On 7/25/20 1:52 AM, Christian de Larrinaga via mailop wrote:

> My question is: is it useful?

Yes, absolutely. If it's a security-sensitive message, like one from my
bank, it's useful for my mail client to show that it was really sent by
(DKIM signed by) them to increase my trust in it. My bank does not sign
messages in any other way, so DKIM is all I can check in terms of
digital signatures.

Although I'd prefer that every message I ever receive pass DKIM checks,
I can (and do) simply ignore DKIM failures for messages that aren't
security-sensitive.

Of course, you can't blindly trust all DKIM signed mail either; when a
message shows as being signed by domain name "X", I need to then be
sure that "X" is really my bank's domain name. This is where additional
MUA interface elements could be added; it would be useful to know "This
message came from bigbank.com, who have sent you at least one message a
month for the last 12 months and are in your address book", vs. "This
message came from bigbank.com.ru, who have not sent you anything before
and who are not in your address book".

But now we're getting back to the generic question of "is there a way
that bigbank.com -- but not bigbank.com.ru -- can always show something
that recipients get used to trusting?", and something like BIMI gets
suggested. In some people's eyes, the fact that it costs significant
money and effort for bigbank.com to make the logo be displayed, and that
it's not time- or cost-effective for small operators (or phishers) to go
through the process, will be seen as a feature. But the same thought was
behind EV TLS certificates, and that didn't pan out. I think that's
mostly because even if you show a "this is valid" message for certain
entities (whether the green bar of an EV certificate or a BIMI logo),
many recipients will not notice the neutral absence of that logo in a
DKIM-signed phishing attempt from a similar domain name later.

A system that actually works probably requires neutral feedback for
known legitimate messages, and warnings for illegitimate messages, so
that it surprises people when a message supposedly from their bank has a
warning.

-- 
Robert L Mathews, Tiger Technologies, http://www.tigertech.net/
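The trust heuristic sketched in the post (neutral display for a DKIM-signed domain that is in the address book and has a sending history, a warning for a lookalike domain with no history, and ignoring DKIM failures unless the sender is security-sensitive) can be expressed as a small MUA-side policy. The code below is an added example, not code from the post or from any mail client. It assumes the receiving MTA has already verified DKIM and recorded the verdict in an Authentication-Results header (the RFC 8601 format), and it uses constructed sample messages and an in-memory address book and sending history in place of what a real client would persist.

```python
"""Trust indicator for DKIM-authenticated mail (added example).

Assumes the MTA has verified DKIM and written an Authentication-Results
header of the form "<authserv-id>; dkim=pass header.d=<signing-domain>".
Signature verification itself is out of scope here.
"""
import re
from email import message_from_string, policy
from email.utils import parseaddr

# Constructed sample messages; none of them come from the original post.
KNOWN_BANK = """\
Authentication-Results: mx.example.net; dkim=pass header.d=bigbank.com
From: BigBank Alerts <alerts@bigbank.com>
Subject: Your statement is ready

Statement attached.
"""

LOOKALIKE = """\
Authentication-Results: mx.example.net; dkim=pass header.d=bigbank.com.ru
From: BigBank Alerts <alerts@bigbank.com.ru>
Subject: Verify your account

Please confirm your details.
"""

FAILED_BANK = """\
Authentication-Results: mx.example.net; dkim=fail (bad signature) header.d=bigbank.com
From: BigBank Alerts <alerts@bigbank.com>
Subject: Your statement is ready
"""

NEWSLETTER = """\
Authentication-Results: mx.example.net; dkim=fail header.d=news.example.org
From: Weekly <news@news.example.org>
Subject: This week
"""

# Constructed MUA state: domains in the address book, and for each DKIM
# signing domain the number of the last 12 months with at least one message.
ADDRESS_BOOK = {"bigbank.com"}
MONTHS_WITH_MAIL = {"bigbank.com": 12}

_HEADER_D = re.compile(r"header\.d=([A-Za-z0-9.-]+)")


def dkim_result(msg):
    """Return (verdict, signing_domain) from the first Authentication-Results
    clause carrying a DKIM verdict, or ("none", None) if there is none."""
    for hdr in msg.get_all("Authentication-Results", []):
        # First element is the authserv-id; the rest are method clauses.
        for clause in str(hdr).split(";")[1:]:
            clause = clause.strip()
            if not clause.startswith("dkim="):
                continue
            verdict = clause.split()[0][len("dkim="):].lower()
            m = _HEADER_D.search(clause)
            return verdict, (m.group(1).lower() if m else None)
    return "none", None


def lookalike_of(domain, known):
    """Return the known domain whose labels appear as a run inside `domain`
    without `domain` being that domain or one of its subdomains
    (bigbank.com.ru resembles bigbank.com; mail.bigbank.com does not)."""
    labels = domain.split(".")
    for k in sorted(known):
        if domain == k or domain.endswith("." + k):
            continue
        kl = k.split(".")
        for i in range(len(labels) - len(kl) + 1):
            if labels[i:i + len(kl)] == kl:
                return k
    return None


def trust_indicator(raw):
    """Classify a raw message as neutral / warning / unknown / ignored."""
    msg = message_from_string(raw, policy=policy.default)
    verdict, d = dkim_result(msg)
    from_domain = parseaddr(str(msg.get("From", "")))[1].rpartition("@")[2].lower()

    if verdict == "pass" and d:
        months = MONTHS_WITH_MAIL.get(d, 0)
        if d in ADDRESS_BOOK and months >= 1:
            return "neutral", f"Signed by {d}; in your address book; mail in {months} of the last 12 months"
        resembles = lookalike_of(d, ADDRESS_BOOK)
        if resembles:
            return "warning", f"Signed by {d}, which resembles {resembles} but has never written to you"
        return "unknown", f"Signed by {d}; no prior history and not in your address book"

    # DKIM failed or absent: only alarming when the apparent sender is one
    # we treat as security-sensitive (here: anyone in the address book).
    if d in ADDRESS_BOOK or from_domain in ADDRESS_BOOK:
        return "warning", f"Message claims to be from {from_domain} but DKIM result is {verdict}"
    return "ignored", f"DKIM result {verdict} for non-sensitive sender {from_domain}"


if __name__ == "__main__":
    for name, raw in [("known bank", KNOWN_BANK), ("lookalike", LOOKALIKE),
                      ("failed bank", FAILED_BANK), ("newsletter", NEWSLETTER)]:
        level, reason = trust_indicator(raw)
        print(f"{name:12} {level:8} {reason}")
```

The four constructed messages exercise each branch: the known bank gets the neutral indicator, the `bigbank.com.ru` lookalike gets a warning despite a valid signature, a DKIM failure on a message claiming to be from the bank is also a warning, and a failure on an unrelated newsletter is ignored, which is the behaviour the post describes.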

_______________________________________________
mailop mailing list
mailop@mailop.org
https://chilli.nosignal.org/cgi-bin/mailman/listinfo/mailop
