On Tue, Nov 15, 2022 at 12:29 PM Douglas Foster < dougfoster.emailstanda...@gmail.com> wrote:
> Your solution is straightforward, but I am not sold.
>
> DMARC PASS means that the message is free of author impersonation. This
> can only be true if all authors are verifiable and verified.

This is absolutely not true. An attacker can use homoglyphs, cousin domains and other means of impersonating a sender. An attacker can impersonate a sender within the same domain and DMARC will happily give a pass because the right-hand side of the From address matches. Author != sending domain. DMARC only addresses direct domain impersonation.

> What do you dislike about PERMERROR? My SPF algorithm continues
> evaluating on PERMERROR and returns both the error and the fallback
> result. This is not standard but it is within my freedom of control.
>
> Similarly, an evaluator could apply a fallback DMARC solution after
> PERMERROR caused by a multi-From message, if they want. But it is not our
> role to ensure acceptance of an identifier that cannot be verified.
> Verification is established at the domain level. Multi-from
> authorization is established at the individual level. This is the mailing
> list problem redux. The mailing list is authorized by an individual
> subscriber, but individual authorizations cannot be proven.
>
> DF

Michael Hammer
_______________________________________________
dmarc mailing list
dmarc@ietf.org
https://www.ietf.org/mailman/listinfo/dmarc
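An added illustration of the point made in the reply above, written for this page rather than taken from the thread or from any DMARC implementation: a toy DMARC alignment evaluator, which shows that a "pass" is a statement about the RFC5322.From domain only (any local part passes once the domain authenticates, and an attacker-controlled cousin domain with its own SPF/DKIM passes too), followed by the kind of receiver-side lookalike check that DMARC itself never performs. The public-suffix set, the confusable tables, the helper names and the sample domains are all constructed for the example.

```python
# Added example, not code from the dmarc list thread or any DMARC implementation.
# The public-suffix set, confusable tables and sample domains are constructed.
import unicodedata
from email.utils import parseaddr

PUBLIC_SUFFIXES = {"com", "org", "net", "co.uk"}  # constructed toy stand-in for the PSL


def from_domain_of(from_header: str) -> str:
    """Return the RFC5322.From domain; the local part (the 'author') is discarded."""
    _, addr = parseaddr(from_header)
    return addr.rpartition("@")[2].lower()


def org_domain(domain: str) -> str:
    """Organizational domain per the toy suffix list (used for relaxed alignment)."""
    labels = domain.lower().rstrip(".").split(".")
    for n in (2, 1):  # longest matching public suffix wins
        if len(labels) > n and ".".join(labels[-n:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[-(n + 1):])
    return domain.lower()


def aligned(from_domain: str, auth_domain: str, mode: str) -> bool:
    """DMARC identifier alignment: 's' exact match, 'r' organizational-domain match."""
    if mode == "s":
        return from_domain.lower() == auth_domain.lower()
    return org_domain(from_domain) == org_domain(auth_domain)


def dmarc_result(from_domain, spf_domain, spf_pass, dkim_d, dkim_pass, aspf="r", adkim="r"):
    """'pass' if either an aligned SPF pass or an aligned DKIM pass exists, else 'fail'."""
    spf_ok = bool(spf_pass and spf_domain and aligned(from_domain, spf_domain, aspf))
    dkim_ok = bool(dkim_pass and dkim_d and aligned(from_domain, dkim_d, adkim))
    return "pass" if (spf_ok or dkim_ok) else "fail"


# --- receiver-side lookalike check, which is outside DMARC's scope ---
CONFUSABLE_CHARS = {"0": "o", "1": "l", "\u0131": "i", "\u0435": "e", "\u0430": "a"}  # constructed subset
CONFUSABLE_DIGRAPHS = {"rn": "m", "vv": "w"}


def to_unicode(domain: str) -> str:
    """Decode punycode (xn--) labels so homoglyphs are compared as characters."""
    try:
        return domain.encode("ascii").decode("idna")
    except UnicodeError:
        return domain  # already Unicode, or malformed: compare as given


def skeleton(domain: str) -> str:
    """Fold a domain to a crude 'what it looks like on screen' form."""
    s = unicodedata.normalize("NFKD", to_unicode(domain).lower())
    s = "".join(c for c in s if not unicodedata.combining(c))  # drop accents
    for pair, single in CONFUSABLE_DIGRAPHS.items():
        s = s.replace(pair, single)
    return "".join(CONFUSABLE_CHARS.get(c, c) for c in s)


def lookalike_of(from_domain, protected_domains):
    """Return the protected domain this From domain visually imitates, or None."""
    org = org_domain(to_unicode(from_domain))
    for p in protected_domains:
        if org != p.lower() and skeleton(org) == skeleton(p):
            return p
    return None


def receiver_verdict(from_header, spf_domain, spf_pass, dkim_d, dkim_pass, protected_domains):
    """Combine the DMARC result with the lookalike check into a receiver decision."""
    fd = from_domain_of(from_header)
    dmarc = dmarc_result(fd, spf_domain, spf_pass, dkim_d, dkim_pass)
    target = lookalike_of(fd, protected_domains)
    if dmarc == "pass" and target:
        return f"dmarc=pass but From domain {fd} resembles {target}: quarantine for review"
    return f"dmarc={dmarc}"


if __name__ == "__main__":
    protected = ["example.com"]
    # Same-domain case: any local part passes once the domain itself authenticates.
    print(receiver_verdict("CEO <ceo@example.com>", "example.com", True, None, False, protected))
    # Cousin domain with its own passing DKIM: DMARC says pass, the lookalike check does not.
    print(receiver_verdict("CEO <ceo@examp1e.com>", None, False, "examp1e.com", True, protected))
```

The two printed verdicts are the two halves of the argument: the first is a clean "dmarc=pass" for a message whose local part the receiver has no way to verify, and the second is a "dmarc=pass" that only becomes suspicious once a check outside DMARC compares the From domain against the domains the receiver actually cares about.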