Dear John, Comments inline: On Jun 20, 2014, at 8:07 AM, John Levine <jo...@taugh.com> wrote:
>> Also, it's a dance to put more policy data into the DNS in any form. The >> "DNS people", as we appear to like to call them, don't like use of DNS to >> store policy data even though it's extremely convenient for us to do so. >> At a minimum, if we try to do that with TXT records again, we can expect a >> huge amount of friction. We need to be sure that battle is worth having, >> and I'm not convinced that it is given the caveats above and in Stephen's >> email. > > I don't see that as a problem. We already have RFC 5518 vouch by > reference which is very close if not identical to what you'd need > here. Strongly disagree. DMARC is an anti-phishing solution deployed by financial institutions interested in suppressing phishing attacks. Phish related fraud was not effecting their bottom-line, it was customer loss resulting from phish related abuse that drove this effort to protect the From address. DMARC is not about dealing with high volume spam. Especially since methods for dealing with spam are wholly ineffective against phish. We offer similar anti-phishing services for corporate customers. Reputation had proved hopelessly ineffective. The issue is rather simple. Only the sending domain knows with certainty when their From address is being spoofed. As such, content of the From address can not be effectively assessed by third-party reputation services, nor are normal spam collection techniques comprehensive or effective. DMARC feedback provides what is needed but contains PII and should not be generally shared with various third-parties. Although users may have never sent a message to a mailing-list, DMARC rejection will expose who subscribed to which mailing list nevertheless. Since third-party allowances are absolutely critical for maintaining user privacy, TPA-Label expects this information be directly provided by the DMARC domain. Publication can be easily delegated, but only the DMARC domain is authoritative about which services are being used or which of these services are abusing their From headers. >> Finally, no DNS-based third party whitelisting scheme has ever gotten any >> traction. > > That, on the other hand, is a problem. While meeting with management in Europe, it seems there is some interest in our company in offering a TPA-Label zone as a service for DMARC domains. Those interested can contact me privately for appropriate contacts in their area. Perhaps this will also assuage Stephen's DNS related issues. Publishing in DNS should never be an issue for mailing-lists. I will attempt to create a draft outlining how a subscription process can send a request via DMARC feedback for authorizations to be granted. It seems wrong to suggest that Yahoo and AOL will be the only domains able to benefit by enhanced anti-phishing strategies, and that this issue will soon fade. Unless DMARC is able to ensure adoption of its recommended handling does not result in service disruption or massive complaints, a reject recommendation will quickly devolve into a far less effective quarantine. If this further devolves into discardable, it will significantly erode email integrity and its usefulness as offering effective notifications. Regards, Douglas Otis _______________________________________________ dmarc mailing list dmarc@ietf.org https://www.ietf.org/mailman/listinfo/dmarc
