Totally agree with you there. I run a mail server/monitoring server on OVH. With TLSA records, DKIM, and MTA-STS, I’ll still see junk filters on it if I accidentally email someone other than myself. Yes, my space has been SWIP’d, and I send so little email that its reputation would be neutral at best, which very much justifies the spam filters due to OVH’s reputation. Somehow I don’t think SHAKEN/STIR would be any different.

I wonder how far this would go on VoIP transit. I purchase from voicetel.com <http://voicetel.com/> for my house, which purchases from some other providers, which probably aggregates to others. It doesn’t seem like this is quite as easy as looking up a whois from ARIN.

Sincerely,
Eric Tykwinski
TrueNet, Inc.
P: 610-429-8300

On Mar 7, 2020, at 7:46 PM, John R. Levine <johnl@iecc.com> wrote:
Most DNS registers avoid verifying customer information as long as the payment clears (for a short time). DKIM (and DNSSEC) is built on top of trusting tokens from third-parties which disclaim all liability.
Right. The only promise that DKIM makes is that if you have a stream of mail signed by the same domain, you can praise or blame the same entity for it. It's a handle that recipient systems can use to build a reputation system, not a whitelist. DKIM has worked this way since 2006, the documentation is entirely clear that's what it does, and I'm kind of surprised you haven't gotten the memo.
Phone companies and advertisers have already demonstrated they can't be trusted to act as third-party introducers.
No kidding. I've talked to people at big telcos who are in the middle of STIR/SHAKEN and they tell me they plan to use it pretty much the same way that mail providers use DKIM. Some senders will have a good reputation and their calls will be delivered, some won't, and not so much. As with mail, it also provides a handle to push back on people sending unwanted junk.
Eventually we'll have STE/STU-equivalent end-to-end verification on our smartphones.
That's known not to work for e-mail spam, so I can't imagine why anyone would expect it to work for phone calls.
Regards, John Levine, johnl@taugh.com, Primary Perpetrator of "The Internet for Dummies", Please consider the environment before reading this e-mail. https://jl.ly