On Wed, Apr 12, 2023 at 9:41 AM John R Levine <jo...@taugh.com> wrote:

> On Tue, 11 Apr 2023, Neil Anuskiewicz wrote:
> > If DMARC can protect domains from spoofing which I believe ends up
> > costing over $14 billion per year. Forget about the $14 billion and
> > think how this crime spree affects people’s view ....
>
> But it obviously can't do that, and what it does do happens at
> considerable cost.
>

The claim that DMARC protects against spoofing has never been made by the
originators of DMARC. We have always been careful that it only addresses
direct domain abuse.


>
> I don't know where that $14B number came from but I am reasonably sure
> someone pulled it out of his, er, hat.  When people talk about
> "spoofing", they might mean exact domain impersonation or they might mean
> lookalikes, or as likely as not mail where the body impersonates someone
> and the From address is totally unrelated since, as Dave Crocker often
> reminds us, most users don't look at the return address and a lot of mail
> software doesn't even show it.  DMARC only addresses one modest part of
> that.
>
> If you are someone like Paypal or a big bank, and you have full control
> over all the routes of your mail, AND IT DOES NOT MATTER IF YOUR MAIL GETS
> LOST, p=reject makes sense.  The farther from that you are, the less sense
> it makes and the higher the costs you impose on other people. People
> chronically forget the capitalized part when thinking about the tradeoffs.
>

Nobody has full control over all the routes email will take. How does the
emitting domain know that a recipient hasn't set up forwarding from one
account to another or that a recipient address isn't an exploder or alias
representing multiple recipients at multiple domains?

It also isn't that "IT DOES NOT MATTER IF YOUR MAIL GETS LOST". It matters
but there is a calculus regarding the tradeoffs of a very small percentage
(in the case of my former a very small fraction of a percent) of email not
getting delivered vs the damage caused to recipients of malicious emails
involving direct domain abuse. In one example of direct domain abuse, the
malicious actors copied and pasted from real transactional emails and
inadvertently included tracking code. Over the course of 48 hours over
180,000 people clicked on the malicious link before the site hosting the
malicious content was shut down. And that was all from receiver domains
that were not validating DMARC. And again, the original intent of DMARC was
mitigating direct domain abuse involving transactional emails. We
recognized the tradeoffs involved but to say it didn't (and doesn't) matter
if such transactional email gets lost is a gross exaggeration.

Michael Hammer
_______________________________________________
dmarc mailing list
dmarc@ietf.org
https://www.ietf.org/mailman/listinfo/dmarc
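To make the two mechanisms argued over in this thread concrete (DMARC only judging the exact RFC5322.From domain, and forwarding or exploders breaking alignment under p=reject), here is an added illustration that is not part of the thread or of any DMARC implementation: a minimal evaluator following the RFC 7489 alignment and disposition rules, run over constructed scenarios. The domains (`bank.example`, `bank-secure.example`, `forwarder.example`), their DMARC records and the authentication results are all made up for the example; organizational-domain detection is simplified to the last two labels instead of a Public Suffix List lookup, and `sp=`, `pct=` and the HELO identity are left out.

```python
"""Toy DMARC evaluator (RFC 7489 alignment and disposition), added example.

Constructed scenarios show what DMARC does and does not cover:
  - an exact-domain spoof is rejected,
  - a lookalike domain is untouched (it is its own domain with its own policy),
  - a forwarded-but-unmodified message survives on DKIM alone,
  - a message re-emitted by a modifying exploder loses both identifiers and
    is rejected even though it is legitimate mail.
"""
from dataclasses import dataclass
from typing import Optional, Tuple

# Hypothetical published DMARC records for the example domains (constructed).
DMARC_RECORDS = {
    "bank.example": {"p": "reject", "adkim": "r", "aspf": "r"},
    # Attacker-registered lookalike: it publishes its own, permissive, record.
    "bank-secure.example": {"p": "none", "adkim": "r", "aspf": "r"},
}


@dataclass(frozen=True)
class Message:
    from_domain: str             # RFC5322.From domain (what the user sees)
    spf_result: str              # "pass" / "fail" / "none"
    spf_domain: Optional[str]    # RFC5321.MailFrom domain checked by SPF
    dkim_result: str             # "pass" / "fail" / "none"
    dkim_domain: Optional[str]   # d= tag of the validated DKIM signature


def org_domain(domain: str) -> str:
    """Organizational domain, simplified to the last two labels (no PSL)."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def aligned(from_domain: str, auth_domain: Optional[str], mode: str) -> bool:
    """RFC 7489 identifier alignment: strict ("s") or relaxed ("r")."""
    if auth_domain is None:
        return False
    if mode == "s":
        return from_domain.lower() == auth_domain.lower()
    return org_domain(from_domain) == org_domain(auth_domain)


def evaluate(msg: Message) -> Tuple[str, str]:
    """Return (dmarc_result, disposition) for a message.

    dmarc_result is "none" (no policy), "pass" or "fail"; disposition is
    "deliver", "quarantine" or "reject" as requested by the From domain.
    """
    rec = DMARC_RECORDS.get(msg.from_domain.lower()) or \
        DMARC_RECORDS.get(org_domain(msg.from_domain))
    if rec is None:
        return ("none", "deliver")
    spf_ok = msg.spf_result == "pass" and \
        aligned(msg.from_domain, msg.spf_domain, rec["aspf"])
    dkim_ok = msg.dkim_result == "pass" and \
        aligned(msg.from_domain, msg.dkim_domain, rec["adkim"])
    if spf_ok or dkim_ok:
        return ("pass", "deliver")
    disposition = {"reject": "reject", "quarantine": "quarantine"}.get(rec["p"], "deliver")
    return ("fail", disposition)


# Constructed scenarios (authentication results invented for illustration).
SCENARIOS = {
    # Attacker sends from its own IP with From: bank.example, no bank signature.
    "direct_spoof": Message("bank.example", "fail", "bank.example", "none", None),
    # Attacker registers a lookalike and authenticates it properly: DMARC passes.
    "lookalike": Message("bank-secure.example", "pass", "bank-secure.example",
                         "pass", "bank-secure.example"),
    # Recipient auto-forwards the intact bank message: SPF fails at the final hop,
    # but the bank's DKIM signature still verifies, so DMARC passes.
    "forwarded_intact": Message("bank.example", "fail", "forwarder.example",
                                "pass", "bank.example"),
    # An exploder rewrites the body (footer added), so the DKIM signature breaks
    # and SPF is the exploder's domain: legitimate mail is rejected.
    "exploder_modified": Message("bank.example", "fail", "forwarder.example",
                                 "fail", "bank.example"),
}


if __name__ == "__main__":
    for name, msg in SCENARIOS.items():
        result, disposition = evaluate(msg)
        print(f"{name:18s} From={msg.from_domain:22s} dmarc={result:4s} -> {disposition}")
```

The last two scenarios are the tradeoff the thread is about: with p=reject, the only thing keeping a forwarded message alive is an unbroken DKIM signature, and any intermediary that rewrites the message (exploder footers, subject tags) turns legitimate mail into a reject. The lookalike scenario shows why "spoofing" in the broad sense is out of scope: the evaluator never compares bank-secure.example to bank.example, it simply applies whatever policy the lookalike publishes for itself.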