On 2024-04-12 at 19:01:21 UTC-0400 (Fri, 12 Apr 2024 19:01:21 -0400) Greg Troxel <g...@lexort.com> is rumored to have said:
> Also, I'm not sure you said this, but I would say:
>
> default whitelist is dkim only

No. Existing practice is that we trust both DKIM and SPF, and I think that's fine. There are no unauthenticated listings extant in the default rules and no new ones should ever be created.

> This means
>
> All existing entries are converted to dkim as well as we can, not
> worrying if they break. We'll prune ones that don't work as dkim,
> and add a signing domain as we figure it out, as a lightweight
> thing. But all non-dkim entries go away.
>
> to consider a new entry, it must be dkim
>
> or maybe that's already true

s/dkim/authenticated/ and it's already true.

This is part of how the default welcomelist has lost alignment with its origins. The original was a tactical mitigation against heavy phishing in a largely unauthenticated-sender world, deployed in part to forestall extreme responses to the problem of everyone claiming to send Paypal notifications to everyone.

--
Bill Cole
b...@scconsult.com or billc...@apache.org
(AKA @grumpybozo and many *@billmail.scconsult.com addresses)
Not Currently Available For Hire