On May 6, 2014, at 10:03 AM, Hector Santos <hsantos@xxxxxxxx> wrote: > On 5/5/2014 8:37 PM, Fred Baker (fred) wrote: >> >> I guess we�re running it. I was hoping to avoid the �everything around broke� part. >> >> ... >> >> And what comes quickly to mind is the comment, earlier in this thread, that �we have been running it for nine years.� >> >> Running it, perhaps, but not learning from it. Kind of �Really Not The Point�. > > At the end of the day, this is all about the IETF desiring a "Freedom to DKIM Sign/Resign Mail" at any middleware, host, router. hop, forwarder, mailer, list service, etc, node along the transport part in the mail network without author domain restrictions. > > Either you believe in an author domain DKIM regulated mail system or not. The resigners do not believe no one uses "strict" policies anyway, and if Mom&Pop biz does, WHO CARES!! The IETF has certainly shown it doesn't. > > That pretty much sums it up. Hector, Perhaps a different perspective could be useful. Rigidly constraining From header fields or Return Paths disrupts legitimate communication since this does not identify actual email sources. Source assessment is a far more effective mitigation control over content filtering as demonstrated by evolving RTF, Flash, Java, and Office vulnerabilities. SMTP lacks a federation feature found in XMPP. Not having a means to federate control makes it difficult to exclude a malicious source. TPA approximates a federation scheme, whether from authentication invoked by a From header field policy request or any other domain authentication method used. TPA allows a sender (as an anchor) a means to authorize domains employed by their users within a single DNS transaction. This allows a means to establish an email-chain-of-trust making use of various authentication methods. DMARC attempts to improve reliability by combining either aligned DKIM signed content or SPF authorization. TPA attempts to overcome impediments these methods impose in describing the actual system federation. In developing regions, the percentage of compromised systems is high. A federated system should greatly assist in identifying where malicious content is being introduced and reduce the level of false detections, notifications, and blocking actions. Regards, Douglas Otis