Glad to see they mention DANE, although no statistics for its implementation footprint.

"The STARTTLS RFC [28] does not define how clients should validate presented certificates. While it suggests that the recipient’s domain (e.g., gmail.com) should be present in the certificate, it also permits checking the fully qualified domain name (FQDN) of the MX server. This removes the need for third-party mail servers (e.g., shared hosting like Google Apps for Work) to present a trusted certificate for each hosted domain. However, it also enables network-level attackers to falsely report MX records that point to an attacker-controlled domain. Without additional security add-ons (e.g., DANE [14]), this attack remains a real threat"

Seeing as DNSSEC hasn't been done to many (if any) Google domains, I wouldn't expect DANE to be implemented yet either.

"DNSSEC has not been widely deployed— recent studies have found that less than 0.6% of .com and .net domains have deployed DNSSEC [46]"

----- Original Message -----
From: "John Levine via dmarc-discuss" <[email protected]>
To: [email protected]
Sent: Tuesday, November 17, 2015 7:52:38 PM
Subject: Re: [dmarc-discuss] Google paper on email security mentions DMARC

>which do not deploy DMARC yet, on the other hand. A possible explanation
>can be that the majority of these providers and organizations are too
>small to afford one or more full time staff for their mail
>administration.

Another possibility is that since they are small, they do not have the problems that DMARC is intended to solve, so why bother?

> So a draft like John's draft-levine-dkim-conditional may
>fit the big ESP scene, but the vast majority of sending domains won't
>have a clue on when to add the !fs signature and when not, as they
>simply have no information about their users on who's on which list.

As I think I've said about a dozen times, most small senders could put a conditional signature on everything, since the risk of enabling a lot of spam that way is low.

R's,
John
_______________________________________________
dmarc-discuss mailing list
[email protected]
http://www.dmarc.org/mailman/listinfo/dmarc-discuss

NOTE: Participating in this list means you agree to the DMARC Note Well terms (http://www.dmarc.org/note_well.html)
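
The certificate-name checks described in the quoted paper passage, modelled as an added example that is not part of the original thread or the paper. The policy names, host names and certificate name lists are constructed, and a DNSSEC-validated MX answer stands in for DANE as a simplification.

```python
# Added example: models the STARTTLS certificate-name checks from the quoted passage.
# All host names, certificate names and policy labels are constructed for illustration.

def name_matches(pattern: str, host: str) -> bool:
    """Case-insensitive match; '*' is accepted only as the whole left-most label."""
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*":
        # Refuse wildcards directly under a top-level label, e.g. "*.com".
        return len(p) > 2 and p[1:] == h[1:]
    return p == h


def cert_covers(cert_names, host):
    return any(name_matches(n, host) for n in cert_names)


def accept(policy, recipient_domain, mx_host, cert_names, mx_dnssec_validated):
    """Return True if a sender applying `policy` would treat the TLS peer as valid."""
    if policy == "recipient-domain":
        return cert_covers(cert_names, recipient_domain)
    if policy == "mx-fqdn":
        # The MX name itself came from an unauthenticated DNS answer.
        return cert_covers(cert_names, mx_host)
    if policy == "mx-fqdn-authenticated":
        # Simplification: a DNSSEC-validated MX answer stands in for DANE.
        return mx_dnssec_validated and cert_covers(cert_names, mx_host)
    raise ValueError(f"unknown policy: {policy}")


RECIPIENT = "example.com"
# (MX host from DNS, names in the presented certificate, MX answer DNSSEC-validated?)
LEGIT = ("mx1.mailhost.example", ["*.mailhost.example"], True)
SPOOFED = ("mx.attacker.example", ["mx.attacker.example"], False)


def evaluate():
    """Map (policy, case) to the accept/reject decision for both sample cases."""
    policies = ("recipient-domain", "mx-fqdn", "mx-fqdn-authenticated")
    cases = (("legit", LEGIT), ("spoofed", SPOOFED))
    return {(pol, label): accept(pol, RECIPIENT, *case)
            for pol in policies for label, case in cases}


if __name__ == "__main__":
    for key, ok in evaluate().items():
        print(key, "accepted" if ok else "rejected")
```

Requiring the recipient domain in the certificate rejects the shared-hosting MX as well as the spoofed one, which is why checking the MX FQDN is permitted; only the authenticated variant separates the two cases.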
