[dmarc-discuss] mailing lists, was SPF pass / fail

John Levine johnl at taugh.com
Mon Mar 5 10:03:35 PST 2012


>> - operate as a strict forwarder, where the message is not changed and
>> the validity of the DKIM signature is preserved
>> - introduce an "Original Authentication Results" header to indicate
>> you have performed the authentication and you are validating it
>> - take ownership of the email, by removing the DKIM signature and
>> putting your own as well as changing the from header in the email to
>> contain an email address within your mailing list domain.
>
>I challenge everyone reading this to identify a mailing list that will
>be on board with implementing those suggestions.  To be clear, I
>hereby assert that NO reasonably utilized mailing list will make those
>changes, in fact I think they will laugh at the suggestions (if they
>haven't already).

Viz: Ha, ha, ha.  Years of experience with SPF and ADSP have
consistently shown that if an address appears in mail from a real
mailing list, and the SPF or ADSP fails, all that shows is that the
people who run the DNS don't talk to their users.

My lists all have valid DKIM signatures from the list domains, which
should make it easy for receivers to recognise list mail.  I am surely
not going to break software that has been working fine for over a
decade to work around limits in this month's authentication
experiment.

Reasonable suggestions to list operators include:

- Sign all mail with a stable domain, such as the list's domain.

- Validate all mail sent through the lists; at the least ensure
that it's from people allowed to post to the list.

- Spam filter mail sent to the list, to catch spam sent from
compromised accounts.

I'm not opposed to adding Authentication-Results headers, but I do not
believe they are useful for anything other than debugging.

R's,
John
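
Added example, not part of the original message or of any list software: a receiver-side sketch of how a stable list-domain DKIM signature lets list mail be recognised, by comparing the `d=` tag of each DKIM-Signature header with the domain in List-Id. It assumes the receiver's DKIM verifier has already checked the signatures cryptographically; the sample message, its domains and the function names are constructed for illustration.

```python
import re
from email import message_from_string

def dkim_domains(msg):
    """Return the lowercased d= domain of every DKIM-Signature header."""
    domains = []
    for value in msg.get_all("DKIM-Signature", []):
        tags = {}
        for part in value.split(";"):
            name, sep, val = part.partition("=")
            if sep:
                # Folding whitespace may surround tag names and values.
                tags[name.strip()] = re.sub(r"\s+", "", val)
        if "d" in tags:
            domains.append(tags["d"].lower())
    return domains

def list_id_domain(msg):
    """Return the identifier inside <...> of the List-Id header, or None."""
    m = re.search(r"<([^<>\s]+)>", msg.get("List-Id", ""))
    return m.group(1).lower() if m else None

def signed_by_list(msg):
    """True if a signature's d= equals the List-Id or is a parent of it.

    Simplification (assumption): a parent must have at least two labels;
    a real receiver would consult a public suffix list instead.
    """
    list_id = list_id_domain(msg)
    if not list_id:
        return False
    return any(
        list_id == d or ("." in d and list_id.endswith("." + d))
        for d in dkim_domains(msg)
    )

# Constructed sample: the author's signature plus the list's own signature.
SAMPLE = """\
DKIM-Signature: v=1; a=rsa-sha256; d=author.example; s=sel1;
 h=from:subject; bh=AAAA; b=BBBB==
DKIM-Signature: v=1; a=rsa-sha256; d=Lists.Example.ORG; s=list;
 h=from:subject:list-id; bh=CCCC; b=DDDD
List-Id: Constructed list <discuss.lists.example.org>
From: someone@author.example
Subject: test

body
"""

if __name__ == "__main__":
    print(signed_by_list(message_from_string(SAMPLE)))
```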

