Re: DMARC: perspectives from a listadmin of large open-source lists

[Miles Fidelman <mfidelman@meetinghouse.net>]

John Levine wrote:
>> Meanwhile, I'm still not proposing that we train users, or even
>> anti-spam software to "recognize" or "validate" mailing list addresses.
>> What I'm proposing is a way to send mail from a list with From:
>> @domain-of-list.tld so that it can pass DMARC/SPF/DKIM, and allow the
>> left side of the @ sign to identify the actual sender of the message.
> Yes, that's the 1980s percent hack.  Do you really think it's a good
> idea to reinvent it to get around the defects of the FUSSP du jour?
>
> I agree that it's not plausible to train people to recognize mailing
> list addresses.  But what you're proposing is to train people to be
> phished, by telling them that a rewritten address from something that
> looks sort of like a mailing list is equivalent to whatever the
> original address was.  Given that DMARC is supposed to be an
> anti-phishing tool, this completely defeats the point.
>
> R's,
> John

It strikes me that the real way to address some of these issues is to 
add a few new headers to SMTP - to get rid of the overloading of the 
From: and Reply-to: headers associated with mailing lists.  An SMTP 
extension that would absorb some of the well-known and well-understood 
functions of list software.

I have to think a bit about what the full list of headers might be, but 
I'd start with:
From: <original author>
List-From: <mailing list>
Reply-To-Original:
Reply-To-List: <set by list manager>
List-Name:
DKIM signature stuff applied to original message
DKIM signature applied by list server

That might be a start toward a real solution that solves both sets of 
problems.

Then again - it's late, I'm in the middle doing my taxes - this might 
not make any sense at all.

Miles Fidelman

-- 
In theory, there is no difference between theory and practice.
In practice, there is.   .... Yogi Berra