by mjevans 1372 days ago
I think the workflow is the issue with http(s)-based email list sign-ups.

Solution: Require sign-ups by email, so the end account must actively send your mailserver a registration message. This also turns an open-loop control system into a closed loop control system, which is inherently easier to secure / keep safe.


How would this be better? It's trivially easy to spoof email addresses. Someone could sign you up easily, for example.

It's also easy to send "from" an address that passes SPF/DKIM but bounces inbound mail -- not sure what reason someone would have for this other than hurting the service reputation or acting as a DoS of sorts, but it can be done.

> It's trivially easy to spoof email addresses. Someone could sign you up easily, for example.

Proper DMARC configuration is table stakes to send e-mail, which makes that anything but trivial.

But neither the newsletter host nor the email user has any input into how dmarc/dkim/spf are implemented. Only the user's email provider does. And if that's a small business domain, it's likely not very strict with the rules.

I thought DMARC/DKIM was necessary for delivering to Gmail for years now; in any case, there should be few who can't use a backup email to subscribe, as your newsletter won't be the only thing that has these anti-spoof requirements.

Not necessary. Just very highly recommended. I can still deliver my cron emails from a rando host successfully.

That doesn't rule out DKIM, which only requires the `From:` header's domain to list a pubkey and the email to include a DKIM signature from a matching private key. SPF is the one that regulates which hosts a domain's outbound SMTP servers are on.
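
Added example, not part of the thread: a sketch of how a list server taking sign-ups by email could gate them on the DMARC verdict its own inbound MTA recorded, so that spoofed mail and mail from domains without a DMARC policy never subscribes anyone and never triggers a reply. The authserv-id `mx.lists.example`, the addresses and the sample messages are constructed assumptions, the `Authentication-Results` parsing is simplified (no handling of parenthesised comments), and the MTA is assumed to strip inbound headers that carry its own authserv-id.

```python
import re
from email import message_from_bytes, policy
from email.utils import parseaddr

TRUSTED_AUTHSERV_ID = "mx.lists.example"  # assumption: id stamped by our own inbound MTA

def dmarc_verdict(msg, authserv_id):
    """Return (dmarc_result, header.from domain) from the top-most trusted header."""
    for value in msg.get_all("Authentication-Results", []):
        parts = [p.strip() for p in str(value).split(";")]
        ident = parts[0].split()
        if not ident or ident[0].lower() != authserv_id:
            continue  # stamped by another host: the sender could have written it
        for clause in parts[1:]:
            m = re.match(r"dmarc\s*=\s*(\w+)", clause, re.I)
            if m:
                dom = re.search(r"header\.from\s*=\s*([\w.-]+)", clause, re.I)
                return m.group(1).lower(), (dom.group(1).lower() if dom else None)
        break  # only the top-most trusted header counts
    return "none", None

def decide_subscription(raw, authserv_id=TRUSTED_AUTHSERV_ID):
    """Subscribe the From: address only when our MTA recorded dmarc=pass for its domain."""
    msg = message_from_bytes(raw, policy=policy.default)
    froms = msg.get_all("From", [])
    if len(froms) != 1:
        return ("reject", None)  # missing or repeated From: is ambiguous
    addr = parseaddr(str(froms[0]))[1].lower()
    if addr.count("@") != 1:
        return ("reject", None)
    result, hdr_domain = dmarc_verdict(msg, authserv_id)
    if result == "pass" and hdr_domain == addr.split("@")[1]:
        return ("subscribe", addr)
    return ("reject", None)  # fail, none, or unverifiable: never subscribe, never reply

def sample(auth_results, sender="alice@user.example"):
    """Constructed sample message, not real traffic."""
    return (f"Authentication-Results: {auth_results}\r\nFrom: Alice <{sender}>\r\n"
            "To: subscribe@lists.example\r\nSubject: subscribe\r\n\r\nsubscribe\r\n").encode()

ALIGNED = sample("mx.lists.example; dkim=pass header.d=user.example; dmarc=pass header.from=user.example")
SPOOFED = sample("mx.lists.example; spf=fail smtp.mailfrom=user.example; dmarc=fail header.from=user.example")
NO_POLICY = sample("mx.lists.example; dmarc=none header.from=user.example")
FORGED_HDR = sample("mx.other.example; dmarc=pass header.from=user.example")

if __name__ == "__main__":
    for name in ("ALIGNED", "SPOOFED", "NO_POLICY", "FORGED_HDR"):
        print(name, decide_subscription(globals()[name]))
```

Only the aligned message subscribes; a sender whose domain publishes no DMARC policy is rejected, so that user would have to subscribe from another address.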