Re: [ietf-smtp] Email explained from first principles

John Levine writes:

> Mailing lists have been editing messages for 40 years, long before anyone
> ever thought of DKIM or DMARC.   It is a well known DMARC failure that it  
> doesn't work with mailing lists.
s/that it doesn't work with mailing lists//.

I'm struggling to identify some tangible value-added that DKIM/DMARC brings  
to the table.
Ostensibly, these signatures prove that the mail really comes from the  
domain it purported to come from.
Ok, that's cool, but what is the point?

I'm told that this is to block spam that forges others domains.

Splendid, but I can't help but notice that spam that makes it past my spam  
filters features a shiny signature more often than not.
Here's a small sample from today's batch. I've masked the domain to avoid  
triggering someone's OCD's spam filter:
DKIM-Signature: v=1; a=rsa-sha1; c=relaxed/relaxed; d=[spam domain]
               [blah blah blah]
From: "Mail-Admin courier-mta.com" <mailer-daemon@[spam domain]>
To: mrsam(_at_)courier-mta(_dot_)com

And here's one more:

DKIM-Signature: v=1; a=rsa-sha1; c=relaxed/relaxed; s=k1; d=[spam domain]
       [blah blah blah]
DomainKey-Signature: a=rsa-sha1; c=nofws; q=dns; s=k1; d=[spam domain];
       [two for the price of one] 
Subject: Strange Liver-Hormone Helps You Burn Fat 20 Hoursa Day
It seems very obvious to me that DKIM/DMARC has been a complete failure,  
even ignoring mailing list-related breakage.
They had some initial success, when they were a novelty. That changed as  
soon as their implementations gained some foothold. Spam senders figured out  
that spam filters are whitelisting signed domains. Therefore, all they have  
to do is use their own domain, sign their spam, and they's whitelisted!
Pure comedy gold.

pgpOkZSLNWDuq.pgp
Description: PGP signature

_______________________________________________
ietf-smtp mailing list
ietf-smtp(_at_)ietf(_dot_)org
https://www.ietf.org/mailman/listinfo/ietf-smtp