On Tue, May 6, 2014 at 11:03 PM, Terry Zink <tz...@exchange.microsoft.com> wrote:
> This is more or less John Levine's suggestion from several days ago: it is
> a whitelist. The difference here is that policy is queried via DNS (along
> with a different alignment than the From: address) rather than distributed
> and applied internally as a domain/IP DMARC exclusion list.
>

Ideas like TPA, ATPS and others are essentially whitelists owned by the domain whose mail might get re-signed, versus John's notion of one or more master whitelists for all known potential legitimate re-signers (e.g., mailing list operators). The differences between the two proposals amount to how one queries the whitelist and how one indicates to the receiver that there's reason to query the whitelist in the first place.

ATPS made it to RFC (experimental) status and has open source support, but hasn't seen much uptake. That tells me that this hasn't, at least up until now, been an interesting problem operators have needed to solve.

As I recall, TPA is the same as ATPS except that it establishes stricter requirements on the message in relation to the subject domain, and requires a query 100% of the time. The problem as I see it is that the various additional requirements don't really add much new security; the third-party signature is itself a strong enough signal without also checking that this header field or that one is present.

> The technical implementation of this is not that difficult, I don't think.
> Instead, I think the biggest obstacle is who signs up to maintain and
> support such a list, perhaps indefinitely.
>

Right.

-MSK
_______________________________________________
dmarc-discuss mailing list
dmarc-discuss@dmarc.org
http://www.dmarc.org/mailman/listinfo/dmarc-discuss

NOTE: Participating in this list means you agree to the DMARC Note Well terms (http://www.dmarc.org/note_well.html)
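The DNS side of the ATPS mechanism discussed in the reply above, as an added example that is not part of the original thread and not code from any ATPS implementation: given a third-party DKIM signature that carries the atps= and atpsh= tags, it builds the query name a verifier looks up under the author domain and checks the answer against the signing domain, returning "none" when the signature never asked for the check, which is the "how one indicates to the receiver that there's reason to query" point in the reply. Real DNS is replaced by an in-memory dictionary of constructed records; the domains, selector and signature values are invented; and two details follow my reading of RFC 6541 and are assumptions here: base32 padding is stripped from the label, and a record whose d= tag names a different domain is ignored. The example assumes the DKIM signature itself has already verified.

```python
import base64
import hashlib
import re

# Constructed in-memory substitute for DNS TXT lookups, so this runs offline.
# Key: fully qualified query name (lower case); value: list of TXT strings.
FAKE_DNS_TXT: dict[str, list[str]] = {}


def parse_tags(tag_list: str) -> dict[str, str]:
    """Parse a DKIM-style 'k=v; k=v' tag list (whitespace inside values dropped)."""
    tags = {}
    for part in tag_list.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip()] = re.sub(r"\s+", "", value)
    return tags


def atps_label(signing_domain: str, hash_alg: str) -> str:
    """Left-most label of the ATPS query name (RFC 6541).

    With atpsh=none the signing domain is used as-is; with sha1/sha256 the
    label is the base32 (RFC 4648) encoding of the digest of the lower-cased
    domain. Assumption: trailing '=' padding is stripped so the label is a
    plain hostname label (SHA-256 yields 52 characters, SHA-1 exactly 32).
    """
    domain = signing_domain.lower()
    if hash_alg == "none":
        return domain
    if hash_alg not in ("sha1", "sha256"):
        raise ValueError(f"unsupported atpsh value: {hash_alg}")
    digest = hashlib.new(hash_alg, domain.encode("ascii")).digest()
    return base64.b32encode(digest).decode("ascii").rstrip("=")


def atps_query_name(signing_domain: str, author_domain: str, hash_alg: str) -> str:
    """<label>._atps.<author domain>: the name the author domain must publish."""
    return f"{atps_label(signing_domain, hash_alg)}._atps.{author_domain.lower()}"


def publish_atps_record(author_domain, signer_domain, hash_alg, registry=FAKE_DNS_TXT):
    """What the author domain's DNS operator publishes to authorise one signer."""
    name = atps_query_name(signer_domain, author_domain, hash_alg).lower()
    registry.setdefault(name, []).append(f"v=ATPS1; d={signer_domain}")
    return name


def fake_lookup_txt(name: str) -> list[str]:
    """Stand-in for a DNS TXT query; DNS names are case-insensitive."""
    return FAKE_DNS_TXT.get(name.lower(), [])


def atps_result(dkim_signature: str, lookup_txt=fake_lookup_txt) -> str:
    """Return 'none', 'pass' or 'fail' for one already-verified DKIM signature.

    'none': the signer did not request an ATPS check (no atps= tag), so there
    is nothing to query. Assumption: a missing atpsh= tag is treated as
    'none', and a record whose d= tag names another domain is ignored.
    """
    tags = parse_tags(dkim_signature)
    signer = tags.get("d")
    author = tags.get("atps")
    if not signer or not author:
        return "none"
    name = atps_query_name(signer, author, tags.get("atpsh", "none"))
    for txt in lookup_txt(name):
        record = parse_tags(txt)
        if record.get("v") != "ATPS1":
            continue
        if "d" in record and record["d"].lower() != signer.lower():
            continue
        return "pass"
    return "fail"


# Constructed scenario: example.com authorises the list host lists.example.net.
publish_atps_record("example.com", "lists.example.net", "sha256")

# Constructed signatures (b=/bh= values are placeholders, not real signatures).
SIG_AUTHORISED = (
    "v=1; a=rsa-sha256; c=relaxed/relaxed; d=Lists.Example.NET; s=mlm; "
    "h=from:to:subject:date; atps=example.com; atpsh=sha256; "
    "bh=dGVzdA==; b=c2lnbmF0dXJl"
)
SIG_UNKNOWN_SIGNER = SIG_AUTHORISED.replace("d=Lists.Example.NET", "d=relay.example.org")
SIG_NO_ATPS = SIG_AUTHORISED.replace("atps=example.com; atpsh=sha256; ", "")

if __name__ == "__main__":
    for label, sig in [("authorised list", SIG_AUTHORISED),
                       ("unknown signer", SIG_UNKNOWN_SIGNER),
                       ("no atps tag", SIG_NO_ATPS)]:
        print(f"{label:16} -> {atps_result(sig)}")
```

The three constructed signatures give "pass", "fail" and "none" respectively. The "none" path is the operational difference the reply draws between ATPS and a scheme that queries on every message: here the receiver only does the DNS round trip when the signer has explicitly asked for one.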