ietf

Re: Google threatens to break Gmail

2015-10-24 08:34:10
On Fri, Oct 23, 2015 at 08:36:31PM +0200, Martin Rex wrote:
> I do not see any increased potential for phishing
> Rather the opposite -- DMARC could be abused to give users a false
> sense of security and fall to the flawed assumption that it would
> authenticate the EMail author (which it doesn't).

Precisely.  My spamtraps observe messages all day, every day that pass
whatever validation happens to be in play -- but are clearly forgeries.
And it's a VERY rare end user who is capable of making that same
determination.  Thus the warm fuzzies provided by mail clients that mark
messages as "validated" or "authenticated" or whatever term is used are
going to make these problems worse, not better.

Until the underlying security issues are fixed -- and I see absolutely
no signs that any of the 500-pound gorillas even *intend* to address
those at scale, let alone are actively engaged in doing so -- this (DMARC
and related) just wallpapers over the problem.

---rsk