-------- Original message --------From: "Douglas E. Foster" <fost...@bayviewphysicians.com> Date: 6/3/19 9:59 AM (GMT-05:00) To: dmarc@ietf.org Subject: [dmarc-ietf] Mandatory Sender Authentication Our real goal needs to be mandatory sender authentication. Any secure email gateway must go through these steps:
Source Analysis: Filter message from unwanted sources Sender Authentication: Filter messages that are attempting impersonation Content Analysis: Filter messages with unwanted content Content filtering always requires exceptions, and those exceptions are granted based on the sender. Such exceptions are only safe and appropriate if the sender is verifiable. If the exception is applied to an unverified sender, it is possible for a spamming impersonator to gain the elevated trust and reduced filtering which was only intended for the trusted sender. So Sender Authentication needs to become mandatory: Senders MUST implement SPF or DKIM, and SHOULD implement both. Although the MX list becomes a default SPF list for those who do not publiish a policy. MTAs MUST ensure that DKIM signatures remain verifiable. If they are unwilling or uinable to do so, they should reject the message with a PermError. Forwarders MUST either forward with breaking DKIM signatures, rewrite messages under their own identity, refuse the message, or discard the message as spam. IETF MUST provide a way for intermediate systems (both spam filters and list fowarders) to insert content under their own signature, without breaking original signatures. This will have implications for MUAs.. Sure it will be hard, but has this not been what you have been trying to achieve for 15 years? SPF and DKIM provided the enabling technology, but they were deployed as sender options. Doug Foster
_______________________________________________ dmarc mailing list dmarc@ietf.org https://www.ietf.org/mailman/listinfo/dmarc