> On Nov 27, 2022, at 8:19 PM, Michael Deutschmann <[email protected]> wrote:
>
> (I've noticed the "rechartering" thread, but I don't think it should
> squelch this since I am speaking meta to the replay exploit, not
> suggesting technical measures.)
>
> More than a hundred e-mails have streamed through my in-box lately, all
> about a silly exploit in DKIM. While it is real, I immediately notice
> that it can't really do any damage if the recipient is using DKIM
> *properly*.
>
> It's important to remember that DKIM/DMARC is an anti-forgery protocol,
> not an anti-spam protocol.
>
> There are *two* ways an anti-forgery technique can provide useful input
> to an anti-spam system:
>
> First, if the anti-forgery technique can assert that a message *is*
> forged, and not just failing the test because the alleged sender isn't
> participating, then it is reasonable to ignore any heuristics indicating
> the message is not spam, and fail it.
>
> Second, if the anti-forgery technique asserts the message is genuine, and
> *YOU* *KNOW* *THE* *RECIPIENT* *TRUSTS* *THAT* *SPECIFIC* *SENDER*, then
> it is reasonable to ignore any heuristics indicating the message is spam,
> and pass it.
>
> Going further is folly. Without trust in the identity claimed, all
> anti-forgery-system blessings just become Habeas Haikus (anyone remember
> that?).
>
> Last I looked, DMARC makes no allowance for the mailing list problem;
> either you know none of your users posts to any mailing list or your DMARC
> policy has to be inert.
>
> Practically, only an address from a public e-mail provider can be "forged"
> by the hack. And those providers cannot assume they have no users who use
> mailing lists, so (if sane) their DMARC will always be inert.
Unless I'm misunderstanding, you're saying those with an enforcing DMARC policy can't successfully send to mailing lists. I'm doing it now, so I don't think DMARC has to stay inert with mailing lists. That's a bit of a generalization.

Neil

_______________________________________________
Ietf-dkim mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/ietf-dkim
