J. Gomez writes:

> given that the "traditional practice of mailing lists adding
> tags to Subject and footers to the message body" breaks DMARC, [...]
> I vote for steam-rolling mailing lists configured old-style
> to the history books. Mailing list operators just need to
> take ownership in the Header-From for the messages whose DKIM
> signature they break, and all is back to working great again!

In most cases it would be inappropriate for mailing lists to take ownership of the messages. They are merely the distribution mechanism, and wrecking (IMHO) the From: header to avoid a verification failure seems the wrong way to go in the long run, even if it has had to be adopted as a workaround in the short run.

As for subject tags and list trailers, at least the former is really helpful to me as a user (sorry, Dave! ;-) ), as it lets me know that a given message is in the context of a public or semi-public discussion.

I'm not against the idea that mailing list software might have to adapt to the new reality (of the need for protection against spoofing), even though there will be a lengthy transition period. But we can also consider whether there are any changes to DKIM which would enable mailing lists not to break, or at least, which would not require changes which negatively affect the user experience for mailing list subscribers.

Please forgive me if this has been discussed before (it seems inconceivable to me that it hasn't), but it should be possible to specify a format for header tags such that the tag is not included in the DKIM signature check for the Subject: line. rfc6376 has:

   Note that Verifiers may treat unsigned header fields with extreme
   skepticism, including refusing to display them to the end user or
   even ignoring the signature if it does not cover certain header
   fields.

Would it be so awful to change that to:

   Note that Verifiers may treat unsigned header fields (or unsigned
   parts of header fields) with extreme skepticism, including refusing
   to display them to the end user, displaying them with an indication
   of unreliability, or even ignoring the entire signature if it does
   not cover certain header fields.

So, risking Dave's wrath once again by discussing possible UI approaches to verification information, if a header tag format were specified (for example) to be contained within square brackets, the UI could display the verified part one way, and the tagged-and-ignored part another way.

I do freely admit that I don't know the implications of making it possible to sign only part of a given header. And I suspect that my suggestion may belong more on a DKIM discussion list than a DMARC discussion list...

Anne.
--
Ms. Anne Bennett, Senior Sysadmin, ENCS, Concordia University, Montreal H3G 1M8
a...@encs.concordia.ca +1 514 848-2424 x2285
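
The Subject-tag problem discussed in this message, as an added example that is not part of the original post or of any DKIM implementation: it applies the "relaxed" header canonicalization from RFC 6376 section 3.4.2 to a Subject before and after a list adds a tag, then to a hypothetical tag-excluding variant. The functions `split_list_tag`, `tag_tolerant_header` and `display_parts`, the leading-bracket tag format, and the sample Subject values are assumptions made for illustration.

```python
import re

WSP_RUN = re.compile(r"[ \t]+")
# ASSUMPTION: the tag format floated in the message, a leading "[...]".
LEADING_TAG = re.compile(r"^[ \t]*(\[[^\[\]\r\n]*\])[ \t]*")


def relaxed_header(name: str, value: str) -> bytes:
    """'relaxed' header canonicalization, RFC 6376 section 3.4.2."""
    value = re.sub(r"\r\n(?=[ \t])", "", value)   # unfold continuation lines
    value = WSP_RUN.sub(" ", value).strip(" ")    # collapse WSP, trim both ends
    return f"{name.strip().lower()}:{value}\r\n".encode()


def split_list_tag(value: str):
    """Return (unsigned_tag_or_None, remainder_that_would_be_signed)."""
    m = LEADING_TAG.match(value)
    return (m.group(1), value[m.end():]) if m else (None, value)


def tag_tolerant_header(name: str, value: str) -> bytes:
    """HYPOTHETICAL, not in RFC 6376: canonicalize with the leading tag excluded."""
    return relaxed_header(name, split_list_tag(value)[1])


def display_parts(value: str) -> str:
    """Render the tag as unverified; nothing in the signature vouches for it."""
    tag, rest = split_list_tag(value)
    rest = WSP_RUN.sub(" ", rest).strip()
    return f"(unverified: {tag}) {rest}" if tag else rest


# Constructed sample Subject values: as signed, and as relayed by a list.
SIGNED = " DKIM and  mailing lists"
RELAYED = " [dmarc-ietf] DKIM and  mailing lists"

if __name__ == "__main__":
    # Today: the added tag changes the signed bytes, so verification fails.
    print(relaxed_header("Subject", SIGNED) == relaxed_header("Subject", RELAYED))
    # With the hypothetical rule the signed bytes match again ...
    print(relaxed_header("Subject", SIGNED) == tag_tolerant_header("Subject", RELAYED))
    # ... but any tag text would match equally, so it must be shown as untrusted.
    print(display_parts(RELAYED))
```

Under the hypothetical rule every possible tag yields the same signed bytes, which is why the bracketed part has to be displayed as unverified rather than alongside the authenticated Subject text.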