First of all, I apologize for my overly flippant comment about "discarding the patchwork quilt" in the initial message of this thread. I by no means wanted to minimize the valuable hard work that many of you have done. I certainly do think that SPF, DKIM, and DMARC are all helping to make the email world better. As an email user I am personally thankful that all of these exist, and I am thankful for the contributions many of you on this list have made over the years which have made my inbox cleaner.
Although I conveyed my sentiments poorly, I was simply bemoaning the historical development (as I understand it), in which SMTP, like many internet protocols, was developed at a time of rapidly emerging functionality, and to a large extent serious security and authentication concerns only started tagging along later. I suspect that most of us would agree that working with security as an after-the-fact wrapper is not an ideal development paradigm to be in. That's not anybody's "fault", it is just a historical reality which nags on some of us especially with an idealist bent.
Mathematicians tend to be much more theoretical than engineers, and as a result engineers tend to get much more stuff done while the mathematicians sit around thinking in abstracts about how stuff is "supposed" to be. So thank you, engineers and others, for getting stuff done so that I can actually use actual email, rather than just pontificate about email theory which is what could happen if people like me drove the industry.
On that note, my obtuse, generic, abstract comments about false positives probably failed to drive home the point I wished to make with clarity. Again, I apologize. Let me be specific about my concerns and specific about the relevance to DMARC.
In my Hotmail inbox right now are some messages from Paypal and eBay which display little green shields. When I hover over the green shield a message from Hotmail itself tells me, "This message is from a trusted sender. To help protect you from phishing scams, we double-checked that it's safe." Likewise, in my Gmail inbox right now are some messages from Paypal and eBay which display little gold keys. When I hover over those gold keys a message from Gmail itself tells me, "This message has been verified as coming from the sender."
Personally, I feel that the level of trust being asserted in these statements, which come from two DMARC contributors who are not-so-minor players in the email game (I'm referring to the _verifiers_ here, not the senders), is not helping to facilitate an atmosphere where users understand that email authentication is imperfect and that they retain full personal responsibility for using discernment in how they respond to any message received, even if it has passed the strictest tests currently available or implemented by the vendor. It bothers me in particular when I get these same messages that confidently state, "This message has been verified as coming from the sender" when looking at particular messages which, in fact, I know very well did not come from the alleged sender.
So, when dmarc.org/faq.html says, "The DMARC standard does not specify any visual indicators that would be displayed to the end user. However the group has identified recommendations around email client features like these as an area for future work.", I would wish to throw in my two cents suggesting that such future work on this topic consider the possibility that, before too many others choose to follow in step with Microsoft's and Google's leads as currently implemented, it might be prudent to assess the likelihood that the trust level assertions accompanying said icons are too strong.
-Zach
PS I realize that the Gmail gold key is still in "labs" status, and thus carries its own "experimental" disclaimer. OK, so this authentication stuff is in a developmental state of flux. Understandable. I've been there. I'm not jumping on anybody's back. But I have reported the verification issues to these two vendors (two months ago), and I'm noting it to you guys, because if somebody out in the world gets scammed by a message regarding which Microsoft and/or Google explicitly told them, "This message is from a trusted sender," I don't want to have to say that I failed to do all I could about a known potential threat. If anyone wants to say "No biggie" to this, that's your choice. I've said what I needed to say.
_______________________________________________
dmarc-discuss mailing list
[email protected]
http://www.dmarc.org/mailman/listinfo/dmarc-discuss
NOTE: Participating in this list means you agree to the DMARC Note Well terms (http://www.dmarc.org/note_well.html)
