On Sat 15/Aug/2020 20:12:18 +0200 Dave Crocker wrote:
> On 8/15/2020 3:32 AM, Alessandro Vesely wrote:
>> If X pretends to be Y,
>
> If I put my gmail address into the from field, there is no pretending,
> no matter what platform I am using.

That conflicts with the coarse-grained authentication strategy,
established at the FTC Email Authentication Summit in November 2004,
as Doug recalled. Your gmail address needs to be authenticated by
gmail. Sending From: bbiw.net, SPF-authenticated as dcrocker.net, and
whitelisted as yet another domain (songbird.com) can hardly be
verified. There is no "pretending", since it's you, but it is not
formally distinguishable from spoof, is it?

> This continuing practice of characterizing valid use as if it were
> spoofing or pretending has been a major impediment to constructive
> discussion in the industry.

A system that is able to recognize all your domains and affiliations
in order to authenticate messages does cost several orders of
magnitude more than a simple "mechanical" verifier. That way,
requiring too much flexibility is a push toward oligopoly.
Of course, the alternative is to keep email as a casual, unreliable,
unofficial means of communication. I'm not sure the latter is
realistic, given current trends. Are we sticking our heads in the sand?
Best
Ale
--
_______________________________________________
dmarc mailing list
dmarc@ietf.org
https://www.ietf.org/mailman/listinfo/dmarc