Our real goal needs to be mandatory sender authentication. Any secure
email gateway must go through these steps:
Source Analysis: Filter messages from unwanted sources
Sender Authentication: Filter messages that are attempting impersonation
Content Analysis: Filter messages with unwanted content
Content filtering always requires exceptions, and those exceptions are
granted based on the sender. Such exceptions are only safe and
appropriate if the sender is verifiable. If the exception is applied to
an unverified sender, it is possible for a spamming impersonator to gain
the elevated trust and reduced filtering which was only intended for the
trusted sender.
So Sender Authentication needs to become mandatory:
Senders MUST implement SPF or DKIM, and SHOULD implement both.
The MX list becomes a default SPF list for those who do not
publish a policy. MTAs MUST ensure that DKIM signatures remain
verifiable. If they are unwilling or unable to do so, they should reject
the message with a PermError. Forwarders MUST either forward with breaking
DKIM signatures, rewrite messages under their own identity, refuse the
message, or discard the message as spam. IETF MUST provide a way for
intermediate systems (both spam filters and list forwarders) to insert
content under their own signature, without breaking original signatures.
This will have implications for MUAs.
Sure it will be hard, but has this not been what you have been trying to
achieve for 15 years? SPF and DKIM provided the enabling technology, but
they were deployed as sender options.
Doug Foster
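As an added illustration of the point about sender-based exceptions (this is not code from the post or from the IETF dmarc list): a gateway should honour a content-filter exception keyed on a sender only when that sender identity has been authenticated by SPF or DKIM and the authenticated domain aligns with the From: domain. The AuthResults structure, the org_domain simplification and the sample values are assumptions made for the example.

```python
"""Apply a sender-keyed filtering exception only to a verified sender.

Constructed example: the gateway already has the SPF/DKIM results for a
message; this code decides whether a trusted-sender exception may be
used, so that an impersonator of a trusted sender never inherits it.
"""
from dataclasses import dataclass, field


@dataclass
class AuthResults:
    from_domain: str                   # RFC5322.From domain the user sees
    spf_result: str = "none"           # "pass", "fail", "none", ...
    spf_domain: str = ""               # domain SPF was evaluated against
    dkim_pass_domains: list = field(default_factory=list)  # d= of valid sigs


def org_domain(domain: str) -> str:
    # Hypothetical simplification: the last two labels stand in for the
    # organizational domain (a real gateway would use a public-suffix list).
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def is_verified_sender(r: AuthResults) -> bool:
    """True only if SPF or DKIM passed AND that identity aligns with From:."""
    want = org_domain(r.from_domain)
    if r.spf_result == "pass" and r.spf_domain and org_domain(r.spf_domain) == want:
        return True
    return any(org_domain(d) == want for d in r.dkim_pass_domains)


def filtering_action(r: AuthResults, trusted_senders: set, content_flagged: bool) -> str:
    """Return the gateway decision for one message.

    The exception is applied only when the trusted identity is verified;
    an unverified claim of a trusted From: falls back to plain content rules.
    """
    if org_domain(r.from_domain) in trusted_senders and is_verified_sender(r):
        return "deliver-exempt"      # exception honoured: sender proved its identity
    return "quarantine" if content_flagged else "deliver"
```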