On 6/23/2020 2:49 PM, Dave Crocker wrote:
> That would produce obvious possibilities:
>
>   From: someone@goodplace.example
>   Sender: someone@goodplace.example
>
> and
>
>   From: someone@goodplace.example
>   Sender: some...@mlm.example.com
>
> where there might be a DMARC record for mlm.example.com.
This still presents the unsolved 3rd Party Signature (3PS)
authorization concept again. The problem has always been, since Day 1,
"Does goodplace.example authorize mlm.example.com to be a resigner on
its behalf?"
The modification to DMARC would be "look for Sender:, and if it isn't
present, look for From:."
Doesn't solve the 3PS problem. Do you know how ATPS worked? It works
like this:
goodplace.example will create a DNS lookup record representing
mlm.example.com. The ATPS algorithm for the DNS record name is:
base32(sha1(SIGNER-DOMAIN))._atps.example.com
So for this example, a DMARC extension tag "atps=1" is added to the
goodplace.example DMARC record, telling verifiers to test for ATPS 3rd-party
signers. The zone node record will be (in MS DNS format):
6f4dvf2bygvf6zkq6kiktk53oajhfvhe._atps TXT ("v=atps01;
d=mlm.example.com;")
Now the 3rd party is authorized deterministically, and if we did this
with the Signer Domain, which I presume would be mlm.example.com, then
the same ATPS record will apply and the verifier does not have to deal
with the 5322.Sender header.
> Obviously, mlm.example.com might instead be badactor.example.com,
> but we already have to deal with cousin domains, and DMARC does
> nothing about them.
Well, there would not be any 1st-party authorization for the 3rd party
"badactor.example.com", so for restrictive DMARC records it would be a
highly detectable deviation from the expected norm, offering a negative
classification, i.e. rejection or quarantine.
> So if Sender: wouldn't be as useful as From:, why not?
Because we still do not have a protocol that can test the assertion that
the 3rd-party Sender is authorized by the 1st party. It is the same
problem.
--
Hector Santos,
https://secure.santronics.com
https://twitter.com/hectorsantos
_______________________________________________
dmarc mailing list
dmarc@ietf.org
https://www.ietf.org/mailman/listinfo/dmarc
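The ATPS lookup described in the message above, as an added example that is not from the message, from the list, or from any ATPS implementation: it builds the `<base32(hash(signer))>._atps.<author domain>` query name and then checks a constructed zone for a record whose d= tag names the signer, so that a record copied under the wrong label, or a hash collision, cannot authorize a different signer. The record layout and the "v=atps01" version token are copied from the message; RFC 6541 is the normative source, so check the exact version token and hash choice against it before relying on this. The function names, the `GOODPLACE_ZONE` dictionary and the `ATPS_VERSION` constant are my own assumptions, and whether the computed label matches the 32-character label quoted in the message is left for the reader to confirm by running it.

```python
import base64
import hashlib

# Version token copied from the record quoted in the message above. RFC 6541 is the
# normative source for the exact value, so treat this constant as an assumption.
ATPS_VERSION = "atps01"
BASE32_ALPHABET = set("abcdefghijklmnopqrstuvwxyz234567")


def atps_label(signer_domain: str, hash_name: str = "sha1") -> str:
    """Hash the lowercased signer domain and base32-encode it to form the DNS label.

    Lowercasing first means case differences in the DKIM d= tag cannot change the
    label the verifier looks up. The message uses sha1; sha256 also works here.
    """
    digest = hashlib.new(hash_name, signer_domain.lower().encode("ascii")).digest()
    # RFC 4648 base32; '=' padding is dropped because it is not valid in a DNS label.
    return base64.b32encode(digest).decode("ascii").rstrip("=").lower()


def atps_query_name(author_domain: str, signer_domain: str, hash_name: str = "sha1") -> str:
    """Owner name the verifier queries: <base32(hash(signer))>._atps.<author domain>."""
    return f"{atps_label(signer_domain, hash_name)}._atps.{author_domain.lower()}"


def parse_tags(txt: str) -> dict:
    """Parse a 'k=v; k=v;' TXT value into a dict (keys lowercased, values stripped)."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def atps_authorized(author_domain: str, signer_domain: str, zone: dict,
                    hash_name: str = "sha1") -> bool:
    """Return True if author_domain's zone carries an ATPS record naming signer_domain.

    `zone` is a constructed stand-in for DNS: owner name -> list of TXT values.
    """
    name = atps_query_name(author_domain, signer_domain, hash_name)
    for txt in zone.get(name, []):
        tags = parse_tags(txt)
        if tags.get("v", "").lower() != ATPS_VERSION:
            continue
        # The d= tag must name the signer we hashed. A record copied under another
        # label, or a colliding hash, must not authorize some other domain.
        if tags.get("d", "").lower() == signer_domain.lower():
            return True
    return False


# Constructed zone data for goodplace.example (assumption, not real DNS). The owner
# name is computed with the same function the verifier uses, mirroring the
# "atps=1" arrangement from the message: one record per authorized 3rd-party signer.
GOODPLACE_ZONE = {
    atps_query_name("goodplace.example", "mlm.example.com"): [
        "v=atps01; d=mlm.example.com;",
    ],
}


if __name__ == "__main__":
    print("query name:", atps_query_name("goodplace.example", "mlm.example.com"))
    print("mlm.example.com authorized:",
          atps_authorized("goodplace.example", "mlm.example.com", GOODPLACE_ZONE))
    print("badactor.example.com authorized:",
          atps_authorized("goodplace.example", "badactor.example.com", GOODPLACE_ZONE))
```

The badactor.example.com case is the point of the reply: no record exists under its label in the author domain's zone, so the lookup fails deterministically and a restrictive DMARC policy can treat the 3rd-party signature as unauthorized.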