On Fri 11/Oct/2024 04:03:32 +0200 Douglas Foster wrote:
> We will always have partial participation and incorrect participation, and
> always will. 100% authentication depends on the receiver finding ways to
> classify messages as credibly identified.

For example, consider source routing in email addresses, defined by RFC 821.
Nowadays, rfc5321bis still dedicates an appendix to that concept, but in
practice it has faded away for good. Modern software can safely ignore it.
Likewise, if we devise a precise method of forwarding, such that recipients
trust ARC after verifying subscriptions, within a few decades the problem of
mailing lists will be forgotten.

> But RFC7489 misleads people to focus on Fail rather than Pass, which
> created the mailing list problem. It also puts the evaluator at risk,
> partly because it ignores 90% of all malicious impersonation, and partly
> because it does not trace malicious messages to the responsible party.
> So there was a huge opportunity to ask, "What do evaluators need?", which
> was missed.
>
> I am opposed to the current document because it misleads in the same way
> as RFC7489, calcifying all that was wrong with it.

The current document states the actual limits of DMARC very clearly.
The "opportunities" of best guess, alternative authentication rules, learning
patterns and combining results are a sort of mumbo jumbo that is not worth
standardizing, albeit they can be useful in the absence of precise methods.
DMARC doesn't solve the problem. However, it paves the way for future
refinements that provide for checking reliability without making guesses. To
such extent, it deserves support.
Best
Ale