On Tuesday, March 24, 2015 1:54 AM [GMT+1=CET], Stephen J. Turnbull wrote: > J. Gomez writes: > > > Verifiable authenticity of email greatly depends on DMARC's > > success. Because without DMARC's success the authenticity of email > > can only be verified heuristically and not systematically. > > This is an error of logic. *Authenticity* (defined as "did the > message satisfy DMARC From alignment when injected?") of *each* > message *can* be verified independently of other messages, and if From > alignment is verified, the message *is* authentic (modulo black > helicopters with 4096-bit encryption breaking equipment). It's what > to think about non-verifiable mail that becomes unclear.
I think we are not talking about the same thing: when I said "depends on DMARC's success", I meant "depends on DMARC's success as an implemented technology in the real world", whereas it seems you understood "depends on a successful DMARC check". So I say it again, now in fully qualified terms: Verifiable authenticity of email greatly depends on DMARC's success as an implemented technology in the real world. > Since the "important" mail is direct mail, From alignment will be > preserved until received by the addressee. Therefore list behavior > only affects DMARC verifiability of list traffic, *not* those other > mail flows, as far as I can see. I explain: if mailing-lists configured old-style keep DMARC from being a success in the real world, then mailing-lists are hindering the extra notch of trustworthiness that DMARC could bring to important email communications for end users as a whole. So it's not about individual messages, as you seem to be talking about, but about the big picture. And it is that big picture which is begging for mailing-lists operators to abandon their old-style practices and to begin to take ownership in the Header-From of the email they relay and modify while in-flight rendering its original DKIM signature invalid. > The "requirement" you propose is not implementable in a software > system alone, whether it is satisfied or not cannot be verified from > the behavior of software alone, and therefore cannot be posited as a > requirement in the sense used in software engineering. I know that DMARC is not the silver bullet. That's way I said it "brings an extra notch of trustworthiness" to email, I didn't say DMARC brings final and ultimate trustworthiness. Regards, J.Gomez _______________________________________________ dmarc mailing list dmarc@ietf.org https://www.ietf.org/mailman/listinfo/dmarc