On 25/10/2015 02:33, Rich Kulawiec wrote:
> On Fri, Oct 23, 2015 at 08:36:31PM +0200, Martin Rex wrote:
>> I do not see any increased potential for phishing
>> Rather the opposite -- DMARC could be abused to give users a false
>> sense of security and fall to the flawed assumption that it would
>> authenticate the EMail author (which it doesn't).

Just for fun, I looked at a small sample of spam: the most recent
24 messages that gmail itself tagged as junk. No false positives.

4 tagged as DMARC pass.
5 tagged as DMARC fail (gmail does not currently obey p=discard)
15 with no DMARC status.

Which suggests that DMARC status is pretty much orthogonal
to spam detection, on this small sample.

Brian

>
> Precisely. My spamtraps observe messages all day, every day that pass
> whatever validation happens to be in play -- but are clearly forgeries.
> And it's a VERY rare end user who is capable of making that same
> determination. Thus the warm fuzzies provided by mail clients that mark
> messages as "validated" or "authenticated" or whatever term is used are
> going to make these problems worse, not better.
>
> Until the underlying security issues are fixed -- and I see absolutely
> no signs that any of the 500-pound gorillas even *intend* to address
> those at scale, let alone are actively engaged in doing so -- this (DMARC
> and related) just wallpapers over the problem.
>
> ---rsk
>
> .
>
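
The tally described in the reply above can be reproduced from the Authentication-Results headers (RFC 8601) that a receiver stamps on delivery. This is an added example, not part of the original thread; the authserv-id `mx.receiver.example`, the function names and the sample messages are constructed assumptions.

```python
import re
from collections import Counter
from email import message_from_string

TRUSTED_AUTHSERV_ID = "mx.receiver.example"  # assumption: your own receiving MTA's id

DMARC_RE = re.compile(r"\bdmarc\s*=\s*([a-z]+)", re.IGNORECASE)
COMMENT_RE = re.compile(r"\([^()]*\)")  # strips non-nested RFC 5322 comments


def dmarc_result(raw_message, trusted_id=TRUSTED_AUTHSERV_ID):
    """Return the DMARC result recorded by our own receiver, or 'absent'."""
    msg = message_from_string(raw_message)
    for value in msg.get_all("Authentication-Results", []):
        # Unfold the header, then drop comments such as "(p=NONE)".
        value = COMMENT_RE.sub(" ", " ".join(str(value).split()))
        authserv_id, _, results = value.partition(";")
        # A sender can insert its own Authentication-Results header, so only
        # headers stamped with our receiver's authserv-id are counted.
        if authserv_id.split()[:1] != [trusted_id]:
            continue
        match = DMARC_RE.search(results)
        if match:
            return match.group(1).lower()
    return "absent"


def tally(junk_messages):
    """Count DMARC results across messages already classified as junk."""
    return Counter(dmarc_result(m) for m in junk_messages)


# Constructed sample: four messages a filter already tagged as junk.
SAMPLE_JUNK = [
    "Authentication-Results: mx.receiver.example;\n spf=pass smtp.mailfrom=bulk.example;\n"
    " dmarc=pass (p=NONE) header.from=bulk.example\nSubject: a\n\nbody\n",
    "Authentication-Results: mx.receiver.example; spf=fail smtp.mailfrom=x.example;"
    " dmarc=fail (p=REJECT) header.from=bank.example\nSubject: b\n\nbody\n",
    "Authentication-Results: mx.receiver.example; spf=none smtp.mailfrom=y.example\n"
    "Subject: c\n\nbody\n",
    # Header inserted by the sender: wrong authserv-id, so it is ignored.
    "Authentication-Results: mx.sender.example; dmarc=pass header.from=z.example\n"
    "Subject: d\n\nbody\n",
]

if __name__ == "__main__":
    for result, count in sorted(tally(SAMPLE_JUNK).items()):
        print(f"{result}: {count}")
```

Comparing the same tally over a sample of non-junk mail shows whether the DMARC result separates the two classes at all.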