Re: SPF/DKIM/DMARC et.al.: REALLY LONG [was: is it just me or...]

[Michael Thomas via NANOG <nanog () lists nanog org>]

On 7/5/25 3:44 PM, Barry Shein via NANOG wrote:
> At the 2003 MIT Spam Conference there were two keynotes, myself and
> someone else who is highly esteemed in the e-mail world.
>
> They spoke about these various emerging (in 2003) authentication
> methods and I asked a question like any participant which echoed
> what's being said below: Aren't the bad guys just going to learn how
> to make their email authenticated? So all I know, with great
> certainty, is this email is from Phishing R Us, Inc?
>
> The answer was, well of course, but this will all work because we will
> also develop reputation systems.
>
> That was 2003, nearly a quarter century ago.
>
> Unfortunately too many of the problems on the internet were solved on
> paper (i.e., RFCs and their ilk) 20, 30, 40...years ago.
>
> But nothing came of them because writing down a clever engineering
> hack is a lot easier than herding a billion cats but the
> organizational structures lean heavily in favor of the "let's write up
> another clever engineering hack!" crowd.

If you're talking about reputation systems, maybe you should talk to the 
folks clamoring to solve the DKIM so-called "replay" problem who claim 
that spam "replays" causes problems with their reputation from big 
mailbox providers.

Part of the problem with all of this is that everything that happens on 
the receiver side is opaque to the world at large and providers aren't 
saying what's going on under the hood with any specificity for... 
reasons. I can understand their reasons, but unless you've worked at one 
and by some miracle can talk about it, nobody on the outside knows what 
they are really doing.

Mike
_______________________________________________
NANOG mailing list 
https://lists.nanog.org/archives/list/nanog () lists nanog org/message/N5HCKXIJKEGYKH4JX3O6UFIBBOTOCQ3B/