On Fri, Jun 5, 2020 at 12:40 AM Jim Fenton <fen...@bluepopcorn.net> wrote:
> On 6/2/20 10:35 AM, Dotzero wrote:
>
> > As part of the original DMARC team, the goal was to make clear whether the
> > email was authorized by the domain being used, hence the reliance on SPF
> > and DKIM. These are clearly under the domain owner/administrator's control
> > to the extent they choose to exercise that control. There was much
> > discussion in the community at the time to use the i= field to enable more
> > granular signing. It never gained traction. Because the intent was to
> > protect end users from fake emails purporting to be from (primarily)
> > commercial domains such as financial institutions, greeting card companies,
> > etc., the Sender field was not a significant issue. Also, when the Sender
> > is in the same domain as the From, there is no DMARC issue.
>
> I'm all confused about why alignment matters. Back around the time DKIM
> was standardized, we were concerned about phishing attacks from look-alike
> domains, i.e., substitutions of 1 for l, that might be registered by
> attackers and sign their messages with valid DKIM signatures.
>
> But now a lot of people don't see anything but the Friendly Name; the
> email address isn't displayed at all. For that (apparently increasing)
> proportion of users, the From or Sender addresses aren't visible; the
> attacker might as well use any Friendly Name of their choosing with any
> domain they can sign for there. So they get DMARC alignment, but what has
> it accomplished?
>
> -Jim

The goal of DMARC was (and is) to mitigate direct domain abuse. Nothing more and nothing less. It helps receiving systems identify a (correctly) participating domain's mail. That is why a DMARC policy is often described as a sending domain's request and local policy is so important (and can override that request). For attackers that deploy DMARC it simply means that they are self-identifying their malicious messages as theirs. Much has incorrectly been attributed to SPF/DKIM/DMARC. For example:

"It stops spam" - It does not.
"It stops phishing" - It does not.

The modest goal is to stop direct domain abuse. It can do this remarkably well. On the other hand it creates an incentive for attackers to compromise participating domains. This has led to the long-standing discussion (more lately lapsed) between Dave Crocker and myself about reputation. My position is that long term, reputation systems are of limited value because of domain compromise or even sending policy change. To put it another way, "What have you done to me today?". Dave has in the past had greater faith in reputation.

For sending domains, SPF/DKIM/DMARC is only one set of tools in protecting their brand from abuse. It protects end users from abuse. In fact, in many cases the individuals most susceptible to falling prey to such abuse may not even be customers of that sending domain. No, that greeting card you received isn't legit (Nobody loves you). No, that retailer isn't giving you a $200 gift card. This is why other tools like takedowns are so important and why the removal of registrant information from domain registrations has enabled abusers.

Just a few thoughts.

Michael Hammer
_______________________________________________
dmarc mailing list
dmarc@ietf.org
https://www.ietf.org/mailman/listinfo/dmarc
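As an added illustration of the alignment rule the thread turns on (example code written for this page, not from the list or from any DMARC implementation): only the RFC5322.From domain is compared against the SPF- and DKIM-authenticated domains, so a Sender header in another domain neither helps nor hurts, and a look-alike domain the sender controls aligns perfectly. The organizational-domain helper is a hypothetical stand-in for a Public Suffix List lookup, and the messages and domains are constructed samples.

```python
import email
from email.utils import parseaddr

# Hypothetical stand-in for an organizational-domain lookup; production code
# consults the Public Suffix List rather than this short tuple.
PUBLIC_SUFFIXES = ("com", "net", "org", "example")

def org_domain(domain):
    labels = domain.lower().rstrip(".").split(".")
    if len(labels) >= 2 and labels[-1] in PUBLIC_SUFFIXES:
        return ".".join(labels[-2:])
    return domain.lower()

def aligned(from_domain, auth_domain, mode="r"):
    """Strict ('s') needs an exact match; relaxed ('r') needs the same org domain."""
    f, a = from_domain.lower().rstrip("."), auth_domain.lower().rstrip(".")
    return f == a if mode == "s" else org_domain(f) == org_domain(a)

def dmarc_alignment(raw_message, spf_domain=None, dkim_domains=(), adkim="r", aspf="r"):
    """Return (passed, reason). spf_domain is the RFC5321.MailFrom domain that SPF
    authenticated; dkim_domains are the d= values of signatures that verified.
    The display name and any Sender header never enter the check."""
    msg = email.message_from_string(raw_message)
    _display_name, from_addr = parseaddr(msg.get("From", ""))
    from_domain = from_addr.rpartition("@")[2]
    if not from_domain:
        return False, "no RFC5322.From domain"
    for d in dkim_domains:
        if aligned(from_domain, d, adkim):
            return True, f"DKIM d={d} aligned with From {from_domain}"
    if spf_domain and aligned(from_domain, spf_domain, aspf):
        return True, f"SPF {spf_domain} aligned with From {from_domain}"
    return False, f"no authenticated identifier aligned with From {from_domain}"

# Constructed sample messages; SPF/DKIM results are passed in as already evaluated.
DIRECT_SPOOF = ("From: Big Bank <alerts@bigbank.example>\r\n"
                "Sender: ops@mailer.example\r\nSubject: Alert\r\n\r\nbody\r\n")
LOOKALIKE = "From: Big Bank <alerts@bigbank-secure.example>\r\nSubject: Alert\r\n\r\nbody\r\n"
SUBDOMAIN = "From: Big Bank <news@mail.bigbank.example>\r\nSubject: News\r\n\r\nbody\r\n"

if __name__ == "__main__":
    # Sender's domain authenticating does nothing for an unaligned From: fails.
    print(dmarc_alignment(DIRECT_SPOOF, spf_domain="mailer.example", dkim_domains=["mailer.example"]))
    # A look-alike domain signing for itself aligns, which is the limit Jim describes.
    print(dmarc_alignment(LOOKALIKE, dkim_domains=["bigbank-secure.example"]))
    # A subdomain passes relaxed alignment but not strict (adkim=s).
    print(dmarc_alignment(SUBDOMAIN, dkim_domains=["bigbank.example"], adkim="s"))
```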