On Mon, Jul 20, 2020 at 5:44 AM Benny Lyne Amorsen <benny+use...@amorsen.dk> wrote:
> "Douglas E. Foster" <fost...@bayviewphysicians.com> writes: > > > Ultimately, this becomes a question of power. Do domain owners have > > the right, with the help of their correspondents, to prohibit spoofing > > (unauthorized use) of their digital identity? > > Domain owners are free to use the court system to assert trademark > rights and copyright. They are also free to apply whichever seals of > digital identity that they want, of course. > > > Or since they are technically leaseholders, not owners, are their > > rights conditional? > > You seem to be laboring under the impression that domain owners have a > right to compel mail recipients to respect a DRM scheme. This is not the > case. You can try to sue Google to force them to reject incoming email > with your domain in the From: field and no valid DKIM (or whatever) > signature, of course, but I have a hard time imagining which right you > would assert to make the suit successful. > > DMARC clearly recognizes and documents local policy. > > Specificslly, do Internet insiders have the right to declare their > > spoofing control efforts to be based on foolish premises, both > > unnecessary and inconvenient, and therefore not allowed? > > No one, certainly not "Internet insiders" of which I am certainly not > one, is stopping you from doing whichever spoofing control efforts you > want on your systems. > One might point to the fact that DMARC was just such an effort before it was publicly published. While there was much criticism of this when it was submitted to the IETF - "You just want us to rubber stamp this" - there was no such intent. It had worked well within the group of senders and receivers implementing it through private peering that the effort was made so that any domain of any size, both senders and receivers, could implement it if so desired. I think the adoption rate in the wild speaks for itself (volume of mail covered by DMARC). > > Feel free to keep p=reject on your domains. Many mail servers will keep > using that as a signal among many others, rather than as a blanket > reject. > > If you want recipient mail servers to change that policy you can either > do it by convincing their administrators or by getting a law passed. So > far you appear to favour the latter approach, with your focus on > "prohibit" "unauthorized use" and "rights". The IETF is not a lawmaking > body, so it appears there are better venues for you. > You have left out one significant way of convincing receiver domains and their admins. We used to have our CSRs (customer service) tell people who received spoof emails (resulting in phishing, malware compromise, etc.) from emails claiming to be from our domains that they should contact their mail provider or email admin because the problem could have been avoided if DMARC were being checked. We would even provide them with the details and a form with all the information in non-technical terms. It is amazing how quickly a provider pays attention when their customers/users are complaining to them that the provider could have prevented the heartache and grief but chose not to. Again, this was for domains sending transactional mail with only a limited number (intentionally) of role and support accounts. While IETF is not a lawmaking body, it has an impact on the decisions of lawmaking bodies just as the decisions of lawmaking bodies can impact the implementation of standards. One need only look at the "great firewall of China" as one example. Michael Hammer
_______________________________________________ dmarc mailing list dmarc@ietf.org https://www.ietf.org/mailman/listinfo/dmarc
