On Sat, Jan 15, 2022 at 10:14 AM Douglas Foster < [email protected]> wrote:
> > DMARC Goal
> >
> > The goal of DMARC is to help evaluators make correct disposition decisions, so that safe and wanted messages are allowed while malicious and unwanted messages are blocked. It does this by identifying messages whose identities are verified and distinguishes them from messages that are not verified and therefore might be malicious impersonations.

I don't agree with the goal statement here, because it implies to me that all messages that pass DMARC validation are safe and wanted, while all messages that do not pass DMARC validation are malicious, and neither statement is true. Let me provide, in quotes from the Abstract and Introduction sections of the current rev of DMARCbis, an alternate viewpoint:

    DMARC permits the owner of an email author's domain name to enable verification of the domain's use, to indicate the Domain Owner's or Public Suffix Operator's message handling preference regarding failed verification, and to request reports about use of the domain name. Mail receiving organizations can use this information when evaluating handling choices for incoming mail.

    A DMARC pass indicates only that the RFC5322.From domain has been authenticated for that message. Authentication does not carry an explicit or implicit value assertion about that message or about the Domain Owner. Furthermore, a mail-receiving organization that performs DMARC verification can choose to honor the Domain Owner's requested message handling for authentication failures, but it is under no obligation to do so; it might choose different actions entirely.

    For a mail-receiving organization supporting DMARC, a message that passes verification is part of a message stream that is reliably associated with the RFC5322.From field Domain Owner. Therefore, reputation assessment of that stream by the mail-receiving organization is not encumbered by accounting for unauthorized use of that domain in the RFC5322.From field. A message that fails this verification is not necessarily associated with the Domain Owner's domain and its reputation.

Those three paragraphs can be boiled down to "DMARC is the way to ascertain if usage of the domain in the RFC5322.From header was authorized for that message by the domain owner." That's it; no more and no less.

Is authorized usage a sure indicator that mail was wanted? Nope. Spammers can publish DMARC policy records and get pass verdicts on their messages in the same way that criminals can carry driver's licenses that prove their identity.

Does authorized usage ensure delivery to the Inbox? Absolutely not. Lots of people in the industry will make claims that DMARC can increase deliverability, but it takes a whole lot more than just DMARC pass to get to the inbox. DMARC allows the domain owner to get proper credit from the mail receiver for doing all the other things right, or to get proper blame from the mail receiver for doing all the other things wrong. Some might even say DMARC gets you the deliverability that you deserve.

Is unauthorized usage a sure indicator that mail was unwanted? Again, nope. Lots of legit senders haven't yet fully deployed authentication across their entire infrastructure or might have a glitch somewhere in their mail streams, and either case can cause messages to fail DMARC validation checks. A great way for those domain owners to evaluate their deployment and find gaps that need to be addressed is for them to publish a DMARC policy record with p=none and a rua tag pointing to a mailbox that they actively monitor; the reports will uncover those streams that are missing authentication, and the domain owner can address those problems before eventually leveling up to p=quarantine or p=reject. I don't know that this was intended by those who first developed the DMARC spec, but for my money DMARC is the best tool out there for a domain owner to judge their readiness to deploy DMARC in a meaningful way.
Does unauthorized usage mean that a message will be rejected? Not necessarily, and not even if the domain owner publishes a policy with p=reject. My spam folder associated with my Gmail account contains messages claiming to be from domains that publish a policy of p=reject, and these messages failed DMARC validation, but Gmail did not reject them. Their network, their rules.

My point here is that DMARC is but one tool in a much larger toolbox. When fully deployed for a domain, it's intended to stop unauthorized usage of that domain in the RFC5322.From header. Authorized usages of the domain might be for good, or they might be for evil, and DMARC is just one data point that an evaluator has to make the final interpretation of the domain owner's intent.

-- 
Todd Herr | Technical Director, Standards and Ecosystem
e: [email protected]
m: 703.220.4153
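To make the distinction in the message above concrete (a DMARC "pass" says only that the RFC5322.From domain was authenticated, and the p= tag is a request the receiver may ignore), here is an added example, not from the thread or any DMARC implementation, of an evaluator computing the DMARC result from SPF and DKIM outcomes under the record's alignment tags. The record text, domains and results are constructed; the Organizational Domain is approximated as the last two labels, where a real evaluator would consult the Public Suffix List.

```python
"""DMARC verdict from SPF/DKIM results, following RFC 7489 alignment rules."""
from dataclasses import dataclass
from typing import Optional


def parse_dmarc_record(txt: str) -> dict:
    """Split 'v=DMARC1; p=reject; rua=mailto:...' into a tag dictionary."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":
        raise ValueError("not a DMARC record")
    return tags


def org_domain(domain: str) -> str:
    # Simplification (assumption): last two labels stand in for the PSL lookup.
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def aligned(from_domain: str, auth_domain: Optional[str], mode: str) -> bool:
    """Strict ('s') alignment needs an exact match; relaxed ('r') needs same org domain."""
    if not auth_domain:
        return False
    a, b = from_domain.lower(), auth_domain.lower()
    return a == b if mode == "s" else org_domain(a) == org_domain(b)


@dataclass
class AuthResults:
    spf_result: str                 # 'pass', 'fail', 'none', ...
    spf_domain: Optional[str]       # domain SPF authenticated (MAIL FROM)
    dkim_result: str
    dkim_domain: Optional[str]      # d= of a verified DKIM signature


def dmarc_evaluate(record_txt: str, from_domain: str, auth: AuthResults) -> dict:
    """Return the DMARC result and the domain owner's *requested* disposition.

    The receiver decides the actual disposition; 'requested' is advisory only.
    """
    tags = parse_dmarc_record(record_txt)
    spf_ok = auth.spf_result == "pass" and aligned(from_domain, auth.spf_domain, tags.get("aspf", "r"))
    dkim_ok = auth.dkim_result == "pass" and aligned(from_domain, auth.dkim_domain, tags.get("adkim", "r"))
    passed = spf_ok or dkim_ok
    return {"result": "pass" if passed else "fail",
            "requested": "none" if passed else tags.get("p", "none"),
            "rua": tags.get("rua")}
```

A pass here carries no statement about whether the mail is wanted, and a fail with p=reject still leaves the disposition to the receiver, which is exactly the Gmail spam-folder behaviour described above.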
_______________________________________________
dmarc mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dmarc
