On Thu 19/May/2022 14:42:13 +0200 Dave Crocker wrote:
On 5/19/2022 2:41 AM, Alessandro Vesely via mailop wrote:
On Wed 18/May/2022 03:01:49 +0200 Dave Crocker via mailop wrote:
Note that, in spite of DMARC, we still do not have per-user authentication.
The FTC report required *domain-level* authentication. They wrote:
...
They were assuming that the ISP would at least have true payment records,
that would provide useful investigative leads, in case name and address were
false.
Since a 'do not email /ME/' requires resolution down to the individual user and
this must happen as the mail is being formed or sent, the list or database
query must be down to the resolution of the individual. Domain level is not
sufficient.
They said that under the ECPA the Commission can issue a Civil Investigative
Demand to seek enough information about the individual.
For authentication only at the domain level to be sufficient, it requires that
the owner of the domain explicitly and reliably vet that all addresses in their
domain are valid and that all requests for listing, for an address in that
domain, be valid. Good luck with that.
Well, except open relays and criminal spammers, domain owners do require some
kind of identification before sending. Criminal spammers register their own
domains. The uselessness of domain-level authentication arises from the fact
that domain owners themselves, not their users, are not identifiable.
Best
Ale