[Mailman-Users] cause of bounces

[Grant Taylor]

On 10/18/2017 12:35 PM, Mark Sapiro wrote:
> DMARC is not the problem. It is perfectly reasonable for say, irs.gov to
> publish DMARC p=reject as long  as mail From: irs.gov is not an
> employees personal post to an email list. Presumably the IRS would have
> rules against that.
> 
> The problem is when general ESPs that provide addresses in their domain
> for anyone to use for any personal purpose publish DMARC p=reject.

I question what the fine line distinction will be for what domains can / 
should use DMARC (or the next disrupting technology).  Further, I 
question why domains that don't qualify, should be excluded from using 
said technology.

I suspect that we should also agree to disagree on this.

> ARC has the potential to help. When say a yahoo.com user posts to a list
> on my server and the list sends the post to a hotmail.com user, ARC
> allows me to certify that Yahoo's DKIM signature was valid when I
> received the mail, then I broke the sig but resigned the mail with my
> domain's sig and sent it on to Hotmail. Now there is a chain by which
> Hotmail can verify my sig and the fact that I certify Yahoo's sig. The
> crux however is Hotmail has to trust me. Now if I'm GoogleGroups,
> Hotmail will probably trust me but if I'm mail.python.org there might be
> a mechanism by which I can ask Hotmail and every other ISP to trust me,
> but is that going to work in practice. I think that remains to be seen.

It sounds like you have the same concern / unknown that I do.  What do I 
need to do to get <someone> to trust my ARC signature.  -  Is ARC 
overloading my published DKIM key without clearly stating that it's 
using it?  Or is there something else that I'm not aware of?  Or is it 
simply a white list, or trust list, type issue.

If it's the latter, I feel like ARC has a design flaw before it even 
gets out of the gate.  I hope that's not the case.



-- 
Grant. . . .
unix || die