On 2013-3-27 18:48, David F. Skoll wrote:
>>   Now that we've seen/talked some stats on SPF... I'd be interested to
>> know what anyone might have to offer on DKIM usefulness.
>
> The up-and-coming thing is DMARC, which will probably enjoy good press the
> way SPF and DKIM did for a few years until it too is found to be not
> very useful. :)
> 
> DMARC is intended to close two loopholes: It lets domain owners *specify*
> what you should do on SPF fail or DKIM fail, and it gives domain owners
> feedback about failed SPF/DKIM so a domain owner can know that he/she's
> the victim of spoofing.
> 
> DMARC falls flat because it does not in any way protect what the user
> sees as the "From" field in a mail reader, so phishers can happily spoof
> mail and still be DMARC-compliant.

Hey, I like DMARC. I've even implemented DMARC verification in MIMEDefang ;) 
(the reporting bit is a stand-alone process). It's useful, because it will 
deter phishers from abusing a domain (a national Dutch bank saw a decrease of 
71% in the number of phishing mails spoofing their domain since enforcing 
DMARC). However, it's only useful for "transactional" mail: you cannot use it 
for domains with ordinary users on them (so: it's for banks or other institutions 
that send lots of automated mail and are often the targets of phishing).

DMARC protects the domain in the From: header. No more, no less. Anyone can 
still say they're From: "[email protected]" <[email protected]>, and most 
users will see the address between quotes instead of the <real> address. MUA 
authors are beginning to wake up to this; just a few days ago I had a friendly 
chat with someone from an organization that probably has the largest number of 
installed MUAs out there. Worldwide, about 60% of all inboxes already 
apply DMARC verification. Don't write it off just yet ;)

The biggest problem for DMARC (and DKIM) is that it breaks on mailing-list mail.

> Not widely used. Also, Yahoo, who started DK, doesn't even do its
> "ADSP" extension coding correctly: 

ADSP is almost dead, and widely considered dangerous. Nobody in his right mind 
should be using it anymore.

-- 
Jan-Pieter Cornet
"Most seasonal greetings are sent by spammers and phishers."


_______________________________________________
NOTE: If there is a disclaimer or other legal boilerplate in the above
message, it is NULL AND VOID.  You may ignore it.

Visit http://www.mimedefang.org and http://www.roaringpenguin.com
MIMEDefang mailing list [email protected]
http://lists.roaringpenguin.com/mailman/listinfo/mimedefang
