Thank you for the clarification.
I used to write Sendmail parsing rules so I am familiar with how complex and arcane that can be.
It looks like we have some basic architectural issues here.
While S/Mime over TLS uses the Internet, different layers of the OSI stack are further integrated including my IP for country equals US in regards to HIT in regards to policy OIDS. The problem clearly is not at a technical layer, but all the layers.
For PP to step up to the plate and be useful they have to understand the risk analysis of S/Mime versus regular Internet mail for these filters.
I got a Russian based phish confirmed by Virus Total through GMail the other day, where my general domain email has had to be entirely white listed. That’s really unusual because GMail filters are really good.
90 % of regular Internet mail is spam or phishing mail. But different rules apply to Direct as a AS 1 based standard. The fact that HISPs are vulnerable to data leakage under HIPAA and thus must be BAA means the approach is less secure but more DLP friendly.
The amount of Spam/Phish from LOA 3 verified Direct individual certificate holders like Dr. Beller I don’t think has ever been measured.
This is what David Kibbe means when he says that DirectTrust is equivalent to a Spam filter when blocking messages that are not in a curated trust bundle in a HISP. Or the same analogy with Aaron and Nate. While this trust bundle was proposed as part of a package with Digicert, in reality it’s a very basic approach that reinforces data silos. The state of the art is far more advanced.
Other countries without these silos have demonstrated lower healthcare costs and better outcomes since they have fluidity.
That functionality is also possible without a physical HISP per the Direct Applicability statement with higher security using the rules of the road.
For this, data blocking has to be made transparent per NIST Fair Information Practices which can be understood by mere mortals and not Sendmail wizards parsing a 554 response code. So this test domain is useful.
We have to always factor risks into HIPAA information flows, especially from anything related to PHI.
A Sendmail rule set without adequate and useful support can be ok for the general Internet, (managed from the recipient side via whitelist) but to use the general reachability functionality of the IPv4/v6 address space applied to HIT, and incentivized under MU2 previously, there also needs to be effective use of the x.500 and x.509 policy OIDs so that specific information blocking rules are not misapplied. This is an identifiable risk that affects the clinical use case of Transitions of Care.
ProofPoint was a fail on my end responding to a formal support ticket. Or via RFC requirements for Internet mail relay hosts to deliver a human response to mail to postmaster@domain which was a feature of RFC 822. The fact that the mail server responded with 554 for your test domain was a proof that blocking was taking place by rule. So thanks for getting them to fix that.
They could be useful in enabling Direct Indvidual Addresss as long as they understand the risk analysis, which is blocking of Direct Messages covered under Section 4004 of the 21st Century Cures act.
This Healthcare Information Blocking law was instituted after information blocking in Direct was discovered and documented through among several other things, a misapplication of Intellectual Property law regarding Databases and data sent to patients put some EHR customers at risk of violating contracts by using Direct to send healthcare data to patients. This was somewhat resolved, via API and now FHIR can send data directly to a Smartphone via Apple Health Kit API. All without a Portal.