Scott Kitterman writes:

 > Approximately as soon as list-id enables DMARC bypass,

It never will.  (BTW, it's List-Post that's relevant.)  It's the
subscriber's action of posting to the list that enables the bypass.
That means that a successful attack of the kind that triggered the
April Fiasco requires an iterated phish: first you have to phish *me*
to post to your list, then you need to modify my post to phish

If you have an alternative threat model in mind, please explain it.

 > the bad guys will start adding it to everything.

They already have, according to Franck.  That doesn't matter, though,
except as it requires more space in the "apparent lists" database.
Again, that's an implementation issue.

dmarc mailing list
