ietf-smtp

Re: [ietf-smtp] the point of domain authentication

2021-05-28 12:23:21
On Fri, 28 May 2021, John C Klensin wrote:
> I am, personally, not a big fan of domain authentication.  My
> problems are tied, not to any particular detail but to two
> operational/ political problems.  The first is that any such
> system is inherently dependent on the integrity, responsibility,
> and accountability of domain name registrars and domain
> operators.

You're missing the point. Domain authentication lets us recognize good actors, who have an incentive not to screw around. The more reliably we can recognize known good senders, the more aggressively we can filter everything else and limit the number of false positives.

I cannot say how many times I have pointed this out, only to get a reply "but the bad guys can change their domain." Yeah, we know. When 90% of mail is spam, recognizing good actors is a much smaller and simpler problem than recognizing bad ones, but as far as I can tell, a lot of people fixed their model of mail filtering in the 1990s and can't imagine that it might be different.

Similarly, if it were true that blocking senders that leak spam would make them behave, we would have found some evidence of that. I know a few cases where really bad leakers who didn't send much mail that people actually wanted were publicly bludgeoned into submission, but these days the pressure points are not in places that are visible to people who run tiny mail systems like you and I do.

For some reason, much of the IETF is particularly disconnected from e-mail reality. I know IETFers who claim that DNSBLs were a fad in the 1990s and nobody uses them any more.

R's,
John

PS:

> ... when was the last time you heard of a major email provider closing an
> account and deleting a mailbox because it was used as the reply
> address in some phishing, extortion, or other fraudulent scheme?

Every day.  They don't send out press releases.

> Or how often do you see a major provider require strong
> authentication to establish a mailbox and then having terms and
> conditions indicating that any fraudulent or illegal use of the
> mailbox would result in termination of the account and handing
> the user over to law enforcement?

I am guessing you haven't tried to set up an Office 365 account. I did last year for the UASG EAI tests and let me tell you that the hoops I had to jump through to send even one message were quite extensive. If I hadn't brought my own domain, which meant my mail's reputation did not borrow the reputation of MS' large public domains, they would have been a lot worse.
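The filtering model the message argues for (recognize authenticated known-good senders, then filter everything else aggressively) versus the 1990s blocklist model, as an added example that is not part of the thread. It parses an Authentication-Results header in the RFC 8601 shape and picks a content-filter threshold based on whether a DKIM- or SPF-authenticated domain is on a reputation allowlist. The allowlist, the sample headers and the thresholds are constructed for illustration and are assumptions, not anything from the message.

```python
import re

# Hypothetical reputation allowlist of authenticated domains that have
# earned lenient treatment. In practice this is built from observed
# sending behaviour, not hand-maintained.
KNOWN_GOOD = {"example.com", "bank.example"}

# Content-filter score thresholds (assumed values). A message at or above
# the threshold is quarantined. Known-good authenticated senders get a
# lenient threshold; everyone else gets the aggressive one.
LENIENT_THRESHOLD = 8.0
STRICT_THRESHOLD = 3.0

# One authentication method result: "dkim=pass header.d=example.com"
AR_METHOD = re.compile(r"(?P<method>dkim|spf|dmarc)=(?P<result>[a-z]+)\b(?P<props>[^;]*)")
# Property carrying the authenticated identity: header.d, header.from, smtp.mailfrom, header.i
PROP = re.compile(r"(?P<ptype>header|smtp)\.(?P<prop>d|from|mailfrom|i)=(?P<value>[^\s;]+)")


def authenticated_domains(auth_results: str) -> set[str]:
    """Domains that passed DKIM, SPF or DMARC in an Authentication-Results header.

    Only methods with result "pass" count; a failed or missing check yields no
    domain, so a message that merely claims a domain is treated as unauthenticated.
    """
    domains = set()
    for m in AR_METHOD.finditer(auth_results):
        if m.group("result") != "pass":
            continue
        for p in PROP.finditer(m.group("props")):
            # smtp.mailfrom and header.i may carry a full address; keep the domain part
            domain = p.group("value").rsplit("@", 1)[-1].strip('"').lower()
            domains.add(domain)
    return domains


def classify(auth_results: str, content_score: float) -> str:
    """Return "accept" or "quarantine".

    Authenticated known-good senders are judged leniently; everything else,
    including authenticated but unknown domains, is filtered aggressively.
    Recognizing the good actors is what makes the strict threshold affordable
    without a flood of false positives.
    """
    domains = authenticated_domains(auth_results)
    threshold = LENIENT_THRESHOLD if domains & KNOWN_GOOD else STRICT_THRESHOLD
    return "accept" if content_score < threshold else "quarantine"


# Constructed sample headers (not taken from any real message).
SAMPLE_GOOD = (
    "mx.example.net; dkim=pass header.d=example.com; "
    "spf=pass smtp.mailfrom=bounce@example.com"
)
SAMPLE_UNAUTH = "mx.example.net; dkim=fail header.d=example.com; spf=none"
SAMPLE_AUTH_UNKNOWN = "mx.example.net; dkim=pass header.d=newsender.example"


if __name__ == "__main__":
    for label, hdr in [("good", SAMPLE_GOOD), ("unauth", SAMPLE_UNAUTH), ("unknown", SAMPLE_AUTH_UNKNOWN)]:
        print(label, sorted(authenticated_domains(hdr)), classify(hdr, 5.0))
```

Note that being authenticated is necessary but not sufficient: `SAMPLE_AUTH_UNKNOWN` passes DKIM yet still gets the strict threshold, which is the answer to "the bad guys can change their domain". A fresh domain is authenticated, but it is not known good.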


_______________________________________________
ietf-smtp mailing list
ietf-smtp(_at_)ietf(_dot_)org
https://www.ietf.org/mailman/listinfo/ietf-smtp