On Fri, May 28, 2010 at 3:34 PM, John Levine <[email protected]> wrote:
>>In past discussions there had been an expressed concern that the
>>number of domains/companies who send notifications and are phish
>>targets is very low, but I would counter that it is not low at all.
>
> The question is low compared to what. There are probably thousands,
> maybe tens of thousands of domains that send financial notifications,
> but that's pretty low compared to the millions of domains overall.

High enough number to matter? IMHO, yes. Percentage compared to domains that don't need this kind of protection? Irrelevant, because the raw number is already at the hundreds of domains level, across my employer's client base alone. And I know I'm not alone.

Way back when, it was actually you and me and a few other people talking about this at a conference, and I vaguely recall (forgive me if I am wrong) that you were thinking it was "could count on both hands the number of domains that need ADSP-style protection", i.e. the custom agreements between Ebay and Gmail scale well enough. IMHO, I personally am way beyond that level. Aren't others?

At what level would folks agree that this no longer scales, and we need a sender publishable function like this, instead?

I grant that this ultimately needs more receiver buy-in (or at least more than I personally observe), but these are unanswered questions that have been nagging at me.

Cheers,
Al

_______________________________________________
NOTE WELL: This list operates according to
http://mipassoc.org/dkim/ietf-list-rules.html
