On Sun 16/Aug/2020 17:31:47 +0200 Dave Crocker wrote:
On 8/16/2020 1:23 AM, Alessandro Vesely wrote:
On Sat 15/Aug/2020 20:12:18 +0200 Dave Crocker wrote:
On 8/15/2020 3:32 AM, Alessandro Vesely wrote:
If X pretends to be Y,
If I put my gmail address into the from field, there is no
pretending, no matter what platform I am using.
That conflicts with the coarse-grained authentication strategy,
established at the FTC Email Authentication Summit in November
2004, as Doug^W Michael recalled. >
1. I was making a semantic point, not a technical or technical policy
one.
They have to match at some point.
2. There was nothing 'established' at that event. There were
interesting discussions, but that's all.
I wasn't there. Can't it be considered the historic event that marked
domain-level authentication as the promising strategy to counter email
abuse?
3. I'm not finding the reference in any of Doug^X Michael's notes
that your are relying on. Please be specific about it.
https://mailarchive.ietf.org/arch/msg/dmarc/-pX7yWlSk39ShOjAzWMxhxlKh1E
Your gmail address needs to be authenticated by gmail.
Good grief, no. There is no system rule to that effect. DMARC
created that, but no policy before it was in place, never mind accepted.
DMARC took that strategy to the extremes. A number of users and
operators seem to have accepted it. Why cannot we accept it too?
Sending From: bbiw.net, SPF-authenticated as dcrocker.net, and
whitelisted as yet another domain (songbird.com) can hardly be
verified. There is no "pretending", since it's you, but it is not
formally distinguishable from spoof, is it?
Whether valid and invalid uses can be distinguished does not alter the
fact that valid uses are valid.
The problem is to find the technical means that allow receivers and
recipients to verify such validity.
This continuing practice of characterizing valid use as if it were
spoofing or pretending has been a major impediment to constructive
discussion in the industry.
A system that is able to recognize all your domains and affiliations
in order to authenticate messages does cost several orders of
magnitude more than a simple "mechanical" verifier. That way,
requiring too much flexibility is a push toward oligopoly.
I have no idea what you are referring it.
Gmail has a visual perspective that allows them to know each and every
email domain worldwide, and employs a number of people who help
continuously upgrading domain reputation. In order to enjoy such
technology, medium-small domains can get a G Suite account. That's
oligopoly. If the technology were simpler and clearer, running one's
own mail server could be a valid alternative.
Best
Ale
--
_______________________________________________
dmarc mailing list
dmarc@ietf.org
https://www.ietf.org/mailman/listinfo/dmarc
