Fancy testing an email authentication protocol? Fix-forwarding

Hi all,

bear with me for a quick recap, please (or skip to the next paragraph.) SPF arose around 2000 and became popular within a few years. However, SPF breaks forwarding. So, as an authentication alternative, DomainKeys came along, which became DKIM in 2007. However, DKIM lacks a policy. It merely permits a domain "to claim some responsibility for a message". Policy discussions began in 2007 with DKIM Sender Signing Practices (SSP), which became ADSP in 2008, was published in 2009 and became historic in 2013. DMARC started in 2012, non-standard publication is in 2015, standard publication is expected later this year, after 11+ years of IETF discussion. However, DMARC breaks mailing lists. To address "the issues with indirect mail flows", the DMARC WG came up with the ARC protocol, 2019, a flop.

A new protocol, codenamed DKIM2, is taking shape at the IETF now. It is intended to solve not only the mailing list problem, but also DKIM replay and the backscatter generated by provisionally accepted messages that are then bounced. However, DKIM2 is unlikely to become widespread quickly, in part because of the changes it requires at the SMTP level.

The reason why ARC has not been successful is that it isn't clear how to distinguish a legitimate forwarder from a malicious one, both of which ARC-seal. In fact, an attacker can produce an ARC set that is the last one after a chain composed of any domains she wants.

IMHO, the only solution is to ask the recipient, for each forwarded flow, including mailing lists, whether it is wanted. I drafted a protocol for this, but I didn't have a chance to discuss it in the DMARC WG because, after years, it closed in a hurry. Other WGs or the ISE are not inclined to consider proposals that no one has implemented yet.

So I'm looking for aspiring pioneers for this protocol (or at least figure out what would be wrong with it.)

https://datatracker.ietf.org/doc/html/draft-vesely-fix-forwarding

Fancy?

Best
Ale
participants (1)
-
Alessandro Vesely