On Tue, Jul 28, 2020 at 2:54 AM Autumn Tyr-Salvia <atyrsalvia=
40agari....@dmarc.ietf.org> wrote:

> Hello,
>
> I recently had a conversation with Dave Crocker about proposed changes for
> DMARC, and mentioned a use case to him that is not well served by the
> current situation that is not a mailing list. He said it might be useful to
> share this to this list, so I'm writing it out here.
>
> A customer of mine is a large financial services company. Like many in
> that field, they have acquired several other companies over the years, and
> now operate multiple different brands, which send email using different
> domains. While many companies like this maintain one primary domain for
> corporate email and others only for marketing purposes, this company
> maintains multiple distinct domains even for corporate workplace email.
>
> The challenge is that they have many administrative assistants who send
> out meeting calendar invitations on behalf of the executives they support,
> and the executive and the assistant do not always use the same email
> domain. The resulting messages are not aligned, so they fail DMARC.
>
> To put it another way:
>
>    - assist...@firstbrand.com is organizing a meeting for
>    execut...@secondbrand.com
>    - assist...@firstbrand.com sends out a calendar invite from their own
>    messaging client, using execut...@secondbrand.com in the From: field
>    - The resulting message uses execut...@secondbrand.com in the friendly
>    From: field, but firstbrand.com in the SMTP MAIL FROM domain, so the
>    headers are no longer aligned for SPF.
>    - Both firstbrand.com and secondbrand.com are set to DMARC p=reject.
>    - Messages like this are then rejected by receivers that validate
>    DMARC results.
>
> Whenever possible, they tell me they change the assistant's email domain
> to match the executives they support, but as people leave or change
> departments, they sometimes end up with assistants supporting executives
> across multiple different domains, so they can't ensure they always have
> the same domain.
>
> Maybe the ultimate answer for this customer and others in a similar
> situation is simply that this is a use case that can no longer be supported
> due to evolving security needs, and yet if that's the case, I thought it
> would be helpful to share a real world scenario that is currently impacted
> that isn't part of the previously existing discussion around mailing lists.
>

There are several solutions that come to mind fairly quickly considering
that this is a financial institution. Both involve a small amount of logic
and code.

The first is to DKIM sign with signatures for both domains. This involves a
relatively small amount of code and logic. Any of the MTAs I've worked with
could do this even if there are a large number of domains involved.

The second would be to always make the From and the MailFrom consistent
(keying off of the From email address) when passing through the outbound
MTAs.

Again, a little bit of logic and coding but if this is truly a significant
problem for them then it is worth the one time effort to implement either
or both of these solutions. I've done similar sorts of logic for outbound
mail on Ironport and Momentum (MessageSystems) MTAs. Any of the open source
MTAs can easily do the same. I don't view this as something a standard
needs to fix but rather something that this particular business needs to
address because they want to keep a certain business model and practices
but also want the benefits of a "p=reject" policy assertion.

Michael Hammer
_______________________________________________
dmarc mailing list
dmarc@ietf.org
https://www.ietf.org/mailman/listinfo/dmarc
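The two fixes proposed in the reply above, worked through as an added example that is not part of the original thread or of any MTA's code. It models only the identifiers DMARC evaluates (RFC5322.From, RFC5321.MailFrom, the sending IP, and the `d=` domains of verified DKIM signatures), evaluates relaxed and strict alignment per RFC 7489 section 3.1, and shows why the assistant's invite fails and how each fix changes the outcome. The addresses, the SPF authorization table, the `OutboundMessage` class and the helper names are all constructed for this illustration; the organizational-domain lookup is deliberately simplified and a real implementation would use the Public Suffix List.

```python
from dataclasses import dataclass, replace

# Constructed SPF data for the example: domain -> IPs its SPF record would
# authorize. RFC 5737 documentation addresses, not real records.
SPF_AUTHORIZED = {
    "firstbrand.com": {"192.0.2.10"},
    "secondbrand.com": {"192.0.2.10", "192.0.2.20"},
}


@dataclass(frozen=True)
class OutboundMessage:
    """The identifiers DMARC looks at, as seen by an outbound MTA or milter."""
    header_from: str        # RFC5322.From address shown to the recipient
    mail_from: str          # RFC5321.MailFrom (envelope sender) used for SPF
    sending_ip: str         # connecting IP the receiver evaluates SPF against
    dkim_d: tuple = ()      # d= domains of DKIM signatures that verify


def domain_of(addr: str) -> str:
    return addr.rsplit("@", 1)[1].lower().rstrip(".")


def org_domain(domain: str) -> str:
    # Simplified organizational domain: the last two labels. A real
    # implementation consults the Public Suffix List (e.g. for co.uk).
    return ".".join(domain.lower().split(".")[-2:])


def aligned(d1: str, d2: str, mode: str = "relaxed") -> bool:
    """RFC 7489 section 3.1: strict alignment needs an exact domain match,
    relaxed alignment only needs the same organizational domain."""
    if mode == "strict":
        return d1.lower() == d2.lower()
    return org_domain(d1) == org_domain(d2)


def spf_pass(msg: OutboundMessage) -> bool:
    # SPF is evaluated against the MAIL FROM domain, not the From: header.
    return msg.sending_ip in SPF_AUTHORIZED.get(domain_of(msg.mail_from), set())


def dmarc_evaluate(msg: OutboundMessage, spf_mode: str = "relaxed",
                   dkim_mode: str = "relaxed") -> dict:
    """DMARC passes if at least one authenticated identifier aligns with From:."""
    from_domain = domain_of(msg.header_from)
    spf_aligned = spf_pass(msg) and aligned(domain_of(msg.mail_from), from_domain, spf_mode)
    dkim_aligned = any(aligned(d, from_domain, dkim_mode) for d in msg.dkim_d)
    return {
        "spf_aligned_pass": spf_aligned,
        "dkim_aligned_pass": dkim_aligned,
        "dmarc_pass": spf_aligned or dkim_aligned,
    }


# Fix 1 from the reply: add a DKIM signature for the From: domain as well.
# Assumes the outbound MTA holds a signing key for that domain.
def add_signature_for_header_from(msg: OutboundMessage) -> OutboundMessage:
    return replace(msg, dkim_d=msg.dkim_d + (domain_of(msg.header_from),))


# Fix 2 from the reply: rewrite the MAIL FROM domain to match From:, keyed off
# the From: address, and only for domains this organization manages.
def align_mail_from(msg: OutboundMessage, managed_domains: set) -> OutboundMessage:
    from_domain = domain_of(msg.header_from)
    if from_domain not in managed_domains:
        return msg
    local_part = msg.mail_from.rsplit("@", 1)[0]
    return replace(msg, mail_from=f"{local_part}@{from_domain}")


# Constructed sample: the assistant's calendar invite described in the thread.
INVITE = OutboundMessage(
    header_from="executive@secondbrand.com",
    mail_from="assistant@firstbrand.com",
    sending_ip="192.0.2.10",
    dkim_d=("firstbrand.com",),
)
MANAGED = {"firstbrand.com", "secondbrand.com"}

if __name__ == "__main__":
    print("as sent:          ", dmarc_evaluate(INVITE))
    print("double-signed:    ", dmarc_evaluate(add_signature_for_header_from(INVITE)))
    print("aligned MAIL FROM:", dmarc_evaluate(align_mail_from(INVITE, MANAGED)))
```

The model also shows the caveat that separates the two fixes: rewriting MAIL FROM only produces an aligned SPF pass if the From: domain's SPF record already authorizes the shared outbound MTA, and it moves bounce handling to that domain, whereas the second DKIM signature works regardless of which IP the message leaves from. Double-signing, as the reply suggests, is therefore the more robust of the two when the brands do not share outbound infrastructure.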
