[ih] Consider the mess (was: Re: Email from Yahoo

Dave Crocker dhc at dcrocker.net
Sat Feb 10 11:55:23 PST 2024 

On 2/10/2024 11:16 AM, Jack Haverty wrote:
> Bottom line - it's a mess.


TLDR:  It is.  But...


Expanded comment:

I often cite the difference between a small town, where no one locks 
their doors, versus a place like New York City, where a door is built 
more like a steel vault.  Differences in environment require differences 
in behavior and tools.

This is not the original Internet.  Now, 90-95% of the mail crossing the 
open Internet is from bad actors.  So increases in protection mechanism 
for email are obviously required. Unfortunately, automating that 
protection is both difficult and imperfect, in spite of being done by a 
substantial community of bright, knowledgeable, well-motivated folk.

Perfect protection against online abuse -- including email spam and 
phishing -- will be accomplished when we achieve perfect protection from 
crime IRL.

This guarantees that any current, viable email system is going to be 
complex and that operating it is going to be complex.

That is, email development and operation at scale is, in practical 
terms, now strictly the realm of expert teams.


A separate line of consideration is the set of tools and standards that 
are available to aid in that protection.  IMO they vary between a mess 
in their own right -- cough... SPF -- to inherently limited, like DKIM.

I don't seem to be able to comment on SPF without ranting, so I won't 
comment on SPF.

DKIM however uses known tech in ways easily understood by technicians 
with basic systems and crypto (use, not design) skills.  And it has 
shown slow but reasonable adoption and use at scale.  (It made some 
design choices that greatly aided this relative success, given how 
grenerally poorly it seems crypto-based tools are adopted, other than 
SSL/TLS.)


Unfortunately the serious impediment to doing better is the challenge of 
using true, end-to-end thinking AND considering all users as equal.  So 
we tend to have point solutions rather than systems solution, and we 
tend not to explore full, end-to-end usage very seriously.

Worse is that collateral damage is often dismissed.  So, for example, 
the adoption of DMARC for use beyond its original design intent is the 
reason mailing list transit has become problematic. Mailing lists have 
been in place for 45 years and in terms of email architecture, they work 
the same now as they did 45 years ago.

But the response from folk who support the enhanced use of DMARC, when 
it is noted that behavior valid for 45 years has become invalid, is 
entirely dismissive.  Those affected are not, after all, the customers 
of the advocates.  (Well, OK.  ARC was developed as a response, but it 
has issues and is not yet a serious player in the real world of email...)

d/

-- 
Dave Crocker
Brandenburg InternetWorking
bbiw.net
mast:@dcrocker at mastodon.social

More information about the Internet-history mailing list