On Sun, Aug 16, 2020 at 2:03 PM Alessandro Vesely <ves...@tana.it> wrote:

>
> >> That conflicts with the coarse-grained authentication strategy,
> >> established at the FTC Email Authentication Summit in November
> >> 2004, as Doug^W Michael recalled.
>
> There was no such strategy established regardless of what one person
remembers.

>
>
>
> > 2. There was nothing 'established' at that event.  There were
> > interesting discussions, but that's all.
>

Agreed.

>
>
> I wasn't there.  Can't it be considered the historic event that marked
> domain-level authentication as the promising strategy to counter email
> abuse?
>

Nope. It was one of many things presented/discussed.

>
> https://mailarchive.ietf.org/arch/msg/dmarc/-pX7yWlSk39ShOjAzWMxhxlKh1E
>
>
> >> Your gmail address needs to be authenticated by gmail.
> >
> > Good grief, no.  There is no system rule to that effect.  DMARC
> > created that, but no policy before it was in place, never mind accepted.
>

Just to reiterate, DMARC, SPF and DKIM operate at the domain level
granularity, not at the individual email address level granularity.

>
>
> DMARC took that strategy to the extremes.  A number of users and
> operators seem to have accepted it.  Why cannot we accept it too?
>

DMARC does one thing and one thing only, and that is to mitigate direct
domain abuse. It was not intended to stop phishing, spam or anything but
direct domain abuse. The issues with uses such as mailing lists were
identified and noted.

>
>
> >> Sending From: bbiw.net, SPF-authenticated as dcrocker.net, and
> >> whitelisted as yet another domain (songbird.com) can hardly be
> >> verified.  There is no "pretending", since it's you, but it is not
> >> formally distinguishable from spoof, is it?
> >
> > Whether valid and invalid uses can be distinguished does not alter the
> > fact that valid uses are valid.
>
>
> The problem is to find the technical means that allow receivers and
> recipients to verify such validity.
>
>
> >>> This continuing practice of characterizing valid use as if it were
> >>> spoofing or pretending has been a major impediment to constructive
> >>> discussion in the industry.
> >>
> >> A system that is able to recognize all your domains and affiliations
> >> in order to authenticate messages does cost several orders of
> >> magnitude more than a simple "mechanical" verifier.  That way,
> >> requiring too much flexibility is a push toward oligopoly.
> >
> > > I have no idea what you are referring to.
>
>
> Gmail has a visual perspective that allows them to know each and every
> email domain worldwide, and employs a number of people who help
> continuously upgrading domain reputation.  In order to enjoy such
> technology, medium-small domains can get a G Suite account.  That's
> oligopoly.  If the technology were simpler and clearer, running one's
> own mail server could be a valid alternative.
>

Setting aside DMARC, running email servers has always had a bit of
complexity that is beyond the ability of the average person. I'm not sure
what your point here is.

Michael Hammer
_______________________________________________
dmarc mailing list
dmarc@ietf.org
https://www.ietf.org/mailman/listinfo/dmarc
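
The domain-level granularity and the bbiw.net / dcrocker.net case discussed in the thread can be shown with a small DMARC identifier-alignment check (RFC 7489, section 3.1). This is an added example, not code from the thread or its participants; the function names, the local parts and the tiny `PUBLIC_SUFFIXES` set are assumptions made for illustration, and a real verifier would use the full Public Suffix List.

```python
# Added illustration of DMARC identifier alignment (RFC 7489, section 3.1).
# Assumption: organizational domains are derived from a tiny constructed
# suffix set; a real verifier would consult the full Public Suffix List.
PUBLIC_SUFFIXES = {"com", "net", "org", "it", "co.uk"}  # constructed sample


def domain_of(address):
    """Lowercased domain of an address; the local part plays no role."""
    return address.rsplit("@", 1)[-1].strip().rstrip(".").lower()


def org_domain(domain):
    """Longest matching public suffix plus one label to its left."""
    labels = domain.split(".")
    for i in range(len(labels)):
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[max(i - 1, 0):])
    return domain  # no known suffix: treat the name as its own org domain


def aligned(from_domain, auth_domain, strict=False):
    """Strict mode needs an exact match; relaxed compares org domains."""
    if strict:
        return from_domain == auth_domain
    return org_domain(from_domain) == org_domain(auth_domain)


def dmarc_pass(header_from, spf_pass_domain=None, dkim_pass_domains=(),
               aspf="r", adkim="r"):
    """True if any *passing* SPF or DKIM identifier aligns with From:."""
    fd = domain_of(header_from)
    spf_ok = (spf_pass_domain is not None
              and aligned(fd, spf_pass_domain.lower(), aspf == "s"))
    dkim_ok = any(aligned(fd, d.lower(), adkim == "s")
                  for d in dkim_pass_domains)
    return spf_ok or dkim_ok


if __name__ == "__main__":
    # Case from the thread: From: bbiw.net, SPF passes for dcrocker.net.
    print(dmarc_pass("user@bbiw.net", spf_pass_domain="dcrocker.net"))
    # Same message with an aligned DKIM signature (d=bbiw.net).
    print(dmarc_pass("user@bbiw.net", spf_pass_domain="dcrocker.net",
                     dkim_pass_domains=["bbiw.net"]))
```

The first call fails because a valid SPF result for an unrelated domain says nothing about the From: domain; the second passes because one aligned identifier is enough.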
