Re: [dmarc-ietf] Call for Adoption: DMARC Use of the RFC5322.Sender Header Field

[Alessandro Vesely <vesely@tana.it>]

On Sun 16/Aug/2020 17:31:47 +0200 Dave Crocker wrote:
> On 8/16/2020 1:23 AM, Alessandro Vesely wrote:
>> On Sat 15/Aug/2020 20:12:18 +0200 Dave Crocker wrote:
>>> On 8/15/2020 3:32 AM, Alessandro Vesely wrote:
>>>
>>>> If X pretends to be Y,
>>>
>>>
>>> If I put my gmail address into the from field, there is no 
>>> pretending, no matter what platform I am using.
>>
>>
>> That conflicts with the coarse-grained authentication strategy, 
>> established at the FTC Email Authentication Summit in November
>> 2004, as Doug^W Michael recalled. >
> 1. I was making a semantic point, not a technical or technical policy 
> one.


They have to match at some point.


> 2. There was nothing 'established' at that event.  There were 
> interesting discussions, but that's all.


I wasn't there.  Can't it be considered the historic event that marked 
domain-level authentication as the promising strategy to counter email 
abuse?


> 3. I'm not finding the reference in any of Doug^X Michael's notes
> that your are relying on.  Please be specific about it.


https://mailarchive.ietf.org/arch/msg/dmarc/-pX7yWlSk39ShOjAzWMxhxlKh1E


>> Your gmail address needs to be authenticated by gmail. 
> 
> Good grief, no.  There is no system rule to that effect.  DMARC 
> created that, but no policy before it was in place, never mind accepted.


DMARC took that strategy to the extremes.  A number of users and 
operators seem to have accepted it.  Why cannot we accept it too?


>> Sending From: bbiw.net, SPF-authenticated as dcrocker.net, and 
>> whitelisted as yet another domain (songbird.com) can hardly be 
>> verified.  There is no "pretending", since it's you, but it is not 
>> formally distinguishable from spoof, is it?
> 
> Whether valid and invalid uses can be distinguished does not alter the 
> fact that valid uses are valid.


The problem is to find the technical means that allow receivers and 
recipients to verify such validity.


>>> This continuing practice of characterizing valid use as if it were 
>>> spoofing or pretending has been a major impediment to constructive 
>>> discussion in the industry.
>>
>> A system that is able to recognize all your domains and affiliations 
>> in order to authenticate messages does cost several orders of 
>> magnitude more than a simple "mechanical" verifier.  That way, 
>> requiring too much flexibility is a push toward oligopoly.
> 
> I have no idea what you are referring it.


Gmail has a visual perspective that allows them to know each and every 
email domain worldwide, and employs a number of people who help 
continuously upgrading domain reputation.  In order to enjoy such 
technology, medium-small domains can get a G Suite account.  That's 
oligopoly.  If the technology were simpler and clearer, running one's 
own mail server could be a valid alternative.


Best
Ale
--