[dmarc-discuss] MLM and Header-From rewriting - the SMTP open-relay analogy

J. Gomez jgomez at seryrich.com
Mon Jun 9 12:39:46 PDT 2014

On Sunday, June 08, 2014 7:22 AM [GMT+1=CET], David Woodhouse via dmarc-discuss wrote:

> On Sat, 2014-06-07 at 16:42 -0400, Larry Finch via dmarc-discuss
> wrote: 
> > 
> > DMARC really sounded good when it was first defined and spec’d. And
> > it DOES prevent spoofing a Yahoo or AOL address, but does nothing to
> > prevent spoofing a Yahoo or AOL user, (or Chase, Wells-Fargo, Bank
> > of America, etc) as my inbox has proven over the past few days.
> For the banks, there's a much simpler solution anyway. Banks should be
> S/MIME-signing all their customer-facing outbound mail, and a customer
> should know with 100% certainty that if they get a mail which isn't
> S/MIME signed with the bank's certificate, it's a fake.
> Any bank *not* signing its direct-to-customer email should be
> prosecuted as an accessory to fraud which it is enabling by actively
> training its customers to succumb to phishing :)

Nice. And how is the bank supposed to get hold of all of its clients' public keys in order to S/MIME sign all the mail said bank sends to all its clients? Do you think that is doable, when many people do have an email address, but have not the faintest idea of what a public key is at all?

Hmm, I think I am missing something here, as I don't see how what you propose is doable at all, not even for banks with fully staffed IT teams.
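As an added illustration of the flow David Woodhouse describes (this is not part of the thread and not anyone's production setup): the sender signs outbound mail with its own S/MIME certificate, and the recipient's verification step needs only that sender certificate as a trust anchor. The sender identity (`example-bank-sender`, `notify@bank.example`) and recipient address are constructed placeholders, and the self-signed certificate stands in for a CA-issued one.

```shell
#!/bin/sh
# Added example (not from the thread): S/MIME signing and verification with openssl.
# The sender ("bank", a constructed placeholder) signs with its own private key;
# the recipient verifies using only the sender's certificate.
set -e

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# Generate a self-signed certificate for the constructed sender identity.
# A real deployment would use a CA-issued S/MIME certificate instead.
make_sender_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=example-bank-sender/emailAddress=notify@bank.example" \
        -keyout "$WORK/sender.key" -out "$WORK/sender.crt" >/dev/null 2>&1
}

# Sign a plain-text body; produces a multipart/signed (clear-signed) MIME message.
# $1 = path to plaintext body, $2 = output path for the signed message
sign_message() {
    openssl smime -sign -in "$1" -out "$2" \
        -signer "$WORK/sender.crt" -inkey "$WORK/sender.key" \
        -from "notify@bank.example" -to "customer@example.net" \
        -subject "Statement available"
}

# Verify a signed message against the pinned sender certificate.
# Exit status 0 means the signature is valid and chains to that certificate.
# $1 = path to the signed message
verify_message() {
    openssl smime -verify -in "$1" -CAfile "$WORK/sender.crt" \
        -out /dev/null >/dev/null 2>&1
}

make_sender_cert
printf 'Your statement is ready.\n' > "$WORK/body.txt"
sign_message "$WORK/body.txt" "$WORK/signed.eml"

# A copy with one word of the body altered: verification of this must fail,
# which is what lets a recipient treat an unsigned or altered message as fake.
sed 's/ready/reedy/' "$WORK/signed.eml" > "$WORK/tampered.eml"

if verify_message "$WORK/signed.eml"; then
    echo "original: signature valid"
fi
if ! verify_message "$WORK/tampered.eml"; then
    echo "tampered: signature rejected"
fi
```

Note that the recipient side (`verify_message`) takes only the sender's certificate; the signing step never touches any recipient key material, which is what distinguishes signing from encryption in S/MIME.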