On 5/19/2022 2:41 AM, Alessandro Vesely via mailop wrote:
On Wed 18/May/2022 03:01:49 +0200 Dave Crocker via mailop wrote:
Note that, in spite of DMARC, we still do not have per-user
authentication.
The FTC report required *domain-level* authentication. They wrote:
...
They were assuming that the ISP would at least have true payment
records, that would provide useful investigative leads, in case name and
address were false.
Since a 'do not email /ME/' requires resolution down to the individual
user and this must happen as the mail is being formed or sent, the list
or database query must be down to the resolution of the individual.
Domain level is not sufficient.
For authentication only at the domain level to be sufficient, it
requires that the owner of the domain explicitly and reliably vet that
all addresses in their domain are valid and that all requests for
listing, for an address in that domain, be valid. Good luck with that.
Their proposed solution was an email address registry used for scrubbing
lists that legitimate business supplied in hashed form. That technique
requires users to register all the possibly deliverable
address+extension forms.
Couldn't the Do Not Email Registry also be domain-based?...
see above.
d/
_______________________________________________
mailop mailing list
mailop@mailop.org
https://list.mailop.org/listinfo/mailop
