[Ietf-dkim] Re: PROPOSAL: reopen this working group and work on DKIM2

Mon, 18 Nov 2024 08:52:42 -0800 

On Sun 17/Nov/2024 11:30:09 +0100 Laura Atkins wrote:

On 16 Nov 2024, at 10:39, Alessandro Vesely <ves...@tana.it> wrote:
On 15/11/2024 20:13, Dave Crocker wrote:


You might prefer more comfortable language but I was characterizing the very 
problematic tone that I perceive permeating work in this space, in recent 
years, and am trying to highlight how that tone establishes a 
counter-productive approach to dealing with these issues.


DMARC is the only current approach toward a deterministically "clean" email 
environment, AFAIK.  I wonder if those who dispraise it have an alternative in mind or 
would just prefer a free for all.


It is a free for all. Most invoices I get through commercial services do not 
use the domain of the company sending me an invoice. Instead they use 
@paypal.com or they use @quickbooks.com.




Uh... thus far I only got that kind of stuff for already paid invoices, sent 
for notification.  I wouldn't pay an unverified invoice.




DMARC does nothing to tell me that the company sending the mail is actually the 
company sending me the invoice.

As a business person I really hate it. My accountant recently moved all of my 
accounting to a managed Quickbooks account. Uploaded my logo, my business 
information, created invoices for my business. Quickbooks *NEVER* contacted me 
to see if this was legit. Never.

Now, it was, so it was fine. But it does suggest that anyone can create a 
Quickbooks account to impersonate my company. Because Quickbooks sends from 
their own domain, it’s all DMARC passing mail.



Right, but that is bad company policy, not DMARC fault.  The messages were 
legit.



Another example of this aberrant view is the insistence on misusing the word 
'spoofing'.


As the antonym of "legit"?


Right. So an invoice from my company coming from @paypal.com or @quickbooks.com 
is also spoofed, right?




What I'm seeing is spoofing the display-name, while the actual From: address 
remains real.  I wonder how much of such habit is due to DMARC.  Without 
authentication, spoofers could as well fake the real address, no?


Is that helpful to the mail system?


Best
Ale
--





_______________________________________________
Ietf-dkim mailing list -- ietf-dkim@ietf.org
To unsubscribe send an email to ietf-dkim-le...@ietf.org























					Reply via email to