On Mon, Sep 19, 2022 at 11:44 AM Slavko via mailop <[email protected]> wrote:
> On 19 September 2022 15:38:35 UTC, Dave Crocker via mailop <[email protected]> wrote:
>
> > On 9/17/2022 8:12 AM, Jim Popovitch via mailop wrote:
> > > and DMARC was to fix what DKIM broke,
> > > and DKIM was to fix what SPF broke, and SPF was to fix (what was SPF
> > > supposed to fix, oh yeah... provider greed and irresponsibility).
> >
> > DKIM didn't break anything. It has limitations, as do all technologies.
>
> I agree. The problem with DKIM is not DKIM itself, but its misuse. We all here
> meet the interpretation of a broken DKIM signature as a sign of something
> bad, which is against the RFC (hi rspamd's DKIM reputation).
>
> Even SPF doesn't break things, it only makes visible another (often used)
> problem -- that forwarding does not use its own envelope sender. And IMO
> it doesn't matter that the RFC doesn't prohibit it, nor that there can be a
> problem deciding what to use as sender; it was bad from the start (or at
> least from the time when Internet connections became reliable enough, years ago).
>
> The main problem is DMARC. While a great idea, which can solve a lot
> of fake mails, it is good (its strict policy) only for domains which
> don't appear in indirect flows at all, e.g. banks, B2B, etc.
>
> Anyone can do the research by themselves. How many ESPs (or other email)
> providers suggest using p=none only as a starting point and then switching
> to a strict policy for all? I remember only one article which suggested that
> most domains stay on the none policy if there is not a good enough
> reason to use something more strict.
>
> Even its RFC is really poor about p=none and/or a missing DMARC
> record at all. That is IMO meaningful too. And I will not repeat that the
> use of SPF/DKIM for DMARC itself is their misuse.
>
> Another (IMO the biggest) problem of all of them is who has to decide
> about them. E.g. how can users interpret "quarantined" DMARC
> messages? How many MUAs provide some UI for that?
> And even when MUAs will provide it, how will users be able to identify why
> something fails? Especially when most of them know near nothing
> about cryptography, mail flows, nor even about DNS. (As the previous
> thread shows, many of them are not even able to check their Spam
> folder.) If users will not be able (and they will not) to distinguish
> legitimate mail from fake ones, the whole quarantine policy is pointless.

I think many people here will point out that user interface changes will have little effect on how customers interact with spam/phishing. At best, these interfaces are useful to already-expert users looking for breadcrumbs or what to do administratively.

In the end, the quarantine policy is a hint to the mailbox provider as to how to disposition that message, whether it's an admin-level quarantine, or just dropping the message in the spam folder/label, or adding a warning to users, or even ignoring it.

Surfacing the fact that DMARC failed is only going to change user behavior on the margins, but placing the message in the spam folder or making all links in the message non-clickable will have a lot more impact on user behavior than trying to explain to the user why with technical jargon.

Brandon
_______________________________________________ mailop mailing list [email protected] https://list.mailop.org/listinfo/mailop
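The thread above argues two things that are easy to check against the RFC 7489 evaluation rules: that plain forwarding breaks SPF but an intact, aligned DKIM signature still lets the message pass DMARC, and that p=none produces no disposition at all while p=quarantine is only a requested disposition that the receiver maps to its own action. The following Python is an added illustration written for this page, not code from the mailop thread or from any of the participants. The record text, domain names and SPF/DKIM results are constructed sample data, and the organizational-domain helper takes the last two labels instead of consulting the Public Suffix List, which is an assumption a real receiver must not make.

```python
"""DMARC policy evaluation after RFC 7489 section 6.6.2 (added example).

Not code from the mailop thread. All records, domains and authentication
results below are constructed sample data.
"""
from dataclasses import dataclass

VALID_POLICIES = ("none", "quarantine", "reject")


def parse_dmarc_record(txt: str) -> dict:
    """Split a 'v=DMARC1; p=...; ...' TXT record into a tag dictionary."""
    tags = {}
    for part in txt.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            raise ValueError(f"malformed DMARC tag: {part!r}")
        name, value = part.split("=", 1)
        tags[name.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":
        raise ValueError("record does not start with v=DMARC1")
    if tags.get("p", "").lower() not in VALID_POLICIES:
        raise ValueError("record lacks a valid p= tag")
    return tags


def org_domain(domain: str) -> str:
    """Organizational domain. Assumption: last two labels; no PSL lookup."""
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def aligned(from_domain: str, auth_domain: str, mode: str) -> bool:
    """Identifier alignment: strict (s) is an exact match, relaxed (r)
    only requires the same organizational domain."""
    if not auth_domain:
        return False
    f = from_domain.lower().rstrip(".")
    a = auth_domain.lower().rstrip(".")
    return f == a if mode == "s" else org_domain(f) == org_domain(a)


@dataclass
class AuthResults:
    """What SPF and DKIM verification reported for one message."""
    from_domain: str   # RFC5322.From domain
    spf_result: str    # "pass", "fail", "softfail", "none", ...
    spf_domain: str    # RFC5321.MailFrom domain SPF was evaluated for
    dkim_result: str   # "pass", "fail", "none", ...
    dkim_domain: str   # d= of the passing DKIM signature, "" if none


def evaluate_dmarc(record_txt: str, record_domain: str, r: AuthResults,
                   sampled: bool = True) -> dict:
    """Return the DMARC result and the disposition the sender requested.

    `sampled` stands in for the pct= random draw: True means this message
    is inside the fraction to which the full policy applies.
    """
    tags = parse_dmarc_record(record_txt)
    spf_aligned = r.spf_result == "pass" and aligned(
        r.from_domain, r.spf_domain, tags.get("aspf", "r"))
    dkim_aligned = r.dkim_result == "pass" and aligned(
        r.from_domain, r.dkim_domain, tags.get("adkim", "r"))
    passed = spf_aligned or dkim_aligned

    policy = tags["p"].lower()
    # sp= overrides p= when the From domain is a subdomain of the record's domain.
    if r.from_domain.lower() != record_domain.lower() and "sp" in tags:
        policy = tags["sp"].lower()

    if passed:
        disposition = "none"
    elif sampled or policy == "none":
        disposition = policy
    else:
        # Outside the pct= sample the next weaker policy applies.
        disposition = {"reject": "quarantine", "quarantine": "none"}[policy]

    return {"result": "pass" if passed else "fail",
            "disposition": disposition,
            "spf_aligned": spf_aligned,
            "dkim_aligned": dkim_aligned}


# Constructed sample records for one sender, before and after leaving p=none.
QUARANTINE_RECORD = "v=DMARC1; p=quarantine; rua=mailto:dmarc@example.com"
NONE_RECORD = "v=DMARC1; p=none; rua=mailto:dmarc@example.com"


def forwarded_message() -> AuthResults:
    """Plain forwarding keeps the original MAIL FROM, so SPF fails at the
    final hop, but the untouched DKIM signature still aligns with From."""
    return AuthResults("example.com", "fail", "example.com", "pass", "example.com")


def list_modified_message() -> AuthResults:
    """A list that rewrites the body breaks DKIM and uses its own MAIL FROM,
    so neither identifier aligns with the author's From domain."""
    return AuthResults("example.com", "pass", "list.example.org", "fail", "example.com")


if __name__ == "__main__":
    for name, rec in (("p=quarantine", QUARANTINE_RECORD), ("p=none", NONE_RECORD)):
        for label, msg in (("forwarded", forwarded_message()),
                           ("list-modified", list_modified_message())):
            print(name, label, evaluate_dmarc(rec, "example.com", msg))
```

The disposition returned here is only what the sender asked for; mapping "quarantine" to a spam folder, a warning banner or an admin hold is the receiver's local decision, which is the point Brandon makes above. A pct= value below 100 with `sampled=False` shows the other half of that story: the RFC downgrades reject to quarantine and quarantine to none for the unsampled share.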
