This is a spin-off from the thread I started yesterday about p=none vs
"p=reject; pct=0".

I thought the goal of DMARC was that eventually the maintainer of every
domain on the internet that shows up in the From: line of email messages
will be able to reliably tell the rest of the internet which of those
emails are legitimate and which are forged, and the rest of the internet
will therefore be able to divert the forged messages so users don't see
them. In short, I thought the goal of DMARC was to eventually make it
pointless for spammers to forge emails from real domains because users
simply would not see them in a world where DMARC is deployed everywhere.

Some of the responses in the thread I started yesterday suggest to me
that this goal which I thought was the point of DMARC is not, in fact,
what anyone expects DMARC to achieve.

For example, one poster claimed that no "mailbox provider" should ever
be using "p=quarantine" or "p=reject" in their DMARC policy. This
confuses me. If the mailbox providers, i.e., the domains which host the
majority of users and presumably generate the majority of emails, are
not expected to be able to definitively assert which emails claiming to
be from them are legitimate, even in a world where DMARC is properly
implemented everywhere, then what's the point? Again, what's the goal?

Several posters talked about how rewriting errors to preserve DMARC
compliance in forwarded messages "degrades the user experience" and
therefore it should only be done when absolutely necessary. However, if
the eventual goal is for everyone to be using DMARC and generating
emails that pass DMARC, then either rewriting headers or re-signing
messages with ARC is eventually going to be required for every email
message that transits a third-party server without a DKIM signature, or
which is modified in a way that breaks the DKIM signature, so since
we're trying to expand the adoption of DMARC, shouldn't we be swallowing
that bitter pill and doing the rewriting or adding ARC signatures so
that users get used to the "degraded" experience that they're going to
have to tolerate in the future in exchange for making email more secure
for everyone?

And let's talk about ARC signatures for a minute. As I pointed out in a
message yesterday -- and I don't think anyone has contradicted me,
unless I missed it -- an essential element of ARC as I understand it is
that every server that receives email has to maintain a list of all the
domains whose ARC signatures they trust. There are essentially an
infinite number of internet domains, and while it's true that most of
them don't forward emails, surely there are thousands if not tens of
thousands that do. I don't see how any system that relies on system
administrators making trust decisions on a case-by-case basis about thousands
of domains is workable or scalable. I also don't see what the path of
entry is for the extremely typical case of a small or medium-sized
company that wants their users to be able to configure their company
email accounts to forward their emails somewhere else. ARC is not going
to work for them because how are they going to convince behemoth sites
like Gmail, AOL, Yahoo, etc., to trust their ARC signatures?

What am I missing here? How is this all expected to work when we're in
the deployed-everywhere phase of DMARC and ARC rather than the
still-toying-with-people's-expectations phase?

Thanks,
Jonathan Kamens
_______________________________________________
dmarc-discuss mailing list
dmarc-discuss@dmarc.org
http://www.dmarc.org/mailman/listinfo/dmarc-discuss
NOTE: Participating in this list means you agree to the DMARC Note Well terms
(http://www.dmarc.org/note_well.html)