On Sat, 2014-06-07 at 16:42 -0400, Larry Finch via dmarc-discuss wrote:
> DMARC really sounded good when it was first defined and spec'd. And it
> DOES prevent spoofing a Yahoo or AOL address, but does nothing to
> prevent spoofing a Yahoo or AOL user (or Chase, Wells-Fargo, Bank of
> America, etc.), as my inbox has proven over the past few days.
For the banks, there's a much simpler solution anyway. Banks should be S/MIME-signing all their customer-facing outbound mail, and a customer should know with 100% certainty that if they get a mail which isn't S/MIME signed with the bank's certificate, it's a fake.

I know the X.509 certificate authorities aren't perfect, but they work tolerably for secure web sites, and the users understand them as much as they are ever going to understand anything security-related.

Any bank *not* signing its direct-to-customer email should be prosecuted as an accessory to the fraud which it is enabling by actively training its customers to succumb to phishing :)

(Let's see how this S/MIME-signed mail is handled by MUAs when the From address is mangled to no longer match the owner of the cert...)

-- 
dwmw2
_______________________________________________
dmarc-discuss mailing list
[email protected]
http://www.dmarc.org/mailman/listinfo/dmarc-discuss

NOTE: Participating in this list means you agree to the DMARC Note Well terms (http://www.dmarc.org/note_well.html)
