We will always have partial participation and incorrect participation, and
always will. 100% authentication depends on the receiver finding ways to
classify messages as credibly identified.

DMARC is one technique.

DMARC best guess was disparaged by this group but it has been seen in the
wild so I am not the only one who sees its value.

Delegated authentication is a third tool which applies when the forwarder
is trusted to have authenticated, which includes major ESPs, and can
include a mailing list where authentication is imperfect but impersonation
is unlikely.

Private knowledge, acquired by looking at messages and talking to senders,
is the most accurate. It is encoded in local policy as alternate
authentication rules (which is different from whitelisting).

Header chain analysis of Received, ARC, and other auth records is the last
frontier.

When you provide authentication rules for wanted messages, possible
impersonation gets smaller and smaller, where it can be reviewed, true
malice confirmed and the responsible entity blocked. All without blocking
wanted messages.

But RFC7489 misleads people to focus on Fail rather than Pass, which
created the mailing list problem. It also puts the evaluator at risk,
partly because it ignores 90% of all malicious impersonation, and partly
because it does not trace malicious messages to the responsible party.

So there was a huge opportunity to ask, "What do evaluators need?", which
was missed.

I am opposed to the current document because it misleads in the same way
as RFC7489, calcifying all that was wrong with it.



On Tue, Oct 8, 2024, 7:41 AM Alessandro Vesely <[email protected]> wrote:

> On Tue 08/Oct/2024 13:14:23 +0200 Douglas Foster wrote:
> >
> > The proper use of DMARC is something that is not fully automated, and in
> > its optimal form is not simple:
>
> I agree it's not simple. But it could be fully automated if receivers took
> care of users' subscriptions. That would require ARC signing forwarded
> messages so that receivers can verify recipients did subscribe to the signer.
>
> ARC is currently at a deplorable state where signers add an ARC set at
> every internal hop but don't care to tell the receivers which of their users
> subscribed to which mail stream. Receivers have to learn by statistics.
>
> > "DMARC provides the starting point for a learning process which, when
> > combined with other tools and human effort, detects malicious actors and
> > isolates potentially-malicious impersonation to a progressively smaller
> > subset of all mail."
>
> Yes, learning, guessing and arranging is what we have to do until a
> precise method of forwarding messages becomes global.
>
> Best
> Ale
> --
_______________________________________________
dmarc mailing list -- [email protected]
To unsubscribe send an email to [email protected]
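An added example, not part of this thread or of any DMARC specification: a small Python evaluator that applies the pass-oriented approach argued above, checking DMARC alignment first and then the local alternate authentication rules and delegated authentication the post describes. The Authentication-Results values, domain names and rule tables are constructed for the example, and the organizational-domain helper is a deliberate simplification.

```python
"""Classify a message as credibly identified, or not, using DMARC alignment
plus local alternate-authentication rules and delegated authentication."""


def org_domain(domain: str) -> str:
    """Organizational domain, approximated as the last two labels.
    Simplification for the example; real evaluators use the Public Suffix List."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:]) if domain else ""


def parse_auth_results(header: str) -> dict:
    """Parse an Authentication-Results value into {method: [(result, {prop: val})]}.
    Clauses look like 'method=result prop=value ...'; comments containing ';' are not handled."""
    clauses = [c.strip() for c in header.split(";")]
    out: dict = {}
    for clause in clauses[1:]:  # clauses[0] is the authserv-id
        tokens = clause.split()
        if not tokens or "=" not in tokens[0]:
            continue
        method, result = tokens[0].split("=", 1)
        props = dict(t.split("=", 1) for t in tokens[1:] if "=" in t)
        out.setdefault(method.lower(), []).append((result.lower(), props))
    return out


# Local policy, constructed for the example. ALT_AUTH_RULES: mail with this From
# organizational domain is credibly identified when DKIM passes for one of the
# listed signers (e.g. a known mailing list). TRUSTED_FORWARDERS: forwarders
# trusted to have authenticated the message themselves (delegated authentication).
ALT_AUTH_RULES = {"example.org": {"lists.example.net"}}
TRUSTED_FORWARDERS = {"esp.example.com"}


def classify(from_domain: str, auth_results: str) -> str:
    """Return the rule that makes the message credibly identified, else 'unverified'."""
    fd = org_domain(from_domain)
    res = parse_auth_results(auth_results)
    # DMARC pass: an SPF or DKIM pass whose identifier aligns with the From domain.
    for result, props in res.get("spf", []):
        if result == "pass" and org_domain(props.get("smtp.mailfrom", "")) == fd:
            return "dmarc-pass:spf"
    dkim_pass = {p.get("header.d", "").lower() for r, p in res.get("dkim", []) if r == "pass"}
    if any(org_domain(d) == fd for d in dkim_pass if d):
        return "dmarc-pass:dkim"
    # Alternate authentication rule: a trusted third-party signer vouches for this From domain.
    if dkim_pass & ALT_AUTH_RULES.get(fd, set()):
        return "local-rule-pass"
    # Delegated authentication: a trusted forwarder signed it and its ARC chain validated.
    arc_ok = any(r == "pass" for r, _ in res.get("arc", []))
    if arc_ok and dkim_pass & TRUSTED_FORWARDERS:
        return "delegated-pass"
    return "unverified"
```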