Re: [dmarc-ietf] Response to a claim in draft-crocker-dmarc-author-00 security considerations

[Benny Lyne Amorsen <benny+usenet@amorsen.dk>]

Dotzero <dotzero@gmail.com> writes:

> One might point to the fact that DMARC was just such an effort before
> it was publicly published. While there was much criticism of this when
> it was submitted to the IETF - "You just want us to rubber stamp this"
> - there was no such intent. It had worked well within the group of
> senders and receivers implementing it through private peering that the
> effort was made so that any domain of any size, both senders and
> receivers, could implement it if so desired. I think the adoption rate
> in the wild speaks for itself (volume of mail covered by DMARC).

Volume of mail covered by DMARC seems to be rather unimpressive unless
you count p=none as covered.

> You have left out one significant way of convincing receiver domains
> and their admins. We used to have our CSRs (customer service) tell
> people who received spoof emails (resulting in phishing, malware
> compromise, etc.) from emails claiming to be from our domains that
> they should contact their mail provider or email admin because the
> problem could have been avoided if DMARC were being checked. We would
> even provide them with the details and a form with all the information
> in non-technical terms. It is amazing how quickly a provider pays
> attention when their customers/users are complaining to them that the
> provider could have prevented the heartache and grief but chose not
> to. Again, this was for domains sending transactional mail with only a
> limited number (intentionally) of role and support accounts.

You can obviously do all that, but that is not what Douglas E. Foster
advocated.

> While IETF is not a lawmaking body, it has an impact on the decisions
> of lawmaking bodies just as the decisions of lawmaking bodies can
> impact the implementation of standards.

Using the IETF as a way to get laws passed favouring ones business seems
at best underhanded.