On 8/24/2014 4:20 PM, Matt Simerson via dmarc-discuss wrote:
>> And the argument that it eliminates phishing is just wrong.
> 
> Yes, and your straw man is wearing no clothes. I stated that phishing
> abuse for *my* domains has been *reduced* in both volume and

There is an important difference between 'eliminated' and 'reduced'.

That difference tends to be lost in these discussions, yet the
difference means that we need to carefully consider cost/benefit
tradeoffs, rather than assuming that DMARC is an absolute benefit.

For reference, it's also important to distinguish between one's
first-hand experience and what is experienced across the Internet.  It's
not that one's own experience is not relevant.  It's that it is not
definitive.


> duration, and I attributed that change to implementing a p=reject
> DMARC policy. Before DMARC, I got lots of bounce messages, now I get
> DMARC reports during phish attempts.
> 
>> I get just as many phishing emails as I did before AOL and Yahoo
>> instituted DMARC p=reject.
> 
> These are *not* mutually exclusive experiences.

Exactly.  And seeking to reconcile them requires juggling trade-offs and
carefully considering alternatives.


> DMARC only blocks phish *from* domains that publish strong DMARC
> policies to receivers that validate and enforce those strong
> policies.

That statement is simply and seriously incorrect.

All sorts of phishing still gets through, relative to DMARC's protection.

And if that observation is not clear to anyone reading this note, then I
strongly urge them to learn more about the various and sophisticated
ways that phishing is performed.

Let me emphasize that I'm not quibbling DMARC fine points.  I'm pressing
for diligently understanding the limits of its benefits.


d/
-- 
Dave Crocker
Brandenburg InternetWorking
bbiw.net
_______________________________________________
dmarc-discuss mailing list
dmarc-discuss@dmarc.org
http://www.dmarc.org/mailman/listinfo/dmarc-discuss

NOTE: Participating in this list means you agree to the DMARC Note Well terms 
(http://www.dmarc.org/note_well.html)
