On 2025-06-15 15:20, Atro Tossavainen via mailop wrote:
>> I have asked them to uniquely identify sending accounts with some
>> custom header / token
>
> You're asking for something that is already there.

Implicit. I want explicit. And I actually would like to propose an SMTP
extension, but it is still work in progress and this is my
part-part-part-time endeavour (last time I dealt seriously with
communication protocols was in the 1990s).

Goal: per-sender encryption-hardened identity; per-message
encryption-certified purpose header; automated/scalable feedback system
for ESPs to discipline their senders.

In a nutshell:

Recipient at EHLO stage tells sender whether this standard is mandatory,
optional, (or ignored).

Recipient also indicates what kind of purpose emails are accepted.
Everything else is not accepted. Not sure yet how to implement it at
individual mailbox level.

Sender adds three headers: (1) a token that together with a well-known
location and the sender's FQDN points to the sender's public key. (2) a
certified message purpose. (3) a reporting URL.

ESP can already stop the sender in its tracks if the purpose is not listed as
accepted by recipient.

On recipient's end, the user sees a line asking whether the content of
the message is the declared purpose. Yes or No. If a sender sends a
"survey" and calls it "transactional" the answer is No. If the sender
sends a newsletter and the recipient is subscribed to that newsletter,
no surprise, the answer is Yes. Or the end-user ignores it, which is fine
too; the UI shall be unobtrusive and not waste the end-user's time.

The click on the Yes/No reports triggers the reporting URL. ESP can
automatically collect and process a sufficient quantity of feedback to
police and discipline their senders if necessary.

Of course this will only succeed if enough mailbox operators get on board.

For me personally, I can afford to be hardline and set up my SMTP server
to reject everything except what I whitelist. That is not the case for
most users. Most users will end up putting expensive (compute-cycles)
anti-abuse resources to achieve about the same result. So the question
boils down to whether the "federated world" that is email wants to be
more efficient or not.

On 2025-06-16 04:37, Atro Tossavainen via mailop wrote:
> You are right, of course. So now somebody at Mailgun knows a few
> spamtraps to delete :-D

Security by obscurity has seldom been a winning proposition. A
sufficiently large block will convince even the most negligent of ESPs
to behave.

Yuv
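
The sender-side flow described in the message above, as an added sketch that is not code from the post or from any published SMTP extension. The proposal names no keywords or headers, so the EHLO keyword `SENDERPURPOSE`, its parameter layout, the three header names, the well-known path and the `min_reports` cutoff are all hypothetical placeholders, and the purpose signature is passed in as an opaque value rather than computed.

```python
# Added sketch; every protocol name below is a hypothetical placeholder.
EHLO_KEYWORD = "SENDERPURPOSE"             # hypothetical EHLO keyword
WELL_KNOWN = "/.well-known/sender-keys/"   # hypothetical key location

# Constructed EHLO reply from a recipient MX (sample data).
SAMPLE_EHLO = [
    "250-mx.example.net",
    "250-SIZE 35882577",
    "250-SENDERPURPOSE mandatory transactional,newsletter",
    "250 8BITMIME",
]

def parse_policy(ehlo_lines):
    """Return (mode, accepted purposes); no keyword means 'ignored'."""
    for line in ehlo_lines:
        parts = line[4:].split()           # drop the "250-" / "250 " prefix
        if parts and parts[0].upper() == EHLO_KEYWORD:
            mode = parts[1].lower() if len(parts) > 1 else "optional"
            accepted = set(parts[2].lower().split(",")) if len(parts) > 2 else set()
            return mode, accepted
    return "ignored", set()

def key_url(sender_fqdn, token):
    """Token + well-known location + sender FQDN locate the public key."""
    return f"https://{sender_fqdn}{WELL_KNOWN}{token}"

def gate(ehlo_lines, token, purpose, report_url, signature):
    """Decide before DATA whether to send, and with which three headers."""
    mode, accepted = parse_policy(ehlo_lines)
    if mode == "ignored":
        return True, {}                    # recipient does not take part
    if purpose.lower() not in accepted:
        return False, {}                   # ESP stops the sender here
    return True, {
        "Sender-Token": token,                                     # (1)
        "Message-Purpose": f"{purpose.lower()}; sig={signature}",  # (2)
        "Purpose-Report": report_url,                              # (3)
    }

def mismatch_rates(reports, min_reports=3):
    """Share of 'no' clicks per sender token, once enough reports exist."""
    counts = {}
    for token, answer in reports:
        tally = counts.setdefault(token, [0, 0])   # [yes, no]
        tally[0 if answer == "yes" else 1] += 1
    return {t: n / (y + n) for t, (y, n) in counts.items() if y + n >= min_reports}
```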