On Oct 30, 2014, at 3:00 PM, Brandon Long <bl...@google.com> wrote: > On Wed, Oct 29, 2014 at 9:03 PM, Stephen J. Turnbull <step...@xemacs.org> > wrote: > Hector Santos writes: > > > The solution [to the third-party problem] is to make the AUTHORIZED > > ASSOCIATION between the ADID and SDID. > > This is a *first* party solution, and I have seen no evidence that > Yahoo! and AOL are going to buy in to TPA-labels-style authorized > associations. In fact, I am pretty sure that AOL *will refuse*, > because over the past few years they have been chasing out and then > firing exactly the staff who would be responsible for authorizing the > associations. > > I'm not happy with the idea because I have >400M users, and I'm not even sure > how I would validate any given service to gain enough trust to allow it to > send for any one of those users. And there are always going to be some > services that we haven't seen before or won't make the trust bar (you're > running a mailing list on your linux virtual server for your N friends? > That's nice, not going to meet the bar or the bar is useless). > > Speaking for an enterprise use case, we have relaying, expanding SPF or > passing out a specific dkim key to handle those senders, but at the very > least, a business domain is at least a restricted set of users with likely a > similar trust domain and policies and such. > > And now I'm not sure if I'm responding to a thread that was officially closed > by the wg or not, so my apologies if that's the case.
Dear Brandon, As the DMARC introduction states, it determines authorized identifiers. The draft unfortunately also muddles authorization with authentication. We have been seeing an increasing level of spoofing that leverages weaknesses in SPF and even DKIM. Preventing authorized messages from being placed into spam folders must not be seen as claiming to have "authenticated" a message's originating domain. Neither DKIM nor SPF really does this. It is misleading to oversell the function of DMARC, SPF, and DKIM. In addition, having a growing amount of legitimate email placed into spam folders also carries comparable risks as this too lowers the bar in what a user is more likely to open. A DMARC domain can determine legitimate third-party services by comparing outbound message domains against their DMARC feedback. Offering receivers domain specific third-party feedback will increase protections (raising the bar) as well as allowing DMARC restrictive policies to be applied in more environments. The DMARC domain could even proactively vet these domains. Why give a malicious domain grist for their phishing mill? Regards, Douglas Otis _______________________________________________ dmarc mailing list dmarc@ietf.org https://www.ietf.org/mailman/listinfo/dmarc
