[dmarc-discuss] MLM and Header-From rewriting - the SMTP open-relay analogy
Murray S. Kucherawy
superuser at gmail.com
Mon Jun 9 10:18:46 PDT 2014
On Sat, Jun 7, 2014 at 10:22 PM, David Woodhouse via dmarc-discuss <
dmarc-discuss at dmarc.org> wrote:
> > DMARC really sounded good when it was first defined and spec’d. And it
> > DOES prevent spoofing a Yahoo or AOL address, but does nothing to
> > prevent spoofing a Yahoo or AOL user, (or Chase, Wells-Fargo, Bank of
> > America, etc) as my inbox has proven over the past few days.
> For the banks, there's a much simpler solution anyway. Banks should be
> S/MIME-signing all their customer-facing outbound mail, and a customer
> should know with 100% certainty that if they get a mail which isn't
> S/MIME signed with the bank's certificate, it's a fake.
This is almost always suggested as an alternative solution to these
problems. How come it never actually happens?
My understanding is that (a) it's too hard for users to understand how to
set it up and how to respond when problems occur, and (b) this isn't
improving even though we come back to it time and time again, so (c)
instead we continue to try to improve upon the invisible parts of the
messaging infrastructure to provide that protection.