
On Sat, Jul 5, 2025 at 10:06 PM John Levine via NANOG <nanog@lists.nanog.org> wrote:
> I took a look at the paper and was underwhelmed. They were shocked to find that most of the Alexa top 1000 don't have DKIM or DMARC records, and well, duh, ...

I think Mike mostly referred us to the experiment in section 6 (Mike, correct me if I'm wrong), rather than the claim John mentioned (which I think is a citation of previous work and not a result of this one).

That said, the experiment was of the effectiveness of a warning for a failure of the (SPF/DKIM/...) validation, i.e., would users ignore it and access the email anyway. As Rich explained nicely, this is rarely the method used by attackers; they usually use their own domains, so they pass this validation. The vast majority of users fail to notice the email was sent from the wrong domain (see lots of discussion in earlier messages, mainly by Rich). So, I'm not sure it's a great example showing that UI can be used for effective defense.

Ah, and John also asked

> ... A-R tells you whether the DKIM, SPF, and DMARC validations passed. What else would you expect to show? And why do it in the UI rather than at delivery time?

Obviously the reason is that the providers don't want to risk blocking the email due to a false positive. They prefer to shift the responsibility to the user... (I wonder if John asked seriously or if it was sarcasm, as I know John is very well aware of the fact providers hate the risk of false positives...)

Best, Amir
--
Amir Herzberg
Comcast professor of Security Innovations, Computer Science and Engineering, University of Connecticut
Homepage: https://sites.google.com/site/amirherzberg/home
`Applied Introduction to Cryptography and Cybersecurity' textbook: https://sites.google.com/site/amirherzberg/crypto-cyber-book

> R's,
> John

_______________________________________________
NANOG mailing list
https://lists.nanog.org/archives/list/nanog@lists.nanog.org/message/CTWHM5RK...