Dave Crocker writes:

> The premise of your proposal is that users will notice that there's
> extra information, know what to do with it, and do the right thing,
> with reasonable consistency.

Yes, yes, yes, and yes.

> Each of those conditionals will not actually be satisfied. Users
> tend not to notice such things. They tend not to understand what
> they mean. Even when they understand, they tend to evaluate
> choices poorly. They tend to apply choices inconsistently.

Yes, yes, yes, and yes (all modulo "are we letting 'perfect' be the enemy of 'better'?" -- you have a *really* dim view of the average users' capabilities!)

> Everything gets much easier if we specify guidance for filtering
> engines, before humans come into the picture.

But now you are assuming filters that are very close to 100% accurate! Do you really think we can get there? I don't, because we already see Yahoo! Groups arranging that *humans* can see yahoo.com mailboxes in From: even though DKIM can't! If that isn't going to provide an opportunity for phishers and spammers, why are we doing DMARC in the first place?

Similarly, several posters have already objected that DKIM-delegate is subject to replay attacks. I personally think DKIM-delegate is more likely to get adopted than (say) TPA-labels, and even if both succeed, DKIM-delegate is likely to be adopted and implemented more quickly because it's much simpler.

Anyway, I'm assuming we've done the best we can at filtering at the "missing link" stage. In the scenarios I'm talking about, the message has already gotten through the filtering engines. Maybe it's in quarantine, and maybe nobody except me even looks in spam folders. But what if they do?

I conclude that we should consider trying to enlist the MUA devs for "defense in depth."
