J. Gomez writes:

> Hello, I have this comment: What do you think are the probabilities
> that YAHOO/AOL, etc, would go through the trouble of identifying
> and declaring the many third parties needed to be allowed to DKIM
> re-sign their messages, so that YAHOO/AOL users could painlessly
> post to mailing lists in a world where DMARC happened to be widely
> deployed?

First, in the usual case the mailing list is explicitly mentioned in the addressee list at the time it reaches the destination domain, so it automatically becomes a delegate. So there would be no need to specify "t=" in those cases. Nor do I see a serious risk of exploitation, since the implicit list is restricted to the explicit (non-bcc) addressees. DKIM-sign To and Cc, and replay attacks become quite difficult, I should think. I guess these considerations are what Dave meant by "the protocol doesn't require that", but you'd have to ask him. Do you have a specific reason to think explicit delegate lists would commonly be needed?

For your actual question, I can't speak to probability, but I think that it would be reasonably easy to delegate the identification task to the users. Just as many webmail services allow you to "whitelist" senders such as your bank, they could have a separate "delegate" list (probably labeled "mailing lists"). Then the MUA module would generate the "t=" parameter of the DKIM-Delegate header based on the user's whitelist and the addressee fields. I don't see a problem with this from the mailbox provider's point of view, and it would be greatly appreciated by many mailbox users.

_______________________________________________
dmarc mailing list
dmarc@ietf.org
https://www.ietf.org/mailman/listinfo/dmarc
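The delegate logic sketched in the reply above (implicit delegates taken from the explicit To/Cc addressees, an optional user-maintained "mailing lists" whitelist feeding the "t=" list), as an added illustration that is not part of the thread and not the DKIM-Delegate draft's own code. The sample message, the function names and the reading that the whitelist is restricted to domains actually addressed in the message are all assumptions; the wire syntax of the DKIM-Delegate header is deliberately not reproduced here.

```python
import email
from email.utils import getaddresses

# Constructed sample message (not from the thread). There is no Bcc header:
# Bcc recipients never appear in the message, so they can never become
# implicit delegates, which is the exploitation limit the reply relies on.
RAW = """From: alice@example.com
To: discuss@lists.example.org, bob@example.net
Cc: Carol <carol@example.com>
Subject: test

hello
"""


def addressee_domains(raw):
    """Domains named in the explicit (non-Bcc) addressee fields To and Cc.

    These are the implicit delegates: a list that appears here may re-sign
    without any "t=" entry. Signing To and Cc with DKIM keeps this set from
    being altered after the fact.
    """
    msg = email.message_from_string(raw)
    values = msg.get_all("To", []) + msg.get_all("Cc", [])
    return {addr.rsplit("@", 1)[1].lower()
            for _, addr in getaddresses(values) if "@" in addr}


def explicit_delegates(raw, user_list_whitelist):
    """Hypothetical MUA step for the "t=" list (assumption, not the draft's rule):
    the user's whitelisted list domains, restricted to those actually addressed
    in this message, so the whitelist is not leaked and a whitelisted domain
    cannot re-sign a message that was never sent to it."""
    return {d.lower() for d in user_list_whitelist} & addressee_domains(raw)


def is_delegate(raw, user_list_whitelist, resigner_domain):
    """Verifier-side check: would resigner_domain be accepted as a re-signer?"""
    d = resigner_domain.lower()
    return d in addressee_domains(raw) or d in explicit_delegates(raw, user_list_whitelist)


if __name__ == "__main__":
    whitelist = {"lists.example.org", "other-list.example"}
    print(sorted(addressee_domains(RAW)))
    print(sorted(explicit_delegates(RAW, whitelist)))
    print(is_delegate(RAW, whitelist, "other-list.example"))
```

Running it shows that `other-list.example`, although on the user's whitelist, is not a delegate for this message because it was never addressed, while `lists.example.org` and `example.net` are accepted purely from the To field.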