-------- Original message --------From: "Douglas E. Foster"
<fost...@bayviewphysicians.com> Date: 6/3/19 9:59 AM (GMT-05:00) To:
dmarc@ietf.org Subject: [dmarc-ietf] Mandatory Sender Authentication Our real
goal needs to be mandatory sender authentication. Any secure email gateway
must go through these steps:
Source Analysis: Filter message from unwanted sources
Sender Authentication: Filter messages that are attempting
impersonation
Content Analysis: Filter messages with unwanted content
Content filtering always requires exceptions, and those exceptions are granted
based on the sender. Such exceptions are only safe and appropriate if the
sender is verifiable. If the exception is applied to an unverified sender,
it is possible for a spamming impersonator to gain the elevated trust and
reduced filtering which was only intended for the trusted sender.
So Sender Authentication needs to become mandatory:
Senders MUST implement SPF or DKIM, and SHOULD implement both.
Although the MX list becomes a default SPF list for those who do not publiish a
policy.
MTAs MUST ensure that DKIM signatures remain verifiable. If they are
unwilling or uinable to do so, they should reject the message with a PermError.
Forwarders MUST either forward with breaking DKIM signatures, rewrite
messages under their own identity, refuse the message, or discard the message
as spam.
IETF MUST provide a way for intermediate systems (both spam filters and
list fowarders) to insert content under their own signature, without breaking
original signatures. This will have implications for MUAs..
Sure it will be hard, but has this not been what you have been trying to
achieve for 15 years? SPF and DKIM provided the enabling technology, but they
were deployed as sender options.
Doug Foster
_______________________________________________
dmarc mailing list
dmarc@ietf.org
https://www.ietf.org/mailman/listinfo/dmarc
