Scammers set up domains with instructions to ignore email security failures on their emails via a DMARC record and Google et al. deliver their obvious dangerous spam to you. I thought, "how stupid" to

jerry@my-place.social · 2 months ago

Scammers set up domains with instructions to ignore email security failures on their emails via a DMARC record and Google et al. deliver their obvious dangerous spam to you. I thought, "how stupid" to

J. Trent Adams@infosec.exchange · 2 months ago

@cR0w@infosec.exchange @tehfishman@ioc.exchange @jerry@my-place.social

Yup, we developed DMARC primarily to address domain abuse, and after a couple years of debate in the early days, had to call addressing general spam out of scope (because we wouldn’t have gotten anything done had we included that as a feature target of the spec).

As it was, it took us about 7 years to go from concept to issuance of RFC7489 (lots of history, if you’re interested - it’s quite the tale). Yeah… not easy… and that was only an Informational Draft (not a standard).

In fact, the IETF DMARC Working Group just the other day submitted an updated DMARC-bis version as an official Standards Track specification. Yay!! Sooo… that means it took since 2007 when we first started talking about it until 2025 to get it standardized. Sheesh… 18 years of work. Wild.

Now… if you’re hip to join our next venture (or just see how it unfolds - should be fun)… give DKIM2 a look. We started working on it about two years ago, and just recently re-opened the IETF DKIM Working Group to add new features, protections, and close gaps (e.g. defending against replay and more effective support of intermediaries).

Join the conversation!

https://datatracker.ietf.org/wg/dkim/about/

#dmarc #dkim #email #security #ietf #standards

cR0w :cascadia:@infosec.exchange · 2 months ago

@jtrentadams@infosec.exchange @tehfishman@ioc.exchange @jerry@my-place.social I thought we were cool until you invited me to join an IETF conversation. 😉