On Sat, Jun 7, 2014 at 10:22 PM, David Woodhouse via dmarc-discuss < [email protected]> wrote:
> > DMARC really sounded good when it was first defined and spec’d. And it
> > DOES prevent spoofing a Yahoo or AOL address, but does nothing to
> > prevent spoofing a Yahoo or AOL user, (or Chase, Wells-Fargo, Bank of
> > America, etc) as my inbox has proven over the past few days.
>
> For the banks, there's a much simpler solution anyway. Banks should be
> S/MIME-signing all their customer-facing outbound mail, and a customer
> should know with 100% certainty that if they get a mail which isn't
> S/MIME signed with the bank's certificate, it's a fake.
> [...]

This is almost always suggested as an alternative solution to these problems. How come it never actually happens?

My understanding is that (a) it's too hard for users to understand how to set it up and how to respond when problems occur, and (b) this isn't improving even though we come back to it time and time again, so (c) instead we continue to try to improve upon the invisible parts of the messaging infrastructure to provide that protection.

-MSK
_______________________________________________
dmarc-discuss mailing list
[email protected]
http://www.dmarc.org/mailman/listinfo/dmarc-discuss

NOTE: Participating in this list means you agree to the DMARC Note Well terms (http://www.dmarc.org/note_well.html)
