left side of the @ sign to identify the actual sender of the message.

Doug
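
An added example, not part of the original message or of any list software: a sketch of DMARC identifier alignment showing that only the domain of the From: address is compared, applied to the rewrite discussed in this thread. The `user%domain@list-domain` encoding, the function names, and the `example.com` / `lists.example.org` addresses are assumptions made for illustration; the two `rbn.ru` From: lines are the ones quoted above, assumed here to be signed with `d=lists.rbn.ru`.

```python
from email.utils import formataddr, parseaddr

def from_domain(from_header):
    """Domain of the RFC5322.From address, the only part DMARC evaluates."""
    return parseaddr(from_header)[1].rpartition("@")[2].lower()

def org_domain(domain):
    # Assumption: the last two labels stand in for the Public Suffix List
    # lookup that a real DMARC evaluator performs.
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def aligned(from_header, auth_domain, strict=False):
    """Alignment of From: with an authenticated domain (DKIM d= or SPF MAIL FROM)."""
    fd, ad = from_domain(from_header), auth_domain.lower()
    return fd == ad if strict else org_domain(fd) == org_domain(ad)

def list_rewrite(from_header, list_domain):
    """Hypothetical list rewrite: author%author-domain@list-domain."""
    name, addr = parseaddr(from_header)
    local, _, domain = addr.rpartition("@")
    return formataddr((name, f"{local}%{domain}@{list_domain}"))

def original_author(from_header):
    """Recover the encoded author, or None if the local part has no '%'."""
    local = parseaddr(from_header)[1].rpartition("@")[0]
    user, sep, domain = local.rpartition("%")
    return f"{user}@{domain}" if sep else None

if __name__ == "__main__":
    list_dom = "lists.example.org"        # constructed list domain, used as DKIM d=
    author = "Alice <alice@example.com>"  # constructed author address
    rewritten = list_rewrite(author, list_dom)
    print("unmodified From aligned with list signature:", aligned(author, list_dom))
    print("rewritten From:", rewritten)
    print("rewritten From aligned (strict):", aligned(rewritten, list_dom, strict=True))
    # The two From: lines quoted in the thread, assumed signed with d=lists.rbn.ru.
    for hdr in ("Paypal Security <security@paypal.com.lists.rbn.ru>",
                "Paypal Security <security%paypal.com@lists.rbn.ru>"):
        print(hdr, "| relaxed:", aligned(hdr, "lists.rbn.ru"),
              "| strict:", aligned(hdr, "lists.rbn.ru", strict=True),
              "| encoded author:", original_author(hdr))
```

Alignment is computed from the domain alone, so a DMARC pass authenticates the list domain and makes no statement about the display name or about whatever is encoded to the left of the @ sign.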