
Quoting Craig Sanders via luv-talk (luv-talk@luv.asn.au):
> DMARC fundamentally broken if it uses the From: header instead of the envelope From address.

What can I say? I dislike the scope of what DKIM / DMARC aspires to cover.

> And there is never **any** excuse for munging the Reply-To: header. Doing that is broken, and has been known to be broken for many years.

{shrug} I've been singing in that choir long enough that I'm not sure even how long it's been since I joined it, just that my vocal cords are sore.

> I guess I'm not telling you anything you don't already know, but SPF works because it doesn't care about headers.

What can I say? I like SPF exactly for its modest tailoring of scope. ;->

> If the list admin is worried about subscriber forgery then the list server can check SPF on incoming messages.

If I had my way, everyone would do SPF and be at least a little leery of DKIM / DMARC / DomainKeys. But rejections based on DKIM / DMARC / DomainKeys are nonetheless likely to start being a real pragmatic problem, and unfortunately are likely to require pragmatic measures. I don't like those, either (so far), but must acknowledge the real-world problem.

> How about a domain-keys derivative that restricts itself to checking the envelope From address as it should? From: headers are comments, not addressing information.

That'd be nice. We could call it Sort-of-like SPF. ;->

-- 
Cheers,
Rick Moen
rick@linuxmafia.com
McQ! (4x80)

"If you see a snake, just kill it. Don't appoint a committee on snakes." -- H. Ross Perot
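
Added example, not part of the original message or of any project mentioned in it: a sketch of the identity each mechanism keys on, showing SPF authenticating the envelope sender while DMARC additionally requires that domain (or a verified DKIM `d=` domain) to align with the From: header. The addresses, the sample message, and the function names are constructed for illustration; the SPF and DKIM verdicts are passed in as already-verified inputs, and relaxed alignment is approximated by a subdomain match rather than the Public Suffix List.

```python
from email import message_from_string
from email.utils import parseaddr


def domain(addr):
    """Lower-cased domain part of an address such as 'Name <user@host>'."""
    return parseaddr(addr)[1].rpartition("@")[2].lower()


def aligned(a, b, strict):
    """Strict: identical domains. Relaxed is approximated here by a
    subdomain match; real DMARC uses the Public Suffix List instead."""
    if strict or a == b:
        return a == b
    return a.endswith("." + b) or b.endswith("." + a)


def evaluate(envelope_from, raw_message, spf_pass, dkim_pass_domains, strict=False):
    """Combine pre-verified SPF/DKIM verdicts into a DMARC-style result.

    spf_pass: SPF verdict for the envelope sender's domain (assumed input).
    dkim_pass_domains: d= domains whose signatures verified (assumed input).
    """
    header_from = domain(message_from_string(raw_message)["From"])
    spf_domain = domain(envelope_from)
    spf_ok = spf_pass and aligned(spf_domain, header_from, strict)
    dkim_ok = any(aligned(d.lower(), header_from, strict) for d in dkim_pass_domains)
    return {"header_from": header_from, "spf_domain": spf_domain,
            "spf_aligned": spf_ok, "dkim_aligned": dkim_ok,
            "dmarc_pass": spf_ok or dkim_ok}


# Constructed sample message; every address here is a placeholder.
MESSAGE = (
    "From: Alice <alice@example.org>\n"
    "To: list@lists.example.net\n"
    "Subject: [list] hello\n"
    "\n"
    "body\n"
)

# Direct delivery: envelope sender and From: header share a domain.
DIRECT = evaluate("alice@example.org", MESSAGE, True, ["example.org"])

# List redistribution: the list's own envelope sender passes SPF, but the
# From: header still names the author's domain. Assumes no aligned DKIM
# signature verified on the redistributed copy.
VIA_LIST = evaluate("list-bounces@lists.example.net", MESSAGE, True, [])
```
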