ietf-smtp

Re: [ietf-smtp] Email explained from first principles

2021-05-27 12:15:40
On 27 May 2021, at 18:23, John R Levine <johnl(_at_)taugh(_dot_)com> wrote:
> We've spent a decade with people insisting that the entire e-mail world has
> to change the way it works to conform to the latest FUSSP.

Why is domain authentication framed as a spam prevention technique? Any 
messaging service which is popular, open, and free will have spam. Spam is a 
problem of quantity: You just have to bring down the amount of unsolicited 
messages to a bearable level, be it with domain or IP reputation, 
challenge-response mechanisms, or proof of work. Phishing, on the other hand, 
is a problem of quality: A single successful attack can do immense harm. It’s 
not just large organizations which are being impersonated. A popular scam is to 
impersonate the victim themself, claiming that their account has been 
compromised and blackmailing them into paying a ransom.

Just because some people will always fall for scams doesn’t mean that we 
shouldn’t try to reduce the number of victims. Otherwise, cars wouldn’t need 
safety measures because some people will always die in car accidents. Priming 
plays a huge role in human psychology and there’s a lot that mail clients could 
do in this regard: Separate messages from unknown senders, don’t display the 
display name of unknown senders, warn users when they click on links from 
unknown senders, warn users if a previously authenticated sender could not be 
authenticated, etc.

> They understand that DMARC's limitations cause a lot of gratuitous pain for
> their users who've been using mailing lists for a long time.

I fully understand this pain and respect the motivation behind ARC, but you 
cannot have (strict) domain authentication and message rewriting. I want the 
former and don’t care about the latter. Maybe the solution will be that people 
use two different addresses: One with domain authentication enabled for direct 
conversations and one without domain authentication for mailing lists.
_______________________________________________
ietf-smtp mailing list
ietf-smtp(_at_)ietf(_dot_)org
https://www.ietf.org/mailman/listinfo/ietf-smtp
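
Added example, not part of the original message: a sketch of the client-side measures listed above (separating unknown senders, hiding their display name, warning when a previously authenticated sender fails authentication), driven by the `Authentication-Results` header. The authserv-id `mx.example.net`, the rule that "unknown" means "never passed DMARC before", the folder names and the sample messages are all assumptions made for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr

TRUSTED_AUTHSERV = "mx.example.net"  # assumption: authserv-id of the user's own MTA

def dmarc_result(msg):
    """DMARC verdict recorded by our own MTA; 'none' if it recorded nothing."""
    for value in msg.get_all("Authentication-Results", []):
        value = re.sub(r"\([^)]*\)", "", value)        # strip header comments
        authserv, _, results = value.partition(";")
        if (authserv.split() or [""])[0].lower() != TRUSTED_AUTHSERV:
            continue                                   # header not written by our MTA
        m = re.search(r"\bdmarc\s*=\s*(\w+)", results)
        if m:
            return m.group(1).lower()
    return "none"

def classify(msg, seen_authenticated):
    """Presentation decision; seen_authenticated is the set of From addresses
    that passed DMARC earlier and is updated in place."""
    name, addr = parseaddr(msg.get("From", ""))
    addr = addr.lower()
    if dmarc_result(msg) == "pass":
        seen_authenticated.add(addr)
        return {"folder": "inbox", "shown_as": name or addr, "warning": None}
    if addr in seen_authenticated:
        return {"folder": "inbox", "shown_as": addr,
                "warning": "previously authenticated sender failed authentication"}
    return {"folder": "unknown senders", "shown_as": addr,
            "warning": "confirm before opening links"}

# Constructed sample messages, delivered in this order.
SAMPLES = [
    "Authentication-Results: mx.example.net; dkim=pass header.d=bank.example;\n"
    " dmarc=pass header.from=bank.example\n"
    'From: "Alice" <alice@bank.example>\n\nhello\n',
    "Authentication-Results: mx.example.net; dmarc=fail header.from=bank.example\n"
    'From: "Alice" <alice@bank.example>\n\nurgent\n',
    "Authentication-Results: relay.invalid; dmarc=pass header.from=shop.example\n"
    'From: "Your Bank" <billing@shop.example>\n\npay now\n',
]

def run_samples():
    seen = set()
    return [classify(message_from_string(raw), seen) for raw in SAMPLES]

if __name__ == "__main__":
    for decision in run_samples():
        print(decision)
```

The third sample carries a `dmarc=pass` written by a foreign authserv-id, so it is ignored and the display name "Your Bank" is not shown. The sketch assumes the receiving MTA removes inbound `Authentication-Results` fields that claim its own authserv-id.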