[dmarc-discuss] whitelisting, was DMARC thwarted already?
johnl at taugh.com
Fri Jun 6 09:29:44 PDT 2014
>Yes, it is difficult and I think it's one of the biggest barriers to getting a common
>solution for trusted senders. I don't think that your solution of authentication-only is
>enough, as I explain below.
It doesn't have to be one list. Many of the prime phish targets are
in regulated industries, so there already lists of who the real
entities are. A list of domains of actual banks, published by a
regulator like the FDIC or a trade association like the ABA, would be
a good start.
I suggested about a decade ago to a guy from the FDIC that they should
set up a CA and sign the certs of the banks they insure. Good idea,
he said, and nothing came of it.
More information about the dmarc-discuss