Re: [dmarc-ietf] third party authorization, not, was non-mailing list

Dotzero <> Fri, 14 August 2020 14:12 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 049C33A113D for <>; Fri, 14 Aug 2020 07:12:57 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -2.097
X-Spam-Status: No, score=-2.097 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: (amavisd-new); dkim=pass (2048-bit key)
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id ZwVW3kGro-Ba for <>; Fri, 14 Aug 2020 07:12:55 -0700 (PDT)
Received: from ( [IPv6:2a00:1450:4864:20::335]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by (Postfix) with ESMTPS id 0B7363A112F for <>; Fri, 14 Aug 2020 07:12:55 -0700 (PDT)
Received: by with SMTP id c80so7601792wme.0 for <>; Fri, 14 Aug 2020 07:12:54 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=6Np4fGOEIZPyvPbSGTuYQq6bHVx7rEnm9sxxCrg1ouc=; b=IkX8HozQ/EOJt6PnmU52EG/SKPPFkp1pVbCQJBLhsjBG3aF1KYxUH0rY90dYUbl61v dDVttQtxw93844ZxZC5wrNH7ydfFsiQWiViiFE93tX1QoUnYaNcQFcvhpAqY0kfluUdL wt7Hbbr9IY+Xxeo5IRbvHFo0i3dBRGfiT5Ej4wWFfFapIqVlqTtM+fBUJm0PPeEpcp13 ex7s1cguE0Zk/D48Wxkw5WuJZxPM00z29195fJXtNLJej/Ej0QlLTmMcSrGftfl07kQE wjP2c8M8J0JNmVwG4kDzByI1ZZh2y+Eyp/YPwsDRqmKTeoOud3kYOHkYvQmH1j7731yq 3IIQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=6Np4fGOEIZPyvPbSGTuYQq6bHVx7rEnm9sxxCrg1ouc=; b=I0ASDdFvdNaIQd0TVaACMBbn94MsDQtgZu5VUqiSe36zpS//nBFYNLmmn6qW4WtkdI tKHxLh5H3M7LL5gSln+rmsy/zlaZTw0hU76JjTEI5l62ehV6oeuHzRja1xb+bfz82qC8 6yVmZYOgEtNjpOtszm6+nirEkg2g1/elLWrx/FP+6syXUIcwfq8HHimltYMx8jE/fZCo 5mb+RzqJ0ilP4m0XuL/K6EG7R4UtbsR32V7Iyyk8W8VJOjxF3aA4IQF5zwGHzPkH6TVa jolo5q/3ei550juAQmQjoXkexXjxuJwB8WtjJAPvRL8mRfrx/K8aSthHGYvjtnzBbgWK IBQg==
X-Gm-Message-State: AOAM533av7r20WptQmFQ9aInmY7VwLBeeKy0KtyOBtRJdwllX0UzI5XV en6YZZNz94+IBoNFQCYeU1gaViJ+iFL9YeyKh9bsByox
X-Google-Smtp-Source: ABdhPJyFifTkKRywqALyVTXdZxjVN/CRxBvd4478n6cv1ubk/kbizcmFd1dklI6NO6+mAgbMcY8OqcnSulpIrHiEjDA=
X-Received: by 2002:a1c:3dc3:: with SMTP id k186mr2666023wma.122.1597414373466; Fri, 14 Aug 2020 07:12:53 -0700 (PDT)
MIME-Version: 1.0
References: <20200810172411.A13681E7CD8B@ary.local> <>
In-Reply-To: <>
From: Dotzero <>
Date: Fri, 14 Aug 2020 10:12:42 -0400
Message-ID: <>
To: Alessandro Vesely <>
Content-Type: multipart/alternative; boundary="0000000000004a25ea05acd70453"
Archived-At: <>
Subject: Re: [dmarc-ietf] third party authorization, not, was non-mailing list
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "Domain-based Message Authentication, Reporting, and Compliance \(DMARC\)" <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Fri, 14 Aug 2020 14:12:57 -0000

On Fri, Aug 14, 2020 at 5:21 AM Alessandro Vesely <> wrote:

> On 2020-08-10 7:24 p.m., John Levine wrote:
> > In article <> you
> write:
> >> Even an external reputation system requires recipient
> >> participation.   That is why I suggested both a
> >> send3="parameters" clause to indicate sender support for
> >> third-party authorization and a verify3="parameters" clause to
> >> indicate recipient support for third-party authentication. When
> >> both are visible to the non-domain message source, that source
> >> can have confidence that the message will be handled as
> >> authorized. >
> > We have had a lot of attempts at third-party authorization schemes
> > going back at least to vouch-by-reference in 2009 and ATPS in 2012,
> > and the Spamhaus Whitelist in 2010.  Every single one of them failed,
> > not due to technical problems, but because nobody was interested.
> We can either try and understand what was wrong in those schemes, or
> abandon authorization schemes forever.
> Some schemes, e.g. SPF's include mechanism, seem to enjoy a decent
> success.
> PGP, GPG, and even personal CA certificates never became really
> popular, so we could have concluded that digital signature aren't
> worth considering for anti-spoof protocols.  Yet, someone thought
> about DKIM...

There is a little bit of history behind the impetus for SPF and DKIM. In
2003 and 2004 the FTC (U.S. Federal Trade Commission) held workshops on
Email Authentication and SPAM. It also let it be known that if the private
sector didn't come up with solutions it was willing to move forward with
regulation. This helped drive activity for SPF, the merger of DK and IIM
to create DKIM and Microsoft's push for SenderID. Private sector folks did
not want to risk what government regulation might look like. At that time
there were also folks pushing for PGP, GPG, Personal Certificate and
S/MIME as  paths forward. Even with that, it took a while for industry
efforts to gain some sense of clarity. Notice that the general path forward
was basically domain based and not individual user/client based. There was
a debate within the DKIM effort regarding i= vs d= to the extent that at
one industry event people were walking around with little stickers on their
badges to indicate which they supported. I believe that was courtesy of
Dave Crocker.

Michael Hammer