On Thu, Aug 20, 2020 at 1:59 AM Alessandro Vesely <ves...@tana.it> wrote:

> I am wondering whether companies like Dmarcian could implement third-party
> whitelisting.  As they receive and analyze DMARC aggregate reports on
> behalf of many mail sites, they probably are able to distinguish various
> levels of authentication failures, from mailing lists to misaligned ESPs, to
> actual abusers.  In that case, they could maintain a whitelist tailored for
> any given client.  The client would set, say:
>
> _dmarc.client.domain.example IN TXT "v=DMARC1; rua=mailto:client...@ag.dmarcian.com; snd=client-id.rhswl.dmarcian.com; [...]"
> [...]
>

Having spent a lot of time and energy building a DKIM-based reputation
system that (IMHO) showed promise, I made it available for people to try
for free.  There was no uptake, even after presenting its promising results
in places like M3AAWG.  Times may have changed, but in retrospect I think
there are too many "what-ifs" for add-ons of this nature to be seen as
feasible.  The issues seem to be:

- it has no hope of being universally accurate; participants have to accept
that false positives and false negatives will happen

- if it's perceived as effective, demand for this will skyrocket; the host
needs to be resilient to this

- participants have to trust the company providing the service to do so
reliably and honestly (e.g., no paying to be listed or get a reputation
boost)

- depending on failure modes, the host could become a DoS target; they need
to be resilient to this

- the "lag" to which you refer might be unacceptable in some situations;
participants need to be willing to tolerate this

- there will be demands for accuracy and timely responses; interfering with
someone's mail flow for whatever reason can draw unwanted legal attention
(e.g., MAPS)

I imagine large operators already have enough information to know where the
lists are, so for them this might be moot.  It's smaller operators without
the infrastructure to make such determinations in real time that need to
collaborate on something like this.

-MSK
_______________________________________________
dmarc mailing list
dmarc@ietf.org
https://www.ietf.org/mailman/listinfo/dmarc
