On 20/01/2021 10:50, Stefano Bagnara via mailop wrote:
> I'm looking for brainstorming and updated industry "standards" from people
> handling outgoing SMTP services or ESP exporting APIs to "request
> subscriptions" (confirmed opt-in).

For mailing lists, it occurs to me that we should now be at the point where SPF and DKIM are ubiquitous enough that sign-up can be by email only and they should stop accepting sign-up on a website.

To subscribe to a mailing list you should need to send an email (to the "sign-up address") and then your request would result in the usual confirmation process only if your email passes SPF/DKIM (or DMARC). If the sender fails to be authenticated then just discard the request.

If that was implemented everywhere, wouldn't that stop subscription bombing? It would at least stop small Mailman deployments from being abused, and they already have to handle incoming spam so there's no difference there.

The UX is different because you'd have to use mailto: addresses instead of a form on a website but you could decide to trigger that from JavaScript based on the domain they enter (to redirect to alternative special-case flows for different providers).

mailto:list-subscr...@example.com?subject=Your%20ideas%20are%20intriguing%20to%20me,%20and%20I%20wish%20to%20subscribe%20to%20your%20newsletter.

-- 
Simon Arlott
_______________________________________________
mailop mailing list
mailop@mailop.org
https://list.mailop.org/listinfo/mailop
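
An added example, not part of the original message and not Mailman's code: one way the sign-up address could apply the gate proposed above, assuming the receiving MTA stamps an Authentication-Results header with its own authserv-id and strips any inbound header that already carries that id. The authserv-id `mx.lists.example`, the function names and the sample message are constructed; the DKIM and SPF fallbacks use strict alignment (exact domain match with the From header).

```python
import re
from email import message_from_string, policy
from email.utils import parseaddr

TRUSTED_AUTHSERV_ID = "mx.lists.example"  # assumption: id stamped by our own MTA

def _domain(value):
    return value.rsplit("@", 1)[-1].strip("<> ").lower()

def auth_results(msg):
    """Yield (method, result, props) from Authentication-Results headers
    stamped by our MTA; a header with any other authserv-id is sender-supplied."""
    for header in msg.get_all("Authentication-Results", []):
        cleaned = re.sub(r"\([^)]*\)", "", str(header))  # drop comments
        parts = [p.strip() for p in cleaned.split(";")]
        if not parts[0] or parts[0].split()[0].lower() != TRUSTED_AUTHSERV_ID:
            continue
        for part in parts[1:]:
            tokens = part.split()
            if not tokens or "=" not in tokens[0]:
                continue
            method, result = tokens[0].lower().split("=", 1)
            props = dict(t.split("=", 1) for t in tokens[1:] if "=" in t)
            yield method, result, props

def handle_subscribe_request(raw_message):
    """Return the address to send the confirmation to, or None to discard."""
    msg = message_from_string(raw_message, policy=policy.default)
    addr = parseaddr(str(msg.get("From", "")))[1]
    if "@" not in addr or not _domain(addr):
        return None
    from_domain = _domain(addr)
    for method, result, props in auth_results(msg):
        if result != "pass":
            continue
        signer = props.get("header.d", "").lower()
        mailfrom = _domain(props.get("smtp.mailfrom", ""))
        if (method == "dmarc"
                or (method == "dkim" and signer == from_domain)
                or (method == "spf" and mailfrom == from_domain)):
            return addr  # authenticated: start the usual confirmation process
    return None  # unauthenticated: discard silently, send nothing to From

# Constructed sample: a sign-up request as it looks after our MTA has checked it.
SAMPLE = (
    "Authentication-Results: mx.lists.example; dkim=pass header.d=example.org;\n"
    " spf=pass smtp.mailfrom=alice@example.org; dmarc=pass header.from=example.org\n"
    "From: Alice <alice@example.org>\n"
    "Subject: subscribe\n\nsubscribe\n"
)
```

A request that returns `None` produces no outbound mail at all, so a forged From address never receives a confirmation message.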