Scott, Thank you!
>>I think the bar to convince me that it's okay to throw away aligning to 
>>5322.From is in scope for the working group is really
>>high when the charter defines DMARC as "Domain-based Message Authentication, 
>>Reporting & Conformance (DMARC) uses
>>existing mail authentication technologies (SPF and DKIM) to extend validation 
>>to the RFC5322.From field".

Two weeks ago, John Levine reminded us that DMARC v1 was already deployed and
this effort was to perfect the wording. Suddenly, we have a small but
powerful group insisting that we discard DMARC v1 and turn it into DMARC v2.

This discussion has reviewed the success of DMARC v1, how it has limited a
whole category of attacks and has helped with law enforcement takedowns. But
now John Levine wants me to prove that From alignment is important to "most of
us", a term I used to include myself in the group that has benefited from DMARC
v1. Apparently historical results are not relevant.

The supporters of DMARC v2 can certainly navigate the IETF process, but I
cannot imagine that Google and PayPal, who created DMARC v1, will jump on your
bandwagon. Nor can I imagine the US Government, which is requiring DMARC v1
rollout now, will jump on the v2 bandwagon based on the evidence presented in
this discussion so far.

I live with the knowledge that every day my mail stream is allowing through
unwanted and potentially hostile content because the email filtering problem is
so difficult. I know that only one hostile message needs to penetrate to
trigger an attack that destroys my organization. It galls me that some of
that criminal content comes from a billion-dollar U.S. company, which acts as
facilitator for the crooks. "From" is the one identity in those messages
that allows me to filter the utility company mail from the bank fraud email.
So, yes, FROM is very important to me.

I have pointed out that the mailing list problem can be largely solved with
user-specific delivery options in the MLM, but that has so far been ignored.
However, to support any transition to DMARC v2, MLMs will need user-specific
delivery options to distinguish those recipients that support the new design
from those who do not. So MLM readiness is not a small issue.


dmarc mailing list
