On Tue, 11 Apr 2023, Neil Anuskiewicz wrote:
> If DMARC can protect domains from spoofing which I believe ends up costing over $14 billion per year. Forget about the $14 billion and think how this crime spree affects people’s view ....

But it obviously can't do that, and what it does do happens at considerable cost.

I don't know where that $14B number came from but I am reasonably sure someone pulled it out of his, er, hat. When people talk about "spoofing", they might mean exact domain impersonation or they might mean lookalikes, or as likely as not mail where the body impersonates someone and the From address is totally unrelated since, as Dave Crocker often reminds us, most users don't look at the return address and a lot of mail software doesn't even show it. DMARC only addresses one modest part of that.

If you are someone like Paypal or a big bank, and you have full control over all the routes of your mail, AND IT DOES NOT MATTER IF YOUR MAIL GETS LOST, p=reject makes sense. The farther from that you are, the less sense it makes and the higher the costs you impose on other people. People chronically forget the capitalized part when thinking about the tradeoffs.

There are lots and lots of examples of real costs that DMARC imposes on real people that have nothing to do with mailing lists.

I used to handle the mail for my local town government. Many of the users asked me to forward their town addresses to Gmail accounts. In 2020 I noticed in my logs that mail from the US Census Bureau was getting lost due to DMARC rejects when I forwarded it. The Census had implemented DMARC in the cheapest possible way, a bunch of SPF records and no DKIM. Losing that mail was a big deal -- this was in preparation for the 2020 census enumeration, and towns care deeply about that since a decade of revenue sharing depends on the census count.

Once I noticed the rejects, I knew that the least bad workaround was to have Google pull the mail, so I had to spend time setting up mailboxes for everyone, spend more time explaining to my users what the problem was, and spend their and my time walking them through and checking the setup on their end. This is all actual costs imposed on actual people, none of which would have been needed if the Census just deleted their DMARC record. Maybe they're a phish target, but the way they treated DMARC as a checklist item suggests not.

Or there's Yahoo and AOL, who used DMARC to force the costs of their own security failures on the rest of the Internet. (See many previous messages for details.)

When we say that mail systems that don't fit the DMARC threat profile shouldn't publish DMARC policies, we have good reasons to say so, and that's what our standards need to say if we're serious about interoperating.

R's,
John
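The forwarding failure John describes, as an added example that is not part of the thread: a toy DMARC evaluator that treats SPF as a per-domain set of authorized IPs and DKIM as an already-verified d= domain, and uses the last two labels as a stand-in for the organizational-domain lookup. The domains, IPs and records are constructed; it shows an SPF-only p=reject domain passing on direct delivery but being rejected after forwarding, while an aligned DKIM signature survives the hop.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed stand-in for SPF: the IPs each domain's SPF record authorizes.
SPF_IPS = {"census.example": {"192.0.2.10"},
           "town-forwarder.example": {"198.51.100.5"}}
# Constructed DMARC records: (p=, aspf=, adkim=) per organizational domain.
DMARC = {"census.example": ("reject", "r", "r")}


def org_domain(d: str) -> str:
    # Simplification: last two labels instead of a Public Suffix List lookup.
    return ".".join(d.lower().split(".")[-2:])


def aligned(a: str, b: str, mode: str) -> bool:
    # "s" = strict (exact match), "r" = relaxed (same organizational domain).
    return a.lower() == b.lower() if mode == "s" else org_domain(a) == org_domain(b)


@dataclass
class Msg:
    from_domain: str                 # RFC5322.From domain, the one DMARC protects
    mail_from: str                   # RFC5321.MailFrom domain, the one SPF checks
    client_ip: str                   # connecting IP as seen by the receiver
    dkim_d: Optional[str] = None     # d= of a signature that still verifies


def dmarc_result(m: Msg) -> str:
    """Return 'pass', 'none' (no policy), or the published policy on failure."""
    rec = DMARC.get(org_domain(m.from_domain))
    if rec is None:
        return "none"
    policy, aspf, adkim = rec
    # SPF pass is only useful to DMARC if the MailFrom domain aligns with From.
    spf_pass = m.client_ip in SPF_IPS.get(m.mail_from.lower(), set())
    spf_ok = spf_pass and aligned(m.mail_from, m.from_domain, aspf)
    # A DKIM signature that verifies and aligns survives forwarding untouched.
    dkim_ok = m.dkim_d is not None and aligned(m.dkim_d, m.from_domain, adkim)
    return "pass" if (spf_ok or dkim_ok) else policy


if __name__ == "__main__":
    direct = Msg("census.example", "census.example", "192.0.2.10")
    # Forwarder rewrote MailFrom (SRS): SPF passes, but is not aligned.
    fwd_srs = Msg("census.example", "town-forwarder.example", "198.51.100.5")
    # Forwarder kept MailFrom: its IP is not in census.example's SPF.
    fwd_raw = Msg("census.example", "census.example", "198.51.100.5")
    fwd_dkim = Msg("census.example", "town-forwarder.example", "198.51.100.5",
                   dkim_d="census.example")
    for name, m in [("direct", direct), ("fwd_srs", fwd_srs),
                    ("fwd_raw", fwd_raw), ("fwd_dkim", fwd_dkim)]:
        print(f"{name}: {dmarc_result(m)}")
```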

_______________________________________________
dmarc mailing list
dmarc@ietf.org
https://www.ietf.org/mailman/listinfo/dmarc