Re: SPF/DKIM/DMARC et.al.: REALLY LONG [was: is it just me or...]

[Tim Howe via NANOG <nanog () lists nanog org>]

One of the biggest problems I face is that spamming is largely accepted
as perfectly normal for some groups.

Convince marketing people that they shouldn't be able to just email everyone
they can identify about anything they want and it just doesn't compute.

I get more spam directly from Salesforce's network than anywhere else because it's
a service their customers expect them to supply.

Have fun fighting that.

--TimH

On Sat, 5 Jul 2025 18:44:05 -0400
Barry Shein via NANOG <nanog () lists nanog org> wrote:

> At the 2003 MIT Spam Conference there were two keynotes, myself and
> someone else who is highly esteemed in the e-mail world.
>
> They spoke about these various emerging (in 2003) authentication
> methods and I asked a question like any participant which echoed
> what's being said below: Aren't the bad guys just going to learn how
> to make their email authenticated? So all I know, with great
> certainty, is this email is from Phishing R Us, Inc?
>
> The answer was, well of course, but this will all work because we will
> also develop reputation systems.
>
> That was 2003, nearly a quarter century ago.
>
> Unfortunately too many of the problems on the internet were solved on
> paper (i.e., RFCs and their ilk) 20, 30, 40...years ago.
>
> But nothing came of them because writing down a clever engineering
> hack is a lot easier than herding a billion cats but the
> organizational structures lean heavily in favor of the "let's write up
> another clever engineering hack!" crowd.
>
> Put another way: Why is there no economics behind solving any of this?
>
> In other areas like, e.g., creditworthiness vast infrastructures have
> been built and maintained and seem to work well enough to keep the
> lenders afloat (actually, to keep them among the wealthiest in all of
> world history.)
>
> But this stuff remains mostly a volunteer effort except where someone
> can maybe spin up a consultancy or customized service but it's always
> tiny in the scheme of things.
>
> Follow the money? Apparently there is no money to follow!
>
> On July 5, 2025 at 16:11 nanog () lists nanog org (John Levine via NANOG) wrote:
>  > It appears that Michael Thomas via NANOG <nanog () lists nanog org> said:  
>  > >Email doesn't even have that. Thunderbird, which is what I use, has 
>  > >precisely *nothing* to say about DKIM/SPF/DMARC.   
>  > 
>  > Well, yeah. As you surely know as well as anyone, if a message is
>  > authenticated that tells you nothing about whether it's mail you want
>  > or mail that's malicious. For that you need a reputation system that
>  > knows something about the domain that's authenticated. That seems a lot
>  > easier to do at delivery time and put the bad ones in the Junk folder,
>  > or don't deliver them at all.
>  >   
>  > >Do you have any visibility into, say, MAAWG and why they don't take this 
>  > >up as a standards effort?   
>  > 
>  > Honestly, they'd just laugh. It's not a new idea, and there is a great
>  > deal of experience that says asking users to make security decisions in
>  > the UI mostly adds confusion.
>  > 
>  > On the other hand, if you use Thunderbird, I don't think it'd be very
>  > hard to write a plugin that looks at the Authentication-Results:
>  > header and adds locks or skulls and crossbones to the message display.
>  > Try it, tell us how you like it.
>  > 
>  > You can start with this one:
>  > 
>  > https://addons.thunderbird.net/en-US/thunderbird/addon/dkim-verifier/
>  > 
>  > R's,
>  > John
>  > _______________________________________________
>  > NANOG mailing list 
>  > https://lists.nanog.org/archives/list/nanog () lists nanog org/message/ZKODZNYV5ZDW322P6IU52G56SSYTCCWN/  

_______________________________________________
NANOG mailing list 
https://lists.nanog.org/archives/list/nanog () lists nanog org/message/JZFJX3FAFGMQFDWNWTG3LWTIZIZIUUBB/