AFAIK, at the moment, MLMs doing transforms on headers to make messages
DMARC-safe have no reliable way of knowing whether sender domains intended them
to do so or not: there’s a heuristic that just says that in general, a DMARC
domain enforcing an active quarantine or reject policy probably wants
transforms.

Wouldn’t it be nice if you could ask for MLMs to transform, just using a DMARC
policy, even p=none, so that you could test with a live environment containing
MLMs that work around DMARC policy? Or you could ask for *no* transform, even
for p=quarantine or p=reject, so that your DMARC policy can be used to
legitimately restrict usage to directly-sent email?

For me the first is more important: I could make the case for DMARC much more
strongly if I could rely on MLMs to implement a reliable workaround, under
sender control, so DMARC-sceptics could challenge themselves to the actual
consequences of the policy, without their enforcement, or continue to support
traditional forwarding and/or mailing lists as neutral actors while positively
impacting DMARC-safe mail. Without the workarounds being guaranteed, the
current state of play, there’s no DMARC-safe future that works for everybody,
IMO.

It’s reasonable to argue that these workarounds are horrible and I would. It’s
also, unfortunately, everyday reality nowadays with two long-standing freemails
using DMARC and all the major MLMs with support, and I have since been induced
by practical experience to believe that, honestly, what matters for most MLM
users is utility over functional purity. I have had at least one subscriber
tell me that they _prefer_ the Mailman 2.16+ workaround because now they get
the list name in the display name instead of the Subject making it easier to
scan, and they can whitelist the list address to avoid the spam box or get
notifications for list mail. I can’t even make myself care that Reply-to-all is
broken—because that’s inevitably what people want for most lists, anyway.
Heresy, I’m sure. :)

I still think DMARC’s use of the From: header is its biggest failing. Far
better would have been to take the high road and use a dedicated
Authenticated-Sender: (or likewise) header. MUAs would change, to explicitly
distinguish authorship from “sendership”. But we are where we are. I could not
call myself a fan of DMARC; I just think it’s inevitable.

Cheers,
Sabahattin
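
Added example, not part of the original message: a Python sketch of the heuristic described in the first paragraph, where a list manager rewrites From: only when the author's domain publishes p=quarantine or p=reject. The function names, the `is_subdomain` parameter, the Reply-To handling, and the sample records and addresses are assumptions made for illustration; this is not any MLM's own code.

```python
from email.message import EmailMessage
from email.utils import formataddr, parseaddr

def parse_dmarc(txt):
    """Return the tags of a DMARC TXT record as a dict, or None if it is not a DMARC1 record."""
    parts = [p.strip() for p in txt.split(";") if p.strip()]
    first = parts[0].partition("=") if parts else ("", "", "")
    # RFC 7489: v must be the first tag and its value exactly "DMARC1".
    if first[0].strip().lower() != "v" or first[2].strip() != "DMARC1":
        return None
    tags = {}
    for part in parts:
        name, sep, value = part.partition("=")
        if sep:
            tags[name.strip().lower()] = value.strip()
    return tags

def wants_transform(txt, is_subdomain=False):
    """The heuristic: an enforcing policy (quarantine/reject) is read as 'transform wanted'."""
    tags = parse_dmarc(txt or "")
    if tags is None:
        return False  # no usable record: nothing to work around
    policy = tags.get("p", "")
    if is_subdomain:  # record found at the organizational domain: sp overrides p
        policy = tags.get("sp", policy)
    return policy.lower() in ("quarantine", "reject")

def munge_from(msg, list_name, list_addr):
    """Put the list address in From: (list name in the display name); author goes to Reply-To:."""
    name, addr = parseaddr(str(msg["From"]))
    del msg["From"]
    msg["From"] = formataddr((f"{name or addr} via {list_name}", list_addr))
    if "Reply-To" not in msg:  # assumption of this example: keep any existing Reply-To
        msg["Reply-To"] = formataddr((name, addr))
    return msg

def relay(msg, dmarc_txt, list_name, list_addr):
    """Transform only when the heuristic fires; otherwise pass the headers through untouched."""
    return munge_from(msg, list_name, list_addr) if wants_transform(dmarc_txt) else msg

def sample(author):
    """Constructed test message."""
    msg = EmailMessage()
    msg["From"] = author
    msg["Subject"] = "hello"
    return msg

if __name__ == "__main__":
    for record in ("v=DMARC1; p=reject", "v=DMARC1; p=none"):  # constructed records
        print(record, "->", relay(sample("Alice Example <alice@example.org>"), record,
                                   "example-list", "list@lists.example.net")["From"])
```

The p=none case passes through unchanged, which is the gap the message points at: a domain still in monitoring mode has no way to ask for the transform.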