On 3/16/19 6:56 AM, Douglas E. Foster wrote:
I tried to understand what IETF is doing about email security, and this working group seems to be the only surviving effort. Based on the index, the groups attention is focused on polishing the existing DMARC implementaton rather than plowing new territory. Given the devastating effect of WannaCry and the success of other email-based attacks, I think our work is far from finished.
I can understand why you think there is more work to be done about email security. However I don't know that this, DMARC, group is the best location to push for it.
I don't know what is left to do with DMARC, other than refining—or polishing as you said—needs to be done. I'm not saying that there isn't anything left to do, just that I'm ignorant of what that might be. Please share suggestions if you have any.
I also think it's somewhat unfair to imply that DMARC, and other email protection technologies, don't protect email to the desired level, *especially* when people don't /properly/ utilize said technology. I am willing to accept that said technologies may be too difficult for mass adoption.
I do believe that SPF, DKIM, and DMARC are capable of protecting email when they are used /properly/.
There a numerous other technologies that have been developed in the last 100 years that help protect against one form of problem or another. Yet these technologies, some simple to use, don't get utilized like they should. Some examples that come to mind are the seat belt in cars, HTTPS encryption on web servers, IPsec, even S/MIME encryption for email comes to mind. Sure, some of these technologies need some help initially configuring. But almost all of them are simple to use /after/ they have been configured. Yet, all of them are under utilized.
I think that this pattern says something about humans choosing to not use technology, even when a viable solution for the problem at hand exists.
DMARC / DKIM / SPF rely entirely on sender participation. Too few legitimate senders are implementing these measures in the manner that was envisioned, and too few , and too many spam filters fail to use these tools fully.
IMHO, the execution of a technology is independent of the viability of said technology. Unless it is an indication of a symptomatic problem with said technology.
DMARC represents a powerful concept which can be applied by the receiver, with adjustments, in ways that liberates the receiver from dependency on legitimate senders becoming fearless.
I am curious to learn what you are talking about.
I can articulate how that could be done, but I do not know how to start that discussion appropriately.
I don't know what the proper process is. But given how you are referencing DMARC, I'm guessing that you're not completely out of the ball park by bringing it up on this mailing list.
-- Grant. . . . unix || die
smime.p7s
Description: S/MIME Cryptographic Signature
_______________________________________________ dmarc mailing list [email protected] https://www.ietf.org/mailman/listinfo/dmarc
