Peter Shute writes:
> How does Yahoo's DMARC policy reduce the benefit of Paypal's? Because servers can't follow the reject recommendation without
No, it's because users get used to ignoring warnings about DMARC issues. If it was *only* your bank, you'd learn to pay attention to them. But when you (FVO "you" susceptible to phishing in the first place, of course!) see a pile of DMARC workarounds every day for 70% of your correspondents, how do you respond to this?
All of our mail to you have come back to us due to DMARC rejects, so we need to use this unusual address. Please confirm your blah-blah-blah by clicking <here> and logging in to our secure site.
2% of AOL customers will respond by clicking, at last report. :-(
Let's put it this way: When was the last time you saw an "unvalidated SSL certificate"? Is that timestamp equal to the last time you followed up by checking the root cert's fingerprint on the authority's secure site? Or is the latter equal to -1? ;-)
> And does the emergence of legitimate p=reject policies mean it's now less likely Yahoo and AOL will back down?
What makes you think the banks didn't start doing this ages ago? Apparently they merely haven't made an explicit announcement.