On Mon, Apr 13, 2015 at 12:58 AM, Stephen J. Turnbull <turnb...@sk.tsukuba.ac.jp> wrote:

> Douglas Otis writes:
>
>  > If the DMARC domain fails to step up, then a reasonable fallback
>  > could require the display of the Sender header offering the needed
>  > alignment.
>
> I don't understand this.  We already see that most professional
> spammers exhibit From alignment on much of their traffic.  Sender
> alignment is just as easy to implement, even if we could expect MUAs
> to conform to the "required display of Sender field".  Users do not
> understand the Sender field as far as I can tell.
>

To the extent comprehensible, TPA is meant to allow author A to tell
receiver B that mail that has C in (for example) the List-ID field should
be treated as though it came from A.  However, I concur that it means an
impostor can simply do what the TPA record says and thereby succeed; few of
the properties TPA identifies are authenticated in any way.  It might be
helpful to get alignment working through paths that invalidate SPF or DKIM,
but compared to the fact that it basically advertises how to get a "pass"
in an invisible way, it's more scary to me than not.  Now, if that isn't
the case, then I suggest the document falls short of explaining how this is
not an attack vector.

Also, Doug insists that this is not registration, but I don't know how he
can claim this since it requires a DNS entry for every {A, C} pair that
exists which must then be queried by every B that might receive mail from
C.  Unless I'm not understanding use of the term, that's exactly how I
believe we've been using "registration" lately, and the argument on the
table is that any registration scheme is basically a non-starter for
operators for which the cardinality of AxC is or could be large.

As I've pointed out before, ATPS, DSAP, and all other earlier proposals
that required a registration step have also been non-starters.  I'm not
picking on TPA here; I'm saying this entire family of solutions is probably
not the best use of our time, and I suggest there's empirical evidence to
support that claim.

-MSK
_______________________________________________
dmarc mailing list
dmarc@ietf.org
https://www.ietf.org/mailman/listinfo/dmarc
