Douglas Otis wrote:
> It remains conjecture that an authorization scheme provides a measurable
> reduction in the success rate. As bad actors are able to authorize their
> own messages in various forms, an authorization scheme may increase the
> success rate of phishing attempts. Recipients are not protected by such
> a highly flawed scheme.

I don't understand why you make it so difficult.
If I say "all my mail is signed" and that expectation is defined based
on a standard SSP protocol established, then a RECEIVER and the original
DOMAIN owner should be as happy as a pig in mud when fraudulent MAIL is
arriving without signatures.
The first thing that we will be getting rid of is the legacy malicious
exploiters of domains who are not going to follow anything or would
care for anyway.
But sure, bad actors can participate in the DKIM/SSP process and in my
view, that is great if we can get them to ADAPT in a positive way - our
That is where the additional layers come into play, such as REPUTATION
if that is what the receiver wants to use to further give credence to a
The goal is to eliminate the obvious and that obvious comes in detecting
the invalid conditions and if a DOMAIN exposes a policy implying invalid
conditions were not expected, then all the receiver needs to do is junk or do
something with that message and the receiver and original domain would
be protected. We don't need an MUA to get involved.
I don't see what's so hard to understand about this.
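
The receiver-side check argued for above, as an added example that is not part of the original post or of any SSP draft. The policy label "all-signed", the PUBLISHED_POLICY table (a stand-in for the DNS lookup) and the verified_domains input (the d= domains a DKIM verifier has already validated) are assumptions, and the messages in the test are constructed.

```python
from email import message_from_string
from email.utils import getaddresses

# Constructed stand-in for a DNS lookup of each author domain's published
# signing policy. The label "all-signed" is an assumption, not SSP syntax.
PUBLISHED_POLICY = {"bank.example": "all-signed"}


def author_domains(msg):
    """Lower-cased domains of every address in every From header."""
    addrs = getaddresses(msg.get_all("From", []))
    return {a.rsplit("@", 1)[1].lower() for _, a in addrs if "@" in a}


def disposition(raw, verified_domains, policy=PUBLISHED_POLICY):
    """Decide what a receiver does with one message.

    verified_domains: d= domains whose signatures a DKIM verifier already
    validated (assumed input; no cryptography is performed here).
    Returns "junk", "reputation" or "no-policy".
    """
    msg = message_from_string(raw)
    domains = author_domains(msg)
    if not domains:
        return "junk"  # no usable author address to evaluate a policy for
    verified = {d.lower() for d in verified_domains}
    for dom in domains:
        # A signature from some other domain does not satisfy the author
        # domain's "all my mail is signed" statement.
        if dom not in verified and policy.get(dom) == "all-signed":
            return "junk"  # the invalid condition the policy rules out
    if domains <= verified:
        # Signed by the author domain: a bad actor can get this far too,
        # so the result is handed to a further layer such as reputation.
        return "reputation"
    return "no-policy"  # unsigned, and the domain made no statement
```

A verified signature only moves the message on to the next layer; the only outcome the published policy decides by itself is the unsigned or third-party-signed message claiming a domain that said all of its mail is signed.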