On Fri, 16 Sep 2022, Brandon Long wrote:
For thirty years we all used mailing lists that didn't mess with the
author's name or address, so you could easily reply either to the
authors or the list (and please don't mansplain to me what Reply-To
does.) That stopped working when AOL and Yahoo repurposed DMARC to
outsource the support costs of incoming spam due to their own security


For 30 years, we allowed mailing lists to modify messages and take partial
"ownership" of them (the mailing list gets the bounces), without
modifying who the message was "from".  When digital signatures were
introduced and then linking them to the sender, it made that untenable...
but the reason we added the signature and linkage was because of bad
actors, and the number of "we always did it this way" things that
have fallen to our fight with bad actors has been quite large.

I think you're basically agreeing with me. When we came up with DKIM we deliberately designed it so that the DKIM domain was separate from any other identity in the message. ADSP was supposed to connect the DKIM domain to the From: domain but did it so badly and failed in so many cases that nobody used it. So the next round was DMARC, which handled more situations than ADSP, and was intended for heavily forged domains like paypal.com.

Unsurprisingly, like any retrofit, DMARC handles a lot of cases but fails on others, with mailing lists being the most notable example. (You used to be able to do things like forward an article from a newspaper web site to a friend and put your own return address on it, which was useful.) The response too often is to blame the victim and retroactively redefine perfectly normal and legitimate activities as bad, just because the security model du jour can't describe them.

I think we both hope that ARC turns out to be an adequate band-aid to increase the amount of legitimate mail that DMARC can handle so that the most painful failures work again. But I think send an article is dead forever.

Regards,
John Levine, jo...@taugh.com, Taughannock Networks, Trumansburg NY
Please consider the environment before reading this e-mail. https://jl.ly
_______________________________________________
mailop mailing list
mailop@mailop.org
https://list.mailop.org/listinfo/mailop
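
Added example, not part of the original message: a simplified model of DMARC identifier alignment (relaxed mode), showing why a valid DKIM signature from the list's own domain does not help a message whose From: still names the author. All domains are constructed, and the organizational domain is assumed to be the last two labels, where a real verifier would consult the Public Suffix List.

```python
from dataclasses import dataclass, field


def org_domain(domain: str) -> str:
    # Assumption: last two labels stand in for a Public Suffix List lookup.
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def aligned(identity: str, header_from: str) -> bool:
    # Relaxed alignment: the organizational domains must match.
    return org_domain(identity) == org_domain(header_from)


@dataclass
class Delivery:
    header_from: str   # domain in the From: header
    mail_from: str     # envelope sender domain (where bounces go)
    spf_pass: bool     # SPF result for mail_from
    dkim: list = field(default_factory=list)  # (d= domain, verified?) pairs


def dmarc_pass(m: Delivery) -> bool:
    # DMARC passes if SPF or any DKIM signature both passes AND aligns
    # with the From: domain. A pass on an unrelated domain counts for nothing.
    spf_ok = m.spf_pass and aligned(m.mail_from, m.header_from)
    dkim_ok = any(ok and aligned(d, m.header_from) for d, ok in m.dkim)
    return spf_ok or dkim_ok


# 1. Author mails the recipient directly.
direct = Delivery("author.example", "bounce.author.example", True,
                  [("author.example", True)])

# 2. A list takes the bounces and modifies the message (e.g. adds a footer):
#    the author's signature no longer verifies, and the list's own SPF and
#    DKIM passes are for list.example, which is not the From: domain.
via_list = Delivery("author.example", "list.example", True,
                    [("author.example", False), ("list.example", True)])

# 3. The list rewrites From: to its own domain: DMARC passes again, but
#    the From: header no longer carries the author's address.
rewritten = Delivery("list.example", "list.example", True,
                     [("list.example", True)])

if __name__ == "__main__":
    for name, m in [("direct", direct), ("via list", via_list),
                    ("From: rewritten", rewritten)]:
        print(f"{name:16} DMARC {'pass' if dmarc_pass(m) else 'fail'}")
```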
