nanog mailing list archives

Re: SPF/DKIM/DMARC et.al.: REALLY LONG [was: is it just me or...]


From: Barry Shein via NANOG <nanog () lists nanog org>
Date: Sat, 5 Jul 2025 18:44:05 -0400


At the 2003 MIT Spam Conference there were two keynotes, myself and
someone else who is highly esteemed in the e-mail world.

They spoke about these various emerging (in 2003) authentication
methods and I asked a question, like any participant, which echoed
what's being said below: Aren't the bad guys just going to learn how
to make their email authenticated? So all I know, with great
certainty, is this email is from Phishing R Us, Inc?

The answer was, well of course, but this will all work because we will
also develop reputation systems.

That was 2003, nearly a quarter century ago.

Unfortunately too many of the problems on the internet were solved on
paper (i.e., RFCs and their ilk) 20, 30, 40...years ago.

But nothing came of them because writing down a clever engineering
hack is a lot easier than herding a billion cats. But the
organizational structures lean heavily in favor of the "let's write up
another clever engineering hack!" crowd.

Put another way: Why is there no economics behind solving any of this?

In other areas, e.g., creditworthiness, vast infrastructures have
been built and maintained and seem to work well enough to keep the
lenders afloat (actually, to keep them among the wealthiest in all of
world history.)

But this stuff remains mostly a volunteer effort except where someone
can maybe spin up a consultancy or customized service, but it's always
tiny in the scheme of things.

Follow the money? Apparently there is no money to follow!

On July 5, 2025 at 16:11 nanog () lists nanog org (John Levine via NANOG) wrote:
> It appears that Michael Thomas via NANOG <nanog () lists nanog org> said:
> > Email doesn't even have that. Thunderbird, which is what I use, has
> > precisely *nothing* to say about DKIM/SPF/DMARC.
>
> Well, yeah. As you surely know as well as anyone, if a message is
> authenticated that tells you nothing about whether it's mail you want
> or mail that's malicious. For that you need a reputation system that
> knows something about the domain that's authenticated. That seems a lot
> easier to do at delivery time and put the bad ones in the Junk folder,
> or don't deliver them at all.
>
> > Do you have any visibility into, say, MAAWG and why they don't take this
> > up as a standards effort?
>
> Honestly, they'd just laugh. It's not a new idea, and there is a great
> deal of experience that says asking users to make security decisions in
> the UI mostly adds confusion.
>
> On the other hand, if you use Thunderbird, I don't think it'd be very
> hard to write a plugin that looks at the Authentication-Results:
> header and adds locks or skulls and crossbones to the message display.
> Try it, tell us how you like it.
>
> You can start with this one:
>
> https://addons.thunderbird.net/en-US/thunderbird/addon/dkim-verifier/
>
> R's,
> John
> _______________________________________________
> NANOG mailing list
> https://lists.nanog.org/archives/list/nanog () lists nanog org/message/ZKODZNYV5ZDW322P6IU52G56SSYTCCWN/

-- 
        -Barry Shein

Software Tool & Die    | bzs () TheWorld com             | http://www.TheWorld.com
Purveyors to the Trade | Voice: +1 617-STD-WRLD       | 800-THE-WRLD
The World: Since 1989  | A Public Information Utility | *oo*
_______________________________________________
NANOG mailing list 
https://lists.nanog.org/archives/list/nanog () lists nanog org/message/3HSEMFZR6A5STR4QIIGH5IW6SNHQWVN3/
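Editor's added example, not part of the thread and not code from any Thunderbird add-on: the "plugin that looks at the Authentication-Results: header" John describes, reduced to its two security-relevant steps. First, trust only the header written by your own border MTA (RFC 8601 authserv-id), because anything else in the message was put there by the sender. Second, check that the domain DKIM or SPF actually vouched for lines up with the From: domain the user sees. The authserv-id mx.example.net, every domain, and all four messages are constructed for illustration; the alignment check is a toy (exact or subdomain match, not the public-suffix-based organizational domain real DMARC uses). The fourth message is exactly Barry's "Phishing R Us, Inc" case: it passes every check and earns the lock until a reputation input says otherwise.

```python
"""Added example: read Authentication-Results (RFC 8601) the way a mail-client
plugin would, and show what that can and cannot tell you.  The authserv-id,
domains and messages below are constructed for illustration."""
import email
import re
from email.utils import parseaddr

# Hypothetical authserv-id of our own border MTA.  A client must ignore any
# Authentication-Results header that claims a different identity, because a
# sender can put whatever header it likes into the message.
TRUSTED_AUTHSERV_ID = "mx.example.net"

_COMMENT = re.compile(r"\([^()]*\)")                  # CFWS comments, e.g. (2048-bit key)
_METHOD = re.compile(r"^([a-z0-9-]+)=([a-z0-9]+)")    # e.g. dkim=pass
_PROP = re.compile(r"([a-z]+)\.([a-z_]+)=([^\s;]+)")  # e.g. header.d=bank.example


def parse_authentication_results(value):
    """Return (authserv_id, [{method, result, props}]) for one header value."""
    value = _COMMENT.sub("", " ".join(value.split()))  # unfold, drop comments
    parts = [p.strip() for p in value.split(";") if p.strip()]
    if not parts:
        return "", []
    authserv_id = parts[0].split()[0].lower()  # drop optional version number
    results = []
    for res in parts[1:]:
        m = _METHOD.match(res)
        if not m:
            continue  # "none", or malformed: nothing here to trust
        props = {f"{pt}.{pr}": val.lower() for pt, pr, val in _PROP.findall(res)}
        results.append({"method": m.group(1), "result": m.group(2), "props": props})
    return authserv_id, results


def _aligned(auth_domain, from_domain):
    """Toy relaxed alignment: equal, or one a subdomain of the other.  Real
    DMARC compares organizational domains via the public suffix list."""
    return (auth_domain == from_domain or auth_domain.endswith("." + from_domain)
            or from_domain.endswith("." + auth_domain))


def assess(raw_message, trusted_authserv_id=TRUSTED_AUTHSERV_ID):
    """Did our own MTA authenticate the domain shown in From:?"""
    msg = email.message_from_string(raw_message)
    from_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    passed = {}
    for hdr in msg.get_all("Authentication-Results", []):
        authserv_id, results = parse_authentication_results(hdr)
        if authserv_id != trusted_authserv_id:
            continue  # forged or foreign header: carries no weight
        for r in results:
            if r["result"] == "pass":
                passed[r["method"]] = r["props"]
    dkim_domain = passed.get("dkim", {}).get("header.d", "")
    spf_domain = passed.get("spf", {}).get("smtp.mailfrom", "").rpartition("@")[2]
    aligned = any(d and _aligned(d, from_domain) for d in (dkim_domain, spf_domain))
    return {"from_domain": from_domain, "methods_passed": sorted(passed),
            "authenticated": aligned}


def badge(assessment, blocked_domains):
    """Lock or skull.  Reputation (a toy blocklist here) is a separate input;
    authentication alone can only ever earn the lock."""
    if assessment["from_domain"] in blocked_domains:
        return "skull"
    return "lock" if assessment["authenticated"] else "none"


# Constructed sample messages, headers only.
MESSAGES = {
    "legit": """From: alerts@bank.example
Authentication-Results: mx.example.net; dkim=pass (2048-bit key) header.d=bank.example
 header.s=s1; spf=pass smtp.mailfrom=bounce@bank.example; dmarc=pass header.from=bank.example
""",
    # Fully authenticated and still phishing: it is the phisher's own domain.
    "phish": """From: "Bank Security" <security@phishing-r-us.example>
Authentication-Results: mx.example.net; dkim=pass header.d=phishing-r-us.example;
 spf=pass smtp.mailfrom=security@phishing-r-us.example; dmarc=pass header.from=phishing-r-us.example
""",
    # Sender injected a fake pass; our MTA's own header says everything failed.
    "forged": """From: alerts@bank.example
Authentication-Results: attacker.example; dkim=pass header.d=bank.example
Authentication-Results: mx.example.net; dkim=fail (bad signature) header.d=bank.example;
 spf=fail smtp.mailfrom=bounce@bank.example; dmarc=fail header.from=bank.example
""",
    # Real passes, but for a bulk mailer's domain, not the one in From:.
    "unaligned": """From: alerts@bank.example
Authentication-Results: mx.example.net; dkim=pass header.d=bulkmailer.example;
 spf=pass smtp.mailfrom=bounce@bulkmailer.example; dmarc=fail header.from=bank.example
""",
}

if __name__ == "__main__":
    blocklist = {"phishing-r-us.example"}  # stands in for a reputation feed
    for name, raw in MESSAGES.items():
        a = assess(raw)
        print(f"{name:9} {badge(a, blocklist):5} passed={a['methods_passed']}")
```

Run stand-alone it prints one line per constructed message. The "phish" message gets the lock with an empty blocklist and the skull only once its domain is on one, which is the whole of John's point: the header can tell the plugin who sent the mail, never whether to trust them. A real client would also have to cope with the MTA failing to strip sender-supplied headers that claim its own authserv-id; this example assumes the MTA does that, as RFC 8601 requires.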
