> On May 7, 2024, at 6:09 PM, Mark Alley 
> <mark.alley=40tekmarc....@dmarc.ietf.org> wrote:
> 
> 
>> 
>> On 5/7/2024 7:00 PM, Dotzero wrote:
>> 
>> https://www.ic3.gov/Media/News/2024/240502.pdf
>> 
>> This was released this past week by the FBI. Although we are in last call, I 
>> have to wonder if a) the attack itself, and/or b) the government 
>> recommendations regarding policy might impact DMARCbis in any manner. I've 
>> only just started thinking about the attack itself and potential 
>> implications.
>> 
>> Michael Hammer
>> 
> While the subject is interesting, in my eyes, Business Email Compromise 
> (BEC), and a non-preferential DMARC policy disposition published by the 
> spoofed domain owner aren't an issue with the DMARC mechanism itself. The 
> receiving mail system did exactly what the domain owner requested with 
> p=none, no disposition was taken on email(s) failing DMARC.
> 
> From an alternate point of view, one might consider how this policy could be 
> more broadly "exploitable" as a side effect now that the internet email 
> ecosystem is inundated with p=none DMARC records by domain owners just doing 
> the bare minimum to meet ESP sender requirements, but that's still not a 
> problem with DMARC itself.
> 
> Addressing this issue - perusing Section 5.5.6, is there anything else we 
> could add that would be acceptable language in a Standards track document to 
> encourage urgency behind a transitory state of p=none use by domain owners? 
> Would that even make sense to do? (Legitimate question for the WG)
> 
> 
> 
> - Mark Alley
> 
Yes, my side effect of the rush to p=none or bust to check some boxes comes from 
an incentive just as incentives brought us DMARC snake oil. I’ve noticed that 
friends of mine much smarter than me don’t know anything about email 
authentication. Even people who work in email often seem to avoid it. So the 
incentive to jump through hoops was kind of unfortunate but I suspect that the 
half-baked incentives toward p=none as a copy and paste are part of a longer 
term plan. The next set of incentives seem likely to encourage enforcement at a 
pace that doesn’t turn the apple cart over on small businesses and the like.

There kind of needs to be a lot of clear communication which is relatively easy 
as it doesn’t take long to grok the basics if you’re interested at all. 