On 27 May 2021, at 18:23, John R Levine <johnl(_at_)taugh(_dot_)com> wrote:
> We've spent a decade with people insisting that the entire e-mail world has
> to change the way it works to conform to the latest FUSSP.

Why is domain authentication framed as a spam prevention technique? Any
messaging service which is popular, open, and free will have spam. Spam is a
problem of quantity: You just have to bring down the amount of unsolicited
messages to a bearable level, be it with domain or IP reputation,
challenge-response mechanisms, or proof of work. Phishing, on the other hand,
is a problem of quality: A single successful attack can do immense harm. It’s
not just large organizations which are being impersonated. A popular scam is to
impersonate the victim themself, claiming that their account has been
compromised and blackmailing them into paying a ransom.

Just because some people will always fall for scams doesn’t mean that we
shouldn’t try to reduce the number of victims. Otherwise, cars wouldn’t need
safety measures because some people will always die in car accidents. Priming
plays a huge role in human psychology and there’s a lot that mail clients could
do in this regard: Separate messages from unknown senders, don’t display the
display name of unknown senders, warn users when they click on links from
unknown senders, warn users if a previously authenticated sender could not be
authenticated, etc.

> They understand that DMARC's limitations cause a lot of gratuitous pain for
> their users who've been using mailing lists for a long time.

I fully understand this pain and respect the motivation behind ARC, but you
cannot have (strict) domain authentication and message rewriting. I want the
former and don’t care about the latter. Maybe the solution will be that people
use two different addresses: One with domain authentication enabled for direct
conversations and one without domain authentication for mailing lists.
_______________________________________________
ietf-smtp mailing list
ietf-smtp(_at_)ietf(_dot_)org
https://www.ietf.org/mailman/listinfo/ietf-smtp