On Fri, Oct 23, 2020 at 3:26 PM Demi M. Obenour <demioben...@gmail.com> wrote:

> >> "p=quarantine" might be a better choice, but I do consider lack of
> >> DMARC to be a security hole.  I certainly don't want someone to be
> >> able to forge mail that claims to be from me.  There are all sorts of
> >> nasty social engineering attacks someone could do with that ability,
> >> many of which have real-world consequences.

Mailing lists are the most important reason why DMARC is not terribly
meaningful as a trust indicator for email from gmail.com. Anyone can
claim an account that looks uncannily similar to an existing account,
and would fool most users unless they are particularly attentive to
minute details.

I've heard reports that PayPal's transactional email benefits from
DMARC and that phishing is less frequent as a result. Though I'm
somewhat surprised this is effective, I'm willing to believe it is
actually true (the phishers must just not care enough to make a
convincing pitch from a different domain).

But for the consumer email providers, attestation that the email was
really from Gmail is not a very strong indicator that the message is
legitimate.

-- 
  Not the same Demi M. Obenour.
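As an added illustration of the point made in the post above (this is example code written for this page, not code from the thread or from any participant): a minimal DMARC evaluator following the RFC 7489 rules, run over three constructed messages. It parses a DMARC TXT record, checks SPF/DKIM identifier alignment against the RFC5322.From domain, and returns the requested disposition on failure. The two records, the addresses, and the authentication results are all constructed assumptions (the `p=none` record is not a claim about gmail.com's real record), and `org_domain` is a deliberately simplified stand-in for a Public Suffix List lookup.

```python
# Added example (not code from this thread): a minimal DMARC evaluator
# in the style of RFC 7489, used to show why a DMARC "pass" from a
# consumer mail provider is a weak legitimacy signal, and why mailing
# lists break it for legitimate mail.  Records and messages are constructed.

from dataclasses import dataclass


def parse_dmarc(txt: str) -> dict:
    """Parse a DMARC TXT record ('v=DMARC1; p=reject; adkim=s; ...') into a
    tag dictionary, applying RFC 7489 defaults for adkim/aspf and treating a
    missing p= tag as 'none' for this demonstration."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v", "").upper() != "DMARC1":
        raise ValueError("not a DMARC record")
    tags.setdefault("p", "none")    # monitor only
    tags.setdefault("adkim", "r")   # relaxed DKIM alignment by default
    tags.setdefault("aspf", "r")    # relaxed SPF alignment by default
    return tags


def org_domain(domain: str) -> str:
    """Simplified organizational domain: the last two labels.  A real
    implementation consults the Public Suffix List (assumption for brevity)."""
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def aligned(from_domain: str, auth_domain: str, mode: str) -> bool:
    """Identifier alignment: strict ('s') requires an exact domain match,
    relaxed ('r') only requires the same organizational domain."""
    if not auth_domain:
        return False
    if mode == "s":
        return from_domain.lower() == auth_domain.lower()
    return org_domain(from_domain) == org_domain(auth_domain)


@dataclass
class AuthResults:
    header_from: str    # RFC5322.From address shown to the user
    spf_pass: bool
    spf_domain: str     # RFC5321.MailFrom domain that SPF checked
    dkim_pass: bool
    dkim_domain: str    # d= of a verified DKIM signature, "" if none


def dmarc_evaluate(record: str, r: AuthResults) -> tuple:
    """Return (result, disposition): result is 'pass' or 'fail', disposition
    is the action the record requests on failure ('none' on pass)."""
    pol = parse_dmarc(record)
    from_domain = r.header_from.rsplit("@", 1)[1]
    spf_ok = r.spf_pass and aligned(from_domain, r.spf_domain, pol["aspf"])
    dkim_ok = r.dkim_pass and aligned(from_domain, r.dkim_domain, pol["adkim"])
    if spf_ok or dkim_ok:
        return ("pass", "none")
    return ("fail", pol["p"])


# Constructed records for the sender's domain (not gmail.com's real record).
RECORD_NONE = "v=DMARC1; p=none; rua=mailto:dmarc-reports@example.com"
RECORD_REJECT = "v=DMARC1; p=reject; adkim=s; aspf=s"

# 1. The real account, sent directly: DKIM-signed by the provider.
DIRECT_REAL = AuthResults("alice.smith@gmail.com", True, "gmail.com", True, "gmail.com")

# 2. A look-alike account at the same provider ('i' swapped for '1'):
#    authentication is identical, so DMARC cannot tell the two apart.
DIRECT_LOOKALIKE = AuthResults("alice.sm1th@gmail.com", True, "gmail.com", True, "gmail.com")

# 3. The real account relayed through a mailing list that tags the Subject:
#    the provider's DKIM signature no longer verifies, and SPF now
#    authenticates the list's bounce domain, which does not align.
VIA_LIST = AuthResults("alice.smith@gmail.com", True, "lists.example.org", False, "")


def summary() -> dict:
    """Evaluate the three constructed messages under both records."""
    return {
        "real_direct": dmarc_evaluate(RECORD_NONE, DIRECT_REAL),
        "lookalike_direct": dmarc_evaluate(RECORD_NONE, DIRECT_LOOKALIKE),
        "real_via_list_p_none": dmarc_evaluate(RECORD_NONE, VIA_LIST),
        "real_via_list_p_reject": dmarc_evaluate(RECORD_REJECT, VIA_LIST),
    }


if __name__ == "__main__":
    for name, (result, disposition) in summary().items():
        print(f"{name:24s} DMARC={result:4s} disposition={disposition}")
```

The first two cases pass identically, which is the post's point: DMARC authenticates the domain, not the person behind a local part. The third case fails under both records; with `p=none` the list mail is merely reported, with `p=reject` the legitimate message is rejected, which is why a strict policy on a domain whose users post to mailing lists causes collateral damage.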
