On Fri, Apr 14, 2023 at 6:47 PM Douglas Foster < dougfoster.emailstanda...@gmail.com> wrote:
> Unless a mailing list has controls in place to ensure that EVERY post > comes from the asserted participant, it is the height of hypocrisy to ask > an evaluator to assume that the post is from the asserted participant. > IETF cannot do even the easiest part of that task, so I have no reason to > expect better elsewhere. > Nobody is asking the evaluator to assume anything. That's what email authentication is about; it shouldn't assume anything, and you only really know something when you get a "pass". Reacting harshly to a "fail" when there are so many legitimate ways the current authentication schemes can fail is folly. But people are looking for silver bullets, so here we are. A world free of fraudulent email is a laudable goal, of course. But since DMARC can only actually affect direct domain attacks, and makes no discernible attempt to mitigate cousin domain or display name attacks to which attackers can trivially switch, I think I'd like to see some proof that it staves off enough of the darkness to be worth this level of defense. -MSK, participating
_______________________________________________ dmarc mailing list dmarc@ietf.org https://www.ietf.org/mailman/listinfo/dmarc