On Wed, 7 Dec 2022, Neil Anuskiewicz wrote:
> I wish that certain widely used distribution list software could do the
> same.

So you admit that most mailing lists are not compatible with an enforcing DMARC, so my original point stands.

It's a bit annoying that after almost two weeks, the only responses in this thread have been about this side issue, with my main point unaddressed.

I'm going to try to fight the real problem with a coinage, "Baka-DKIM" (and its cousin "Baka-SPF"). (In case of any Pop Cultural Osmosis Failure here, "Baka" means fool in Japanese.)

Baka-DKIM is the error of upscoring messages for being DKIM signed without caring about *what* the email address being attested actually was. (The avoided "downscore" when DMARC says to enforce signing doesn't count. Still, when the mail is from a stranger, that case must not be in total upscored relative to the no-DKIM and no-DMARC case, everything else equal.)

If your configuration is not Baka, then you have nothing to fear from the replay attack. The replay attack only allows an attacker to pretend to *continue* to own an e-mail address they just lost; it never lets them impersonate someone who already has a good reputation.

If you are Baka but apply a downscore for blind-carbon-copy of equal-or-greater magnitude than your Baka upscore, you are also immune to the replay attack. But you will still be wide open to other spammers.

---- Michael Deutschmann <[email protected]>

_______________________________________________
Ietf-dkim mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/ietf-dkim
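The three scoring policies contrasted in the message above, as an added sketch that is not part of the original post or of any real filter. The policy names, score magnitudes, reputation table, addresses and sample messages are all assumptions constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import getaddresses

# Assumed values, constructed for this example.
REPUTATION = {"known-good.example": 2.0}  # domains with earned history
BAKA_BONUS = 1.0    # flat upscore for any passing signature
BCC_PENALTY = 1.0   # equal in magnitude to the Baka upscore

def dkim_pass_domains(msg):
    """d= domains reported as dkim=pass in Authentication-Results."""
    found = []
    for ar in msg.get_all("Authentication-Results", []):
        found += re.findall(r"dkim=pass\b[^;]*?header\.d=([\w.-]+)", ar)
    return [d.lower() for d in found]

def is_bcc(msg, rcpt):
    """True when the envelope recipient appears in neither To nor Cc."""
    listed = getaddresses(msg.get_all("To", []) + msg.get_all("Cc", []))
    return rcpt.lower() not in {addr.lower() for _, addr in listed}

def score(raw, rcpt, policy):
    """policy: 'baka', 'baka+bcc' or 'reputation' (hypothetical names)."""
    msg = message_from_string(raw)
    domains = dkim_pass_domains(msg)
    if policy == "reputation":
        # Upscore only for what the signing domain has earned.
        return max((REPUTATION.get(d, 0.0) for d in domains), default=0.0)
    total = BAKA_BONUS if domains else 0.0
    if policy == "baka+bcc" and is_bcc(msg, rcpt):
        total -= BCC_PENALTY
    return total

def make(domain, to):
    """Build a constructed sample message."""
    return (f"Authentication-Results: mx.rcpt.example; dkim=pass header.d={domain}\n"
            f"From: sender@{domain}\nTo: {to}\nSubject: constructed\n\nbody\n")

RCPT = "user@rcpt.example"
SAMPLES = {
    "replayed": make("throwaway.example", "seed@mailbox.example"),
    "direct spam": make("throwaway.example", RCPT),
    "trusted": make("known-good.example", RCPT),
}

if __name__ == "__main__":
    for policy in ("baka", "baka+bcc", "reputation"):
        print(policy, {k: score(v, RCPT, policy) for k, v in SAMPLES.items()})
```

Under the flat policy all three samples get the same bonus; adding the BCC penalty cancels it only for the replayed copy, while the reputation-bound policy gives the throwaway domain nothing in either case.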
