On Thu, Apr 24, 2014 at 11:27 AM, Terry Zink <[email protected]> wrote:
> Correct me if I am wrong, but I think that there are significant
> differences between now and when ADSP was being investigated:
>
> 1. DKIM has much more prevalence in 2014 than it did in 2006, so requiring
> it today isn't as big an obstacle.
>
> 2. DKIM doesn't tie the d= signature field to the 5322.From: address. So,
> you can DKIM-sign all you want and add authorized third party signatures
> all you want. But if the From: address is different than what was
> authenticated, then the end user won't understand the difference.
>
> 3. DMARC is basically an anti-phishing technology, whereas while DKIM +
> ADSP can do that, it doesn't do it as well. It's less intuitive to end
> users. And because DMARC is better for anti-phishing, I would guess that's
> why it has much better traction than ADSP ever could. Speaking for a
> large(ish) email provider, DKIM is good but stopping phishing is better.

When we did ADSP (RFC 5617), the mailing list damage it could do was considered a showstopper for the vast majority of everyone participating, and advocates for "strong policy" were in the rough. I note from ADSP's author list that this included Yahoo!.

The recommended practice was to split streams, so ADSP-protected mail was in one domain and user mail was in another. This is why domains like yahoo-inc.com, googlers.com, paypal-inc.com, etc. began to appear.

It was still true when we revised DKIM a couple of years later, because the concerns were unchanged yet yielded no relevant changes to DKIM itself, and the working group produced RFC 6377 to document the problem in more detail rather than take another run at trying to solve it.

What's changed since then appears to be that some operators now believe the collateral damage is acceptable.

-MSK
_______________________________________________ dmarc mailing list [email protected] https://www.ietf.org/mailman/listinfo/dmarc
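Terry's point 2 above is that a DKIM signature can verify perfectly while its d= domain has nothing to do with the RFC5322.From domain; DMARC closes that gap with an identifier-alignment test. The following is an added illustration, not code from anyone on this thread: it checks alignment in DMARC's strict and relaxed modes over constructed header samples, using a toy public-suffix list in place of the real PSL and assuming the DKIM signature has already been verified.

```python
import re
from typing import Optional

# Constructed toy public-suffix list; a real receiver uses the full PSL.
PUBLIC_SUFFIXES = {"com", "net", "org", "co.uk"}


def organizational_domain(domain: str) -> str:
    """Public suffix plus one label, e.g. mail.example.com -> example.com."""
    labels = domain.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[max(i - 1, 0):])
    return ".".join(labels[-2:])


def _unfold(headers: str) -> str:
    # Join folded header continuation lines so one regex sees each field whole.
    return re.sub(r"\r?\n[ \t]+", " ", headers)


def from_domain(headers: str) -> Optional[str]:
    m = re.search(r"^From:.*?@([\w.-]+)", _unfold(headers), re.M | re.I)
    return m.group(1).lower() if m else None


def dkim_d_domain(headers: str) -> Optional[str]:
    m = re.search(r"^DKIM-Signature:.*?\bd=([\w.-]+)", _unfold(headers), re.M | re.I)
    return m.group(1).lower() if m else None


def dkim_aligned(headers: str, mode: str = "r") -> bool:
    """DMARC DKIM alignment: d= must equal the From domain (mode 's', strict)
    or share its organizational domain (mode 'r', relaxed, DMARC's default).
    Assumes the signature itself already verified; alignment is a separate test."""
    f, d = from_domain(headers), dkim_d_domain(headers)
    if not f or not d:
        return False
    return f == d if mode == "s" else organizational_domain(f) == organizational_domain(d)


# Constructed samples. The first is a subdomain signature; the second is a valid
# third-party signature that DKIM alone would accept but DMARC does not align.
SUBDOMAIN_SIGNED = """From: Alice <alice@example.com>
DKIM-Signature: v=1; a=rsa-sha256; d=mail.example.com; s=sel;
 h=from:to:subject; bh=<constructed>; b=<constructed>
Subject: quarterly report
"""
THIRD_PARTY_SIGNED = """From: Alice <alice@example.com>
DKIM-Signature: v=1; a=rsa-sha256; d=bulk-sender.net; s=sel;
 h=from:to:subject; bh=<constructed>; b=<constructed>
Subject: quarterly report
"""
```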
