Hello everyone, I was encouraged to bring the following scenario to this list for discussion.

I recently set up a DMARC reject policy for some domains and then did some testing. I was surprised to find that by simply omitting the "From:" header in a spoofed email sent to a gmail address, the email was accepted! The email was quarantined, not delivered to the inbox, but I would have thought it would be rejected because I do have a DMARC reject policy. I am aware that DMARC was not designed to deal with the vagaries of UI design in MUAs (as stated in the RFC), however, in the case above, gmail does give spammers a leg up by displaying the envelope sender as the "From:" address. Thus if a spammer spoofed my domain and didn't include the "From:" header, they could get a message to show up in the junk folder and someone could see that message and retrieve it thinking it came from my domain - even though I have specified a DMARC reject policy and have DKIM and SPF policies.

Ok, so here's what I don't understand about DMARC. DMARC appears to require both DKIM and SPF checks to return some kind of result or else the DMARC policy is not followed. Why? It would seem to me that if someone is setting up DMARC, they are aware that they need both a DKIM policy and an SPF policy. Thus, shouldn't the spec state that if a query for either policy returns no result, this is treated as a failure for that test? Or is ADSP supposed to fill in this hole?

I'm sure I'm missing some really important detail. If you folks have the patience to point out what I'm missing, I'd appreciate it.

--
Mason

---------- Forwarded message ----------
From: Authonaut <[email protected]>
Date: Tue, Oct 23, 2012 at 2:44 PM
Subject: Re: Paypal breaking the spec they helped develop
To: Mason Schmitt <[email protected]>

On 10/23/12 3:52 PM, Mason Schmitt wrote:
>
> Hi Tim,
>
> I know you're not tech support for general DMARC questions, so feel
> free to ignore this request. I just haven't been able to find
> anything about this question in my searches thus far.

I'll try my best..

> I have found that if I telnet to port 25 at gmail's MX and send an
> email using only 'mail from:' and 'rcpt to:' that it is delivered into
> the spam folder of the gmail account rather than being rejected as per
> my DMARC record. Does DMARC policy require a fail on both DKIM and
> SPF in order for the DMARC policy to apply?

Yes, both DMARC and SPF must fail for DMARC policy to apply. AND, what I mean specifically is that the DMARC-check will fail if a properly aligned Authenticated Identifier is not present (which can come from DKIM and/or SPF).

> I had assumed that if
> either DKIM or SPF failed (or soft failed in my case) that the
> receiver would still follow the DMARC policy.

The receiver is looking for a way to authenticate a piece of email back to a domain. If either DKIM or SPF do the job, DMARC policy is not applied to the message.

> The observed behaviour
> means that a scammer/spammer could still send an email without FROM:
> and TO: headers and the message would be delivered and many email user
> interfaces will display the 'mail from:' as the sender, which somewhat
> accomplishes their goal of spoofing the sender.

You're correct -- without a From: header, there is no DMARC-domain to extract, and therefore no DMARC policy to apply. This is a hole of sorts, although different ISPs will take different actions based on the absence of a From:-header.

FWIW, you should bring your example up in dmarc-discuss, maybe highlight the problem with a few screen shots (do both GMail and YMail do this?). This example will likely lead to inclusion of text in the spec to be aware of this sort of abuse. Where I *can* bring this up in DMARC.ORG proper (if you'd like to avoid attention), but it would be better for you to raise this issue from the outside.

HTH,
=- Tim

_______________________________________________
dmarc-discuss mailing list
[email protected]
http://www.dmarc.org/mailman/listinfo/dmarc-discuss
NOTE: Participating in this list means you agree to the DMARC Note Well terms (http://www.dmarc.org/note_well.html)
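The evaluation logic Tim describes, as an added example that is not part of the thread or of any receiver's real implementation: a simplified DMARC check that shows why a message with no From: header never reaches the published policy, while a spoofed message that does carry a From: header fails alignment and gets the domain's disposition. The policy table, domains and messages are constructed for illustration; the organizational-domain helper uses a naive last-two-labels rule instead of the Public Suffix List.

```python
import email
from email.utils import parseaddr

# Constructed published policies (what a receiver would fetch from _dmarc.<domain> TXT).
POLICIES = {"example.com": "reject"}

# Constructed messages: one with a From: header, one sent with only MAIL FROM / RCPT TO.
WITH_FROM = "From: Billing <billing@example.com>\r\nSubject: Invoice\r\n\r\nPlease pay.\r\n"
NO_FROM = "Subject: Invoice\r\n\r\nPlease pay.\r\n"


def org_domain(domain):
    # Assumption: organizational domain = last two labels (real code uses the PSL).
    return ".".join(domain.lower().rsplit(".", 2)[-2:])


def from_domain(raw_message):
    """Return the RFC5322.From domain, or None when it cannot be determined."""
    msg = email.message_from_string(raw_message)
    froms = msg.get_all("From") or []
    if len(froms) != 1:          # absent or multiple From: headers: no usable identifier
        return None
    _, addr = parseaddr(froms[0])
    if "@" not in addr:
        return None
    return addr.rsplit("@", 1)[1].lower()


def dmarc_disposition(raw_message, mail_from_domain, spf_result, dkim_domain, dkim_result):
    """Return 'pass', the published policy, or why no policy could be applied.

    spf_result  : SPF result for the envelope MAIL FROM domain ("pass"/"fail"/"softfail"/"none").
    dkim_result : DKIM result for the signature's d= domain ("pass"/"fail"/"none").
    """
    fd = from_domain(raw_message)
    if fd is None:
        return "no-dmarc-domain"     # nothing to align against, so policy cannot apply
    published = POLICIES.get(org_domain(fd))
    if published is None:
        return "no-policy"
    # Either authenticated identifier, if aligned with the From: domain, satisfies DMARC.
    spf_aligned = spf_result == "pass" and org_domain(mail_from_domain) == org_domain(fd)
    dkim_aligned = dkim_result == "pass" and bool(dkim_domain) and org_domain(dkim_domain) == org_domain(fd)
    if spf_aligned or dkim_aligned:
        return "pass"
    return published
```

Receivers that see `no-dmarc-domain` are left to their own local rules, which is why the message in the thread landed in spam rather than being rejected.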
