On September 17, 2021 1:15:40 PM UTC, Benny Lyne Amorsen 
<benny+use...@amorsen.dk> wrote:
>Scott Kitterman <skl...@kitterman.com> writes:
>
>> How do you define "First Hop" without enabling spoofers to trivially
>> bypass DMARC checks by forging more than one hop of headers?
>
>It wouldn't matter. Sensible mailing lists would reject non-first-hop
>mails for domains with p=validate. Spoofers can still spoof directly,
>but they cannot use mailing lists to spread their spoofed mails.
>
>This is a marked upgrade from p=none which most domains are forced to
>use at the moment.
>
>Then as infrastructure improves, recipients will start to reject
>incoming non-first-hop mail with p=validate if it does not have a valid
>ARC header.

If the point is that intermediaries that expect to be the first hop should 
reject failures for p=None, they can already do that by rejecting on SPF fail.  
No need to add complexity to DMARC to get there.

If there's consensus that adding something like this to DMARC as an 
intermediate step for intermediaries only would be useful, then I think there 
are multiple issues.  One, which is resolvable, is that validate isn't the 
right name.  I think getting the naming and semantics right would be critical.  
I don't think this can get past backwards compatibility problems though.  The p 
tag is a mandatory part of the record and any new value will be seen as invalid 
by all existing DMARC implementations, so you'd have to bump the version.  I 
don't think we want to do that.

Also, doing anything based on an ARC header field from anything other than a 
trusted source is a recipe for failure.  I've already seen cases where spoofed 
email got accepted due to ARC from an untrusted source.  Don't forget the 
limitations of ARC.

Scott K

_______________________________________________
dmarc mailing list
dmarc@ietf.org
https://www.ietf.org/mailman/listinfo/dmarc
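
The backward-compatibility point in the message above, as an added example that is not part of the original message or of any DMARC implementation's code: a simplified receiver-side parser following RFC 7489 section 6.6.3, run over constructed records for example.org. The function names and the reduced rua syntax check are assumptions of this example, and sp validation is omitted.

```python
import re

VALID_POLICIES = {"none", "quarantine", "reject"}  # the only p= values RFC 7489 defines


def parse_tags(record):
    """Split a DMARC TXT record into a {tag: value} dict (tag names lowercased)."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            name, value = part.split("=", 1)
            tags[name.strip().lower()] = value.strip()
    return tags


def has_valid_rua(tags):
    """True if rua holds at least one mailto: URI (simplified syntax check)."""
    pattern = r"mailto:[^@\s,!]+@[^@\s,!]+(![0-9]+[kmgt]?)?"
    uris = tags.get("rua", "").split(",")
    return any(re.fullmatch(pattern, u.strip(), re.I) for u in uris)


def effective_policy(record):
    """Policy an RFC 7489 receiver applies; None means no DMARC processing."""
    # The version tag must come first and be exactly DMARC1,
    # otherwise the TXT record is not treated as a DMARC record at all.
    if record.split(";", 1)[0].replace(" ", "") != "v=DMARC1":
        return None
    tags = parse_tags(record)
    policy = tags.get("p", "").lower()
    if policy in VALID_POLICIES:
        return policy
    # Section 6.6.3: missing or invalid p -> act as p=none if a valid rua
    # is present, otherwise apply no DMARC processing to the message.
    return "none" if has_valid_rua(tags) else None


if __name__ == "__main__":
    # Constructed sample records; "validate" is the value proposed in the thread.
    samples = [
        "v=DMARC1; p=reject; rua=mailto:reports@example.org",
        "v=DMARC1; p=validate; rua=mailto:reports@example.org",
        "v=DMARC1; p=validate",
        "v=DMARC2; p=validate; rua=mailto:reports@example.org",
    ]
    for rec in samples:
        print(f"{rec!r:60} -> {effective_policy(rec)}")
```

A domain publishing the new value is therefore handled by existing receivers as p=none at best, or as having no DMARC record at all when rua is absent or the version is bumped.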
