John gave one example but I personally don't think that is the best way to do it.
This is no different than the issue that we at AG faced in 2007 with the Storm Botnet heavily abusing our major brands. As long as we sent mail that used someone else's domains for the From and the Mail From, we weren't in a position to participate in authentication systems and efforts. I phrase it this way because (just one example) many domains will not accept mail that claims to be from their domain if it didn't originate from their own servers.

So, using americangreetings.com, the Mail From and the From on our card notifications are always [email protected]. The information about the sender is provided in the subject line and the body of the message so that the recipient knows who created the card. No end-user personalization other than name and email address is provided in the notification email so as to provide consistency in the emails. This makes it easier for mailbox providers as well as recipients to evaluate the card notification for validity.

Without going into detail about our click-through rates and the overall reduction in phishing/brand abuse, I will say that this works from both a business and a security perspective. I will say that many brand owners are unwilling to make changes to their infrastructure to implement this approach (vs. sending as the end-user email or "on behalf of" the sender email) until their brand is abused. It really is that simple. In many (most?) cases it requires changes to back-end systems and that takes resources. The other factor is that it is not perceived as a problem until after it becomes a problem.

Mike

> -----Original Message-----
> From: McDowell, Brett [mailto:[email protected]]
> Sent: Monday, May 03, 2010 11:54 AM
> To: MH Michael Hammer (5304)
> Cc: [email protected]; [email protected]
> Subject: Re: [ietf-dkim] besides mailing lists...
>
> On May 3, 2010, at 11:06 AM, MH Michael Hammer (5304) wrote:
>
> > And it is easy enough to do "F2F" in a manner that does not break the
> > authentication-based service.
>
> How?
>
> -- Brett

_______________________________________________
NOTE WELL: This list operates according to http://mipassoc.org/dkim/ietf-list-rules.html
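The two sending patterns Mike contrasts above (card notifications that borrow the end user's address for From and Mail From, versus notifications that always use the platform's own domain and carry the sender's name and address only in the Subject and body), as an added example that is not part of the thread and not American Greetings' own code. The receiver-side check is a deliberately simplified model of the rule Mike cites (a domain refusing mail that claims to be from itself but did not originate on its own servers) plus a basic From/Mail From alignment test; real SPF/DKIM/DMARC evaluation is more involved. The fixed local part `ecards@`, the domains `strict.example` and `other.example`, and the card IDs are constructed for the example.

```python
"""Added example: fixed-From card notifications versus "on behalf of" sending,
with a simplified model of the receiver checks the fixed-From pattern is meant
to pass.  Everything except the domain americangreetings.com is constructed."""
from email.message import EmailMessage
from email.utils import parseaddr

PLATFORM_DOMAIN = "americangreetings.com"         # domain named in the post
NOTIFICATION_ADDR = f"ecards@{PLATFORM_DOMAIN}"   # hypothetical fixed address


def domain_of(addr: str) -> str:
    """Lower-cased domain part of an address such as 'Name <user@dom>'."""
    return parseaddr(str(addr))[1].rpartition("@")[2].lower()


def build_on_behalf_of(sender_name, sender_email, recipient, card_id):
    """Pattern argued against in the post: From and Mail From carry the end
    user's own address, which the platform cannot authenticate.
    Returns (message, envelope Mail From)."""
    msg = EmailMessage()
    msg["From"] = f"{sender_name} <{sender_email}>"
    msg["To"] = recipient
    msg["Subject"] = f"{sender_name} sent you an ecard"
    msg.set_content(f"View your card: https://{PLATFORM_DOMAIN}/view/{card_id}\n")
    return msg, sender_email


def build_fixed_from(sender_name, sender_email, recipient, card_id):
    """Pattern described in the post: From and Mail From are always the
    platform's own address.  Only the sender's name and email are inserted,
    into a fixed template, in the Subject and body.
    Returns (message, envelope Mail From)."""
    msg = EmailMessage()
    msg["From"] = f"American Greetings Ecards <{NOTIFICATION_ADDR}>"
    msg["To"] = recipient
    msg["Subject"] = f"{sender_name} sent you an ecard"
    msg.set_content(
        f"{sender_name} ({sender_email}) created a card for you.\n"
        f"View it at https://{PLATFORM_DOMAIN}/view/{card_id}\n"
    )
    return msg, NOTIFICATION_ADDR


def receiver_verdict(msg, mail_from, originating_domain, receiver_domain):
    """Simplified model of the receiver checks the post alludes to.

    originating_domain: the domain whose servers actually handed the message
    over, i.e. the domain that SPF/DKIM could vouch for.
    receiver_domain:    the mailbox provider's own domain.

    Rule 1 (the case cited in the post): the message claims to be From the
    receiver's own domain but did not originate on the receiver's servers.
    Rule 2: accept only when both From and Mail From domains are the
    originating domain, so the sending platform can authenticate them.
    """
    from_dom = domain_of(msg["From"])
    mfrom_dom = domain_of(mail_from)
    if from_dom == receiver_domain and originating_domain != receiver_domain:
        return "reject: claims our own domain but originated elsewhere"
    if from_dom == originating_domain and mfrom_dom == originating_domain:
        return "accept: From and Mail From align with the originating domain"
    return "unauthenticated: From/Mail From domains cannot be vouched for"


def compare_patterns(sender_name, sender_email, recipient):
    """Run both patterns through the same receiver and return the verdicts."""
    receiver = domain_of(recipient)
    results = {}
    for label, builder in (("on_behalf_of", build_on_behalf_of),
                           ("fixed_from", build_fixed_from)):
        msg, mail_from = builder(sender_name, sender_email, recipient, "card-001")
        results[label] = receiver_verdict(msg, mail_from, PLATFORM_DOMAIN, receiver)
    return results


if __name__ == "__main__":
    # Constructed scenario: a user at strict.example sends a card to a
    # colleague at the same domain, which refuses self-claimed mail from outside.
    for label, verdict in compare_patterns(
            "Alice", "alice@strict.example", "bob@strict.example").items():
        print(f"{label:13s} -> {verdict}")
```

The `on_behalf_of` message is rejected outright when the recipient is at the sender's own domain, and is merely unauthenticated everywhere else; the `fixed_from` message passes the same checks in both cases because every domain it asserts is one the platform actually sends from.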
