On 2/1/2021 6:33 PM, Michael Thomas wrote:
> On 2/1/21 6:24 PM, Dave Crocker wrote:
>> DMARC has been deployed for 6 or 7 years. Where is this onerous abuse
>> on reporting that you feel is inevitable?
> Email was around for 20 years until spam became a problem.

Perhaps you missed the difference in scale between all of the last 5-7
years versus pretty much all of that 20 years?
In other words, just to keep this simple: They are not in the least
comparable. Also, cf, my previous reference to incentives.

> We know how this plays out: bad guys do the least amount of work
> possible until they have to react. When it becomes a barrier as
> p=reject does, they take action to protect their turf. Plugging an
> obvious security hole with a well known and trivial set of
> authentication mechanisms to prevent forgery should be the default
> posture. Anybody who is against that needs to explain in depth why it
> should not be the case. Especially since it's part of DMARC now.
> Mike, security related specs thumbing their nose at security is a very
> peculiar stance.

Mechanical application of a high-level script, without attending to the
details that make the script actually work in a specific case, tends to
lead to counter-productive decisions. cf my earlier reference to
barriers to entry and lack of damaging effect.
And flamboyant, aggressively hostile language like 'thumbing their nose'
is not merely wrong, it is another attempt at gaslighting. cf my
earlier reference to hostile work environment.
sigh.
d/
--
Dave Crocker
[email protected]
408.329.0791
Volunteer, Silicon Valley Chapter
American Red Cross
[email protected]