On Sat, Dec 17, 2016 at 06:38:07PM -0800, Dave Crocker wrote:
> there is a broad-based belief in that community that aggressive
> requirements for author authentication will alleviate many abuse problems.

There was a roughly equivalent belief that requirements for domain authentication would do the same thing: "Spam as a technical problem is solved by SPF." That belief was wrong. So is this one.

Even if DMARC (and ARC, and whatever else comes along) work perfectly, without all the myriad problems we're currently discussing, the impact on abuse will be negligible.

For example, since we're talking about Yahoo and its latest massive security breach: I get spam -- all day, every day -- in my spamtraps from Yahoo, and yes it really is from them. It flows nonstop, as it has for many years, because they simply don't care to make it stop. So it doesn't matter if it's authenticated as really from them, and further authenticated as really from a particular user account: this is accurate but useless information because they won't do anything with it.

Dealing with abuse doesn't require any of these technologies. It requires organizational commitment to running a well-staffed, well-qualified abuse desk that responds to EVERY abuse report promptly, efficiently, and accurately, and which is empowered to take the actions necessary to make the abuse stop. Yahoo is miserably bad at this, and they're not the only one.

So let's not kid ourselves that these operations are sincerely trying to do something meaningful about abuse. They're not. They've told us by their actions, for well over a decade, that they simply don't care about the abuse they emit/support/facilitate.

---rsk