Re: SPF/DKIM/DMARC et.al.: REALLY LONG [was: is it just me or...]

[John Levine via NANOG <nanog () lists nanog org>]

It appears that Michael Thomas via NANOG <nanog () lists nanog org> said:
> Email doesn't even have that. Thunderbird, which is what I use, has 
> precisely *nothing* to say about DKIM/SPF/DMARC. 

Well, yeah. As you surely know as well as anyone, if a message is
authenticated that tells you nothing about whether it's mail you want
or mail that's malicious. For that you need a reputation system that
knows something about the domain that's authenticated. That seems a lot
easier to do at delivery time and put the bad ones in the Junk folder,
or don't deliver them at all.

> Do you have any visibility into, say, MAAWG and why they don't take this 
> up as a standards effort? 

Honestly, they'd just laugh. It's not a new idea, and there is a great
deal of experience that says asking users to make security decisions in
the UI mostly adds confusion.

On the other hand, if you use Thunderbird, I don't think it'd be very
hard to write a plugin that looks at the Authentication-Results:
header and adds locks or skulls and crossbones to the message display.
Try it, tell us how you like it.

You can start with this one:

https://addons.thunderbird.net/en-US/thunderbird/addon/dkim-verifier/

R's,
John
_______________________________________________
NANOG mailing list 
https://lists.nanog.org/archives/list/nanog () lists nanog org/message/ZKODZNYV5ZDW322P6IU52G56SSYTCCWN/