[dmarc-discuss] whitelisting, was DMARC thwarted already?

John Levine johnl at taugh.com
Fri Jun 6 09:29:44 PDT 2014

>Yes, it is difficult and I think it's one of the biggest barriers to getting a common
>solution for trusted senders. I don't think that your solution of authentication-only is
>enough, as I explain below.

It doesn't have to be one list.  Many of the prime phish targets are
in regulated industries, so there are already lists of who the real
entities are.  A list of domains of actual banks, published by a
regulator like the FDIC or a trade association like the ABA, would be
a good start.

I suggested about a decade ago to a guy from the FDIC that they should
set up a CA and sign the certs of the banks they insure.  Good idea,
he said, and nothing came of it.

