On Fri, May 28, 2010 at 3:34 PM, John Levine <johnl(_at_)iecc(_dot_)com> wrote:
In past discussions there had been an expressed concern that the
number of domains/companies who send notifications and are phish
targets is very low, but I would counter that it is not low at all.
The question is low compared to what. There are probably thousands,
maybe tens of thousands of domains that send financial notifications,
but that's pretty low compared to the millions of domains overall.
High enough number to matter? IMHO, yes.
Percentage compared to domains that don't need this kind of
protection? Irrelevant, because the raw number is already at the
hundreds of domains level, across my employer's client base alone. And
I know I'm not alone.
Way back when, it was actually you and me and a few other people
talking about this at a conference, and I vaguely recall (forgive me
if I am wrong) that you were thinking it was "could count on both
hands the number of domains that need ADSP-style protection", i.e. the
custom agreements between Ebay and Gmail scale well enough. IMHO, I
personally am way beyond that level. Aren't others? At what level
would folks agree that this no longer scales, and we need a sender
publishable function like this, instead?
I grant that this ultimately needs more receiver buy-in (or at least
more than I personally observe), but these are unanswered questions
that have been nagging at me.
Cheers,
Al
_______________________________________________
NOTE WELL: This list operates according to
http://mipassoc.org/dkim/ietf-list-rules.html