On Mon, Apr 13, 2015 at 12:58 AM, Stephen J. Turnbull < turnb...@sk.tsukuba.ac.jp> wrote:
> Douglas Otis writes: > > > If the DMARC domain fails to step up, then a reasonable fallback > > could require the display of the Sender header offering the needed > > alignment. > > I don't understand this. We already see that most professional > spammers exhibit From alignment on much of their traffic. Sender > alignment is just as easy to implement, even if we could expect MUAs > to conform to the "required display of Sender field". Users do not > understand the Sender field as far as I can tell. > To the extent comprehensible, TPA is meant to allow author A to tell receiver B that mail that has C in (for example) the List-ID field should be treated as though it came from A. However, I concur that it means an impostor can simply do what the TPA record says and thereby succeed; few of the properties TPA identifies are authenticated in any way. It might be helpful to get alignment working through paths that invalidate SPF or DKIM, but compared to the fact that it basically advertises how to get a "pass" in an invisible way, it's more scary to me than not. Now, if that isn't the case, then I suggest the document falls short of explaining how this is not an attack vector. Also, Doug insists that this is not registration, but I don't know how he can claim this since it requires a DNS entry for every {A, C} pair that exists which must then be queried by every B that might receive mail from C. Unless I'm not understanding use of the term, that's exactly how I believe we've been using "registration" lately, and the argument on the table is that any registration scheme is basically a non-starter for operators for which the cardinality of AxC is or could be large. As I've pointed out before, ATPS, DSAP, and all other earlier proposals that required a registration step have also been non-starters. I'm not picking on TPA here; I'm saying this entire family of solutions is probably not the best use of our time, and I suggest there's empirical evidence to support that claim. -MSK
_______________________________________________ dmarc mailing list dmarc@ietf.org https://www.ietf.org/mailman/listinfo/dmarc