On 8/16/2020 1:23 AM, Alessandro Vesely wrote:
On Sat 15/Aug/2020 20:12:18 +0200 Dave Crocker wrote:> On 8/15/2020 3:32
AM, Alessandro Vesely wrote:
If X pretends to be Y,
If I put my gmail address into the from field, there is no pretending,
no matter what platform I am using.
That conflicts with the coarse-grained authentication strategy,
established at the FTC Email Authentication Summit in November 2004, as
1. I was making a semantic point, not a technical or technical policy one.
2. There was nothing 'established' at that event. There were
interesting discussions, but that's all.
3. I'm not finding the reference in any of Doug's notes that your are
relying on. Please be specific about it.
Doug recalled. Your gmail address needs to be authenticated by gmail.
Good grief, no. There is no system rule to that effect. DMARC created
that, but no policy before it was in place, nevermind accepted.
Sending From: bbiw.net, SPF-authenticated as dcrocker.net, and
whitelisted as yet another domain (songbird.com) can hardly be
verified. There is no "pretending", since it's you, but it is not
formally distinguishable from spoof, is it?
Whether valid and invalid uses can be distinguished does not alter the
fact that valid uses are valid.
This continuing practice of characterizing valid use as if it were
spoofing or pretending has been a major impediment to constructive
discussion in the industry.
A system that is able to recognize all your domains and affiliations in
order to authenticate messages does cost several orders of magnitude
more than a simple "mechanical" verifier. That way, requiring too much
flexibility is a push toward oligopoly.
I have no idea what you are referring it.
d/
--
Dave Crocker
Brandenburg InternetWorking
bbiw.net
_______________________________________________
dmarc mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dmarc
