On Jun 19, 2014, at 11:45 AM, Murray S. Kucherawy <[email protected]> wrote:
> On Thu, Jun 19, 2014 at 11:15 AM, Hector Santos <[email protected]> wrote: > While DKIM-BASE tried to clean up this separation of the author domain > policy, it could not because of all the past existing ADSP or SSP references > in the many DKIM related RFCs, see RFC6376, section 1.1. But conceptually, > it didn't matter what you called it. It was an author domain signing policy > protocol and today, it's called DMARC. DKIM has no payoff with just base > signing analysis . It was separated but with all the intentions of sticking > secondary author policy and signer trust layers on it before a payoff was > realized. > > There are reputation systems -- I built one, and I know others exist -- that > use DKIM as the identifier on which reputation is built, and they've been > effective in experimental environments at identifying what's good and what's > outside of "good". > > The difference here is between active and passive determination of what's > good and what's not good. If you want active, I agree that DKIM by itself > isn't enough. But I disagree, with evidence, that DKIM "has no payoff with > just base signing analysis". > > If that's not convincing enough, consider that IP reputation has been largely > successful, and the input to such systems is a verified identifier, which is > the same class of output DKIM provides. Dear Murray, Our company has had extensive experience dealing with email spoofing. While reputation is able to deal with bulk spamming, it is ineffective at dealing with a phishing problem, the intent behind DMARC. It is a basic information issue. Those offering a reputation for a domain have no way to judge which of their identifiers are being spoofed for messages handled by third-parties. Only the spoofed domain can be considered authoritative. To suggest otherwise implies the sharing of PII, which is not acceptable in many regions. Regards, Douglas Otis
_______________________________________________ dmarc mailing list [email protected] https://www.ietf.org/mailman/listinfo/dmarc
