On Tue, May 7, 2024 at 9:27 PM Scott Kitterman <skl...@kitterman.com> wrote:

> On Tuesday, May 7, 2024 9:09:02 PM EDT Mark Alley wrote:
> > On 5/7/2024 7:00 PM, Dotzero wrote:
> > > https://www.ic3.gov/Media/News/2024/240502.pdf
> > >
> > > This was released this past week by the FBI. Although we are in last
> > > call, I have to wonder if a) the attack itself, and/or b) the
> > > government recommendations regarding policy might impact DMARCbis in
> > > any manner. I've only just started thinking about the attack itself
> > > and potential implications.
> > >
> > > Michael Hammer
> >
> > While the subject is interesting, in my eyes, Business Email Compromise
> > (BEC), and a non-preferential DMARC policy disposition published by the
> > spoofed domain owner aren't an issue with the DMARC mechanism itself.
> > The receiving mail system did exactly what the domain owner requested
> > with p=none, no disposition was taken on email(s) failing DMARC.
> >
> > From an alternate point of view, one might consider how this policy
> > could be more broadly "exploitable" as a side effect now that the
> > internet email ecosystem is inundated with p=none DMARC records by
> > domain owners just doing the bare minimum to meet ESP sender
> > requirements, but that's still not a problem with DMARC itself.
> >
> > Addressing this issue - perusing Section 5.5.6, is there anything else
> > we could add that would be acceptable language in a Standards track
> > document to encourage urgency behind a transitory state of p=none use by
> > domain owners? Would that even make sense to do? (Legitimate question
> > for the WG)
>
> I don't think the claim that p=none is "transitory" is at all generally
> correct.  It will be in some cases and not others.
>
> Scott K
>

This reflects one concern that came to mind fairly quickly. When we
originally came up with DMARC it was intended for use by domains sending
transactional mail and which did not have individual users or very limited
individual users. There has been a certain amount of coercion by some large
mailbox providers to incentivize email authentication, including DMARC.
Publishing P=none is one way of meeting those requirements. These attacks
and the recommended response by the FBI put domains with individual users
in a difficult position.

One might say this is an operational issue and leave it at that. This
doesn't strike me as right but I'm not sure what the working group might
reasonably do/say in DMARCbis about an operational issue.

Michael Hammer
_______________________________________________
dmarc mailing list -- dmarc@ietf.org