On Fri, Oct 23, 2020 at 3:26 PM Demi M. Obenour <demioben...@gmail.com> wrote:
> >> "p=quarantine" might be a better choice, but I do consider lack of
> >> DMARC to be a security hole. I certainly don't want someone to be
> >> able to forge mail that claims to be from me. There are all sorts of
> >> nasty social engineering attacks someone could do with that ability,
> >> many of which have real-world consequences.

Mailing lists are the most important reason why DMARC is not terribly meaningful as a trust indicator for email from gmail.com. Anyone can claim an account that looks uncannily similar to an existing account, and would fool most users unless they are particularly attentive to minute details.

I've heard reports that PayPal's transactional email benefits from DMARC and that phishing is less frequent as a result. Though I'm somewhat surprised this is effective, I'm willing to believe it is actually true (the phishers must just not care enough to make a convincing pitch from a different domain). But for the consumer email providers, attestation that the email was really from Gmail is not a very strong indicator that the message is legitimate.

--
Not the same Demi M. Obenour.