On 17 September 2022 at 2:35:42 UTC, Brandon Long via mailop 
<mailop@mailop.org> wrote:

>So, while AOL & Yahoo were the vanguard for mass consumer providers, the
>problems were already being experienced by many corporate domains
>before that, and even more since.

That is all acceptable and I fully understand it in the corporate ecosystem, but...
The whole point of SPF/DKIM/DMARC/ARC/etc. misses personal emails/domains.

With a little irony, if someone wrote "happy birthday" to my mom behind my back,
we would all be happy -- my mom gets it, I do not need to write it, and the "hacker"
was able to do it. If someone wants stronger auth, E2E has been here for years (yes, I am
aware why it is not used by most users, please do not elaborate on it).

In other words, not all emails are worth strong protection/authorization, and
doing it is only a waste of resources, and there are no (sufficiently) clear rules for
those who do not need/want it. The RFCs mention it, but these parts are
often ignored or missed.

Before this topic started, I was thinking about rspamd's DKIM reputation rule,
as I noticed a very bad reputation for some domains. After a little investigation
I see that most of them are domains from which I got emails only via some
ML which breaks DKIM, and rspamd counts failed DKIM as bad reputation
(besides a bug in the calculation in the last version)... I can only guess, but I will not
be surprised if rspamd is not the only one doing that...

Many of us (in this ML) have already agreed that a failed DKIM is a mark of a failed
signature only, nothing more, nothing less, and there are plenty of (semi-)legitimate
reasons for this to happen. And a successful DKIM is the same; it doesn't signal the
legitimacy of the mail, only that it was not modified and that it was signed by someone
with the secret key -- and anyone working in computer security knows that key
leaks happen (that is why regular key rotation is suggested).

The same goes for SPF; recently someone wrote that one has to know his
outgoing mail IPs. This seems obvious, until someone outsources
their outgoing mail (via some kind of smarthost). And if this outsourcing
has multiple levels... Sure, one can use include (etc.) rules, but then
there are DNS query limits. And most important -- anyone from these
included IPs can send email from your domain which will pass SPF, thus
it only limits the sources of scams, it does not prevent them. Consider how many domains
include gmail/o365/etc. IPs?

Recently there was a huge topic here about the Spam folder and that users do not check
it. How are people checking these auths? AFAIK most MUAs don't provide the
same form of UI for these checks. And even if they did provide them, how
can people properly interpret these results, especially when multiple email
providers/professionals fail at this step? How many users will bother (or
be able) to investigate why DKIM/SPF fails? Sure, the email provider can feel
OK about that, they delivered the mail and it was the user who misinterpreted the SPF/DKIM
result, but really? Do regular users really know what a digital signature and/or
source IP proves?

Yes, properly setting up SPF/DKIM/DMARC in a simple email flow is easy, super easy
(if one knows it). If the mail flow is more complicated, its complexity grows.
Sometimes it seems (to me) like another way of vendor lock-in. While not obvious at first
look, changing email provider is not as easy, especially when DNS is maintained
by another party...

I feel that all these SPF/DKIM/DMARC have introduced more problems than
they are solving (in the non-corporate world). All that my mom (she is 80 years old
and regularly checks her Spam folder) needs to know is one thing -- do not
believe anything (important) in email. That is an easy rule, it doesn't require a lot
of knowledge nor a high IQ nor does it produce emissions (as it does not consume any
energy), thus it is acceptable for most of today's Internet users, even "green" 
;-)

But wait, that rule is nothing new, it was "always" here ... and ignored. Thus
we apply new rules and then other rules, which try to solve problems in the
previous rules, and then again and again, in an infinite loop (AFAIK there is an old
XKCD about this). The only rule which can work is -- do not allow the naive/stupid
to use the Internet, but that is not acceptable, because it breaks freedom and
(more important) money from those has the same value as from others, and
there are more stupid people in the world than others and it is easier to get money
from them...

And bad actors? Not important, as they often have perfect SPF/DKIM and
often DMARC too...

(I hope that my English doesn't break what I want to point to)

regards


-- 
Slavko
https://www.slavino.sk/
_______________________________________________
mailop mailing list
mailop@mailop.org
https://list.mailop.org/listinfo/mailop
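The SPF include-chain and DNS-lookup-limit point raised in the message above, as an added example that is not code from the thread or from rspamd: a small offline SPF flattener over a constructed zone that counts the DNS-querying mechanisms against the RFC 7208 limit of 10 and shows how many addresses an outsourced smarthost chain ends up authorising. All domains and addresses are constructed; only ip4, ip6, mx and include are modelled (no redirect, a, exists or macros).

```python
import ipaddress

# Constructed SPF zone (hypothetical domains, documentation address ranges).
# example.org outsources mail to a smarthost, which in turn includes a bulk provider.
ZONE = {
    "example.org": "v=spf1 mx include:_spf.smarthost.example -all",
    "_spf.smarthost.example": "v=spf1 ip4:198.51.100.0/24 include:_spf.bulkmail.example ~all",
    "_spf.bulkmail.example": "v=spf1 ip4:203.0.113.0/24 ip6:2001:db8::/32 -all",
    # Eleven includes: one more than RFC 7208 section 4.6.4 allows.
    "toomany.example": "v=spf1 " + " ".join(f"include:i{n}.example" for n in range(11)) + " -all",
}
MX_HOSTS = {"example.org": ["192.0.2.10"]}  # constructed MX -> A resolution
LOOKUP_LIMIT = 10  # RFC 7208 section 4.6.4


def flatten(domain, lookups=0, seen=None):
    """Return (networks, lookups): every network that passes SPF for `domain`
    via ip4/ip6/mx/include, and how many DNS-querying mechanisms were met."""
    seen = set() if seen is None else seen
    if domain in seen:  # an include loop would otherwise recurse forever
        return [], lookups
    seen.add(domain)
    nets = []
    for term in ZONE.get(domain, "").split()[1:]:
        mech = term.lstrip("+-~?")  # qualifier is irrelevant for flattening
        if mech.startswith(("ip4:", "ip6:")):
            nets.append(ipaddress.ip_network(mech[4:], strict=False))
        elif mech == "mx":
            lookups += 1  # mx costs a DNS query
            nets += [ipaddress.ip_network(a) for a in MX_HOSTS.get(domain, [])]
        elif mech.startswith("include:"):
            lookups += 1  # every include costs a query, even if the target has no record
            sub, lookups = flatten(mech[8:], lookups, seen)
            nets += sub
    return nets, lookups


def check_ip(domain, ip):
    """Simplified evaluation: permerror above the lookup limit, else pass/fail."""
    nets, lookups = flatten(domain)
    if lookups > LOOKUP_LIMIT:
        return "permerror"
    return "pass" if any(ipaddress.ip_address(ip) in n for n in nets) else "fail"


def authorised_address_count(domain):
    """How many addresses may send as `domain` and pass SPF through the whole chain."""
    nets, _ = flatten(domain)
    return sum(n.num_addresses for n in nets)
```

Any customer of the bulk provider two includes down the chain passes SPF for example.org, which is the "limits the source, does not prevent it" effect described above.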
