> On 28 Jul 2020, at 08:36, Alessandro Vesely <ves...@tana.it> wrote:
> 
> On Tue 28/Jul/2020 08:54:02 +0200 Autumn Tyr-Salvia wrote:
>> # The resulting message uses execut...@secondbrand.com in the friendly From: 
>> field, but firstbrand.com in the SMTP MAIL FROM domain, so the headers are 
>> no longer aligned for SPF.
>> #
> 
> Heck, can't they DKIM sign?

This really misses Autumn’s point. The issue she brings up may be unusual but 
it is a lot more common than folks think. Banks, in particular, are a host of 
underlying problems related to DNS and security. I worked with a bank a few 
years back. It took 6 weeks to identify what continent the nameserver 
controlling DNS for the subdomain we were trying to authenticate lived on. Then 
there were weeks of approvals and security sign offs in order to get a DNS 
change made so we could correct an SPF record. 3 or 4 months to get an update 
done. For the record, my clients were part of the Canadian organization and the 
name servers handling their DNS were located in Australia. 

Autumn has presented a very real world scenario that demonstrates the overall 
complexity of mail management operationally. Your solution “sign with DKIM” has 
significant barriers to adoption. For instance, assume that there is code 
installed on the mailserver that will grab the 5322.from address and sign with 
the appropriate DKIM key. How many domains are involved? How many different 
mailservers? How long will this solution take to deploy? Banks do not move 
quickly and, for the obvious reasons, any changes to security require multiple 
reviews and assurances that the implications are understood.

The underlying belief with DMARC is that mail is simple, that companies are 
monoliths with only a few brands/domains, that it is possible to know exactly 
where every message will come from. These assumptions are not and have never 
been true. Inevitably, however, when these types of issues are pointed out, 
they’re dismissed with “solutions” that aren’t actually achievable or 
maintainable. DMARC proponents have repeatedly failed to pay attention to folks 
pointing out the actual operational challenges and thus have never addressed 
the issues in any way. This is, fundamentally, why only 15% of Fortune 500 
companies have adopted p=reject and why adoption rates only increased by 5% 
last year. 

The indirect mail stream issue is real. But it is not the only barrier to 
getting to p=reject. The sooner folks start listening to the people who are 
presenting real issues where DMARC alignment can’t be achieved, the sooner 
they’ll be able to address them. The problem with low DMARC adoption is that it 
does not adequately address how companies are using mail in ways that break the 
DMARC model. Almost a decade on, and proponents are still suggesting that email 
usage should change to comply with their model of how email works. This has not 
happened. Maybe proponents need to think harder about why. 

laura

-- 
Having an Email Crisis?  We can help! 800 823-9674 

Laura Atkins
Word to the Wise
la...@wordtothewise.com
(650) 437-0741          

Email Delivery Blog: https://wordtothewise.com/blog     
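A worked check of the alignment failure Autumn describes (From: on one brand, MAIL FROM on another) and of the "sign with DKIM" alternative, as an added example that is not part of this thread. It assumes a simplified organizational-domain reduction (last two labels, no Public Suffix List), and the addresses and results are constructed.

```python
# Added example, not from the dmarc list thread: DMARC identifier alignment per
# RFC 7489 section 3.1, evaluated for the two-brand scenario discussed above.
from dataclasses import dataclass
from typing import Optional

def org_domain(domain: str) -> str:
    """Simplified organizational domain: last two labels (assumption: no Public Suffix List)."""
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])

def aligned(from_domain: str, auth_domain: str, mode: str = "r") -> bool:
    """Strict ('s') needs an exact match; relaxed ('r') needs the same organizational domain."""
    a, b = from_domain.lower(), auth_domain.lower()
    return a == b if mode == "s" else org_domain(a) == org_domain(b)

@dataclass
class AuthResult:
    spf_domain: Optional[str] = None    # RFC5321.MailFrom domain that SPF evaluated
    spf_pass: bool = False
    dkim_domain: Optional[str] = None   # d= tag of a DKIM signature that verified
    dkim_pass: bool = False

def dmarc_pass(rfc5322_from: str, r: AuthResult, aspf: str = "r", adkim: str = "r") -> dict:
    """DMARC passes if SPF or DKIM passed AND its domain aligns with the RFC5322.From domain."""
    from_domain = rfc5322_from.rsplit("@", 1)[1]
    spf_ok = r.spf_pass and r.spf_domain is not None and aligned(from_domain, r.spf_domain, aspf)
    dkim_ok = r.dkim_pass and r.dkim_domain is not None and aligned(from_domain, r.dkim_domain, adkim)
    return {"spf_aligned": spf_ok, "dkim_aligned": dkim_ok, "dmarc": spf_ok or dkim_ok}

# Constructed inputs mirroring the thread: From: is secondbrand.com, MAIL FROM is
# firstbrand.com. SPF passes for firstbrand.com but does not align, and there is no DKIM.
MISALIGNED = AuthResult(spf_domain="firstbrand.com", spf_pass=True)
# Same message, additionally DKIM-signed with a key published under the 5322.From domain.
WITH_DKIM = AuthResult(spf_domain="firstbrand.com", spf_pass=True,
                       dkim_domain="secondbrand.com", dkim_pass=True)

if __name__ == "__main__":
    print(dmarc_pass("someone@secondbrand.com", MISALIGNED))   # dmarc False
    print(dmarc_pass("someone@secondbrand.com", WITH_DKIM))    # dmarc True
```

Note that the DKIM route only helps if the signing domain is the brand in the From: header, which is exactly the per-domain key deployment problem raised above.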
_______________________________________________
dmarc mailing list
dmarc@ietf.org
https://www.ietf.org/mailman/listinfo/dmarc