On Sun 23/Feb/2025 16:40:00 +0100 Richard Clayton wrote:
> IMO it is not all that simple ...

It may seem complicated because 9 steps are a lot, but it's not more difficult
than COI...

> ... and note that there is a simpler idea
> being discussed (by some of the usual suspects) to use OAUTH2 to
> directly indicate that a sign-up to a newsletter or mailing list is
> authorised ... but there are wrinkles to that as well.

draft-jenkins-oauth-public is a different thing. It's concerned with using
OAUTH2 to authenticate clients. My fix-forwarding idea is about automating
the user's confirmation.

> Perhaps you could elucidate step 9 more clearly
>
> > Example.com recognizes messages that belong to this mail flow by
> > (1) authenticating example.org and (2) checking the List-ID:
> > header field.
>
> what does "authenticating example.org" mean ??

It verifies example.org's signature, either ARC or DKIM. Then it checks whether
the List-ID is in the recipient's "allowlist".

> I think it is what is
> buried in the middle of #6 but I am not 100% sure.

No, Alice's confirmation is just her acknowledging the request.

> also, there's no reason not to use "allowlist" and "blocklist" and I
> suggest you do so to avoid various trans-Atlantic sensitivities.

You may call it "allowlist". The point is that it is a /per-user/ allowlist.
Something like allowing personal address book addresses, but with authentication.

> Also one of the wrinkles I didn't mention above applies here ...
>
> "Receiving domains cannot reject messages belonging to an accepted
> agreement" ... I expect you want that to be a MUST NOT

I meant cannot, for the reasons explained there. A site having p=reject
requires fake messages to be rejected. However, when you receive a message
having "ARC-Authentication-Results: ... dmarc=fail ..." you cannot reject it or
your user will be unsubscribed. That's a mailing list fault. They shouldn't
have accepted that message.

> and that will
> not work out in the case of a shared sending IP because other abuse sent
> from that IP will (sooner or later) cause the IP to be blocked and the
> authorised flow will suffer the same fate as the abusive mail.

No, you do that by domain name, not IP.
Thanks for reading
Ale
--
_______________________________________________
dmarc mailing list -- [email protected]
To unsubscribe send an email to [email protected]
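The step-9 receiver check discussed in the message above (authenticate the forwarder by its DKIM or ARC signature, then match the List-ID against the recipient's per-user allowlist), together with the point that a message in an accepted flow is not rejected merely because the list's ARC-Authentication-Results recorded dmarc=fail, as an added example that is not part of this thread or of the draft. It assumes a real DKIM/ARC verifier (outside this file) supplies the set of domains whose signatures validated, and it replaces the _dmarc DNS lookup with a constructed policy table; the addresses, the allowlist and the sample message are all constructed.

```python
"""Receiver-side recognition of an authorised mailing-list flow (step 9).

Added example, not code from the dmarc list thread.  Two checks decide that a
message belongs to an accepted agreement: (1) the forwarder's domain is
authenticated by a verified DKIM or ARC signature, (2) the List-ID is one this
particular recipient confirmed.  Signature verification is assumed to happen
in a real verifier; its output is passed in as `verified_domains`.
"""
import re
from email import message_from_string

# Constructed per-user allowlist: recipient -> {(authenticated forwarder, List-ID)}.
ALLOWLIST = {
    "alice@example.com": {("example.org", "<users.example.org>")},
    "carol@example.com": set(),          # Carol never confirmed any list
}

# Constructed stand-in for the sender domains' published DMARC policies.
DMARC_POLICY = {"sender.example": "reject", "example.org": "none"}


def address_domain(header_value):
    """Domain part of the first address in a From: header (lower-cased)."""
    m = re.search(r"@([A-Za-z0-9.-]+)", header_value or "")
    return m.group(1).lower() if m else ""


def parse_auth_results(value):
    """Reduce an (ARC-)Authentication-Results value to {method: result}.
    'i=1', the authserv-id and property pairs (header.d=...) are skipped."""
    results = {}
    for clause in (value or "").split(";"):
        m = re.match(r"\s*([a-z]+)=([a-z]+)\b", clause)
        if m:
            results[m.group(1)] = m.group(2)
    return results


def dmarc_passes(from_domain, verified_domains):
    """Exact-or-subdomain alignment between RFC5322.From and a verified
    signer (real relaxed alignment uses the organizational domain)."""
    return any(from_domain == d or from_domain.endswith("." + d)
               for d in verified_domains)


def classify(raw_message, verified_domains, recipient):
    """Return (verdict, note) for one message delivered to `recipient`.

    verified_domains: domains whose DKIM or ARC signature validated, as
    reported by the real verifier (not computed here)."""
    msg = message_from_string(raw_message)
    from_domain = address_domain(msg["From"])
    m = re.search(r"<[^>]+>", msg["List-ID"] or "")
    list_id = m.group(0) if m else ""
    aar = parse_auth_results(msg["ARC-Authentication-Results"])

    # Step 9: forwarder authenticated AND List-ID confirmed by this user.
    # Such messages belong to an accepted agreement and are not rejected,
    # even though the From domain's own authentication broke in transit.
    for forwarder, allowed_list in ALLOWLIST.get(recipient, ()):
        if forwarder in verified_domains and list_id == allowed_list:
            if aar.get("dmarc") == "fail":
                # The list accepted a message that already failed DMARC at
                # its ingress: flag it to the list operator instead of
                # rejecting (a reject would get the user unsubscribed).
                return "accept", "agreement; report dmarc=fail at list ingress"
            return "accept", "agreement"

    # Otherwise ordinary DMARC evaluation under the sender's policy.
    if dmarc_passes(from_domain, verified_domains):
        return "accept", "dmarc=pass"
    policy = DMARC_POLICY.get(from_domain, "none")
    if policy == "reject":
        return "reject", "dmarc=fail p=reject"
    return "accept", "dmarc=fail p=" + policy


# Constructed sample: a post relayed by the list; subject tagging broke Bob's
# own DKIM signature, so only example.org's ARC/DKIM signature still validates.
VIA_LIST = """\
From: Bob <bob@sender.example>
To: users@example.org
List-ID: Users list <users.example.org>
ARC-Authentication-Results: i=1; example.org; dkim=pass header.d=sender.example; dmarc=pass header.from=sender.example
Subject: [users] hello

body
"""

if __name__ == "__main__":
    print(classify(VIA_LIST, {"example.org"}, "alice@example.com"))
    print(classify(VIA_LIST, set(), "alice@example.com"))          # no forwarder signature
    print(classify(VIA_LIST, {"example.org"}, "carol@example.com"))  # not in Carol's allowlist
```

The recognition is keyed on the authenticated forwarder domain plus the List-ID, never on a sending IP, which is what lets the authorised flow survive an IP shared with abusive traffic; a List-ID alone is not enough, so a message carrying the right List-ID without a validating example.org signature falls through to ordinary DMARC evaluation.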