> Mailing lists are supposed to be a closed group.  This means that posts
> should only be accepted if they are verifiably from the subscriber
> indicated in the RFC5322.From address.  This requirement means that a
> list needs a mechanism for verifying the RFC5322.From address, and the
> mechanism needs to be applicable to 100% of the accepted subscriber base.

None of this is true in general.

Some mailing lists operate so that only subscribers can post.  Many do
not.  Even those that do generally do not insist on authentication.
Some will use DMARC policy to determine what the purported From
domain's policy is.  Some do not.

> At present, we have only one official mechanism for verification of
> RFC5322.From, which is DMARC.  However, DMARC is currently limited to
> domains that publish a DMARC policy, and this is a small subset of all
> potential subscriber domains.

Because that's what DMARC is designed for.

> DMARC actually creates a bizarre situation:

DMARC does not create a bizarre situation.  Internet email is
inherently an unauthenticated thing.  DMARC, along with authentication
mechanisms (currently SPF and DKIM), addresses that point in the
manner for which it was designed.  DMARC was not designed to address
it for cases where domains have not chosen to publish DMARC policies.

I believe we have been through this multiple times and that working
group consensus is against you on it.  The working group does not want
to extend DMARC beyond that design point.

Barry

_______________________________________________
dmarc mailing list
dmarc@ietf.org
https://www.ietf.org/mailman/listinfo/dmarc
