Re: (DMARC) Why mailing lists are only sort of special

Mark Andrews <> Thu, 17 April 2014 03:02 UTC

From: Mark Andrews <>
Subject: Re: (DMARC) Why mailing lists are only sort of special
In-reply-to: Your message of "Wed, 16 Apr 2014 23:42:01 +0000." <>
Date: Thu, 17 Apr 2014 13:02:29 +1000

Part of the problem is that DKIM requires that email passes through
the signer's MTA to get the signature added.  Per user certs chained
to the published cert would address this issue.

This would allow someone using gmail to send as  Yes,
it requires all the PKI stuff like CRLs for compromised accounts.
You report spam that passes DKIM to who then revoke the
cert.  The CRL could be a DNS entry with a low negative TTL for
non-existing entries.  Note these CERTs don't need to be tied to
account names.  Yahoo would know who they were issued to but no one
else.  Multiple users could in theory use the same CERT.  Vetted
mailing lists could use a CERT after re-writing Subject, attaching
footers etc.  This CERT would be marked as "on behalf of" indicating
that it is not the actual user that is signing the message but a

This still requires a mailing list to sign the outgoing email and
have a collection of CERTS to do this with.  Mailing lists without
a CERT would reject incoming messages which would fail DKIM reporting
back to Yahoo why.  This would be a trigger to get a mailing list
CERT.  The yahoo user would need to sign off that they intended to
send to a mailing list before a CERT was issued.  This step could
be automated, but would be a brake on process abuse.

The email would have to contain the necessary linkage information in
the headers to get back to Yahoo's public key.

This isn't a perfect system but it would allow Yahoo to control who
gets to send email as

Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET:
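The scheme sketched in the message above (domain key issues per-user certs, the user rather than the domain MTA signs, revocation is a DNS lookup, and a vetted mailing list re-signs with a cert marked "on behalf of"), as an added example that is not part of the original post and not Mark Andrews' code. Everything here is assumed for illustration: the cert encoding, the "example.com" domain, the opaque cert IDs, and the `<certID>._revoked.<domain>` revocation label are made up, and an in-memory `Resolver` stands in for the DNS entries the post proposes. Ed25519 is used only because it is in Go's standard library; the post does not specify an algorithm.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
)

// Cert is a hypothetical per-user certificate chained to the domain's published key.
// The ID is opaque: the issuer knows who holds it, nobody else does, and several
// users could in principle share one.
type Cert struct {
	ID       string
	PubKey   ed25519.PublicKey
	OnBehalf bool   // set for a vetted mailing list that re-signs after rewriting the message
	Sig      []byte // domain signature over certTBS
}

// certTBS is the to-be-signed encoding of a cert (assumed format, not a standard):
// id || 0x00 || flag || pubkey.
func certTBS(id string, onBehalf bool, pub ed25519.PublicKey) []byte {
	flag := byte(0)
	if onBehalf {
		flag = 1
	}
	b := append([]byte(id), 0, flag)
	return append(b, pub...)
}

// IssueCert is the domain's issuing step: generate a keypair for the holder and sign it.
func IssueCert(domainPriv ed25519.PrivateKey, id string, onBehalf bool) (Cert, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	sig := ed25519.Sign(domainPriv, certTBS(id, onBehalf, pub))
	return Cert{ID: id, PubKey: pub, OnBehalf: onBehalf, Sig: sig}, priv
}

// Message carries the linkage the post asks for: the domain whose published key
// anchors the chain, the cert itself, and the holder's signature over the content.
type Message struct {
	Domain string
	Cert   Cert
	Body   string // stands in for the canonicalised headers+body a DKIM-style signature covers
	Sig    []byte
}

// Sign is done by the holder of the cert key, not by the domain's MTA.
func Sign(domain string, c Cert, priv ed25519.PrivateKey, body string) Message {
	return Message{Domain: domain, Cert: c, Body: body, Sig: ed25519.Sign(priv, []byte(body))}
}

// Resolver stands in for DNS: published domain keys plus per-cert revocation entries.
// A revoked cert has an entry; absence (NXDOMAIN, cached with a low negative TTL)
// means "not revoked".
type Resolver struct {
	DomainKeys map[string]ed25519.PublicKey
	Revoked    map[string]bool // keyed by "<certID>._revoked.<domain>" (assumed label)
}

// Verify checks the chain, the revocation entry, and the message signature, in that order.
func (r Resolver) Verify(m Message) (string, error) {
	domainPub, ok := r.DomainKeys[m.Domain]
	if !ok {
		return "", errors.New("no published key for " + m.Domain)
	}
	if !ed25519.Verify(domainPub, certTBS(m.Cert.ID, m.Cert.OnBehalf, m.Cert.PubKey), m.Cert.Sig) {
		return "", errors.New("cert not chained to domain key")
	}
	if r.Revoked[m.Cert.ID+"._revoked."+m.Domain] {
		return "", errors.New("cert revoked")
	}
	if !ed25519.Verify(m.Cert.PubKey, []byte(m.Body), m.Sig) {
		return "", errors.New("message signature invalid")
	}
	if m.Cert.OnBehalf {
		return "pass (on behalf of " + m.Domain + ")", nil
	}
	return "pass", nil
}

func verdict(r Resolver, m Message) string {
	v, err := r.Verify(m)
	if err != nil {
		return "fail: " + err.Error()
	}
	return v
}

// Scenario runs the cases the post describes and returns one verdict per case.
func Scenario() map[string]string {
	domPub, domPriv, _ := ed25519.GenerateKey(rand.Reader)
	_, otherPriv, _ := ed25519.GenerateKey(rand.Reader) // some unrelated issuer
	r := Resolver{DomainKeys: map[string]ed25519.PublicKey{"example.com": domPub}, Revoked: map[string]bool{}}

	userCert, userKey := IssueCert(domPriv, "c1", false)
	listCert, listKey := IssueCert(domPriv, "c2", true) // issued after the user signed off on the list
	rogueCert, rogueKey := IssueCert(otherPriv, "c3", false)

	res := map[string]string{}
	direct := Sign("example.com", userCert, userKey, "Subject: hi\r\n\r\nhello")
	res["direct"] = verdict(r, direct)
	// The list rewrote the Subject and added a footer, then re-signed with its own cert.
	res["list"] = verdict(r, Sign("example.com", listCert, listKey, "Subject: [list] hi\r\n\r\nhello\r\n-- footer"))
	res["rogue"] = verdict(r, Sign("example.com", rogueCert, rogueKey, "spam"))
	tampered := direct
	tampered.Body += "x"
	res["tampered"] = verdict(r, tampered)
	r.Revoked["c1._revoked.example.com"] = true // the domain revokes c1 after a spam report
	res["revoked"] = verdict(r, direct)
	return res
}

func main() {
	res := Scenario()
	for _, k := range []string{"direct", "list", "rogue", "tampered", "revoked"} {
		fmt.Printf("%-9s %s\n", k, res[k])
	}
}
```

The order of checks in `Verify` matters: the chain is checked before the revocation lookup so an attacker cannot spend the verifier's DNS queries with certs the domain never issued, and the revocation entry is keyed by the opaque cert ID, so the lookup reveals nothing about which account it was issued to.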