This is essentially correct, as is Mason's observation that this falls into the 
realm of UI design.  DMARC can't determine a policy of any kind because no such 
policy is retrieved under the DMARC algorithm.  The incoming message is, by 
RFC5322, garbage to begin with.  It thus falls to the receiver's local policies 
in terms of a decision about what to do with the message and what to show the 
user when viewed.

-MSK

From: pandalove <[email protected]>
Date: Tue, 6 Nov 2012 18:03:25 +0800
To: Mason Schmitt <[email protected]>
Cc: <[email protected]>
Subject: Re: [dmarc-discuss] Non existence of "From:" header

Let me try.

http://www.dmarc.org/draft-dmarc-base-00-02.txt

3.4.  Detailed Requirements

   DMARC's specification requirements, in detail:

   1.   The RFC5322.From domain is the identifier used for all message
        validation operations, as it is the single identifier in the
        message likely to be visible to the user.

As said here, the header From: is the battlefield where DMARC fights. That is, 
DMARC exclusively distinguishes fraudulent emails which carry a spoofed From:, 
then applies the DMARC policy stored in the DMARC record. So if an email 
has no header From:, the receivers have no way to determine which DMARC record 
to query and can do nothing via the DMARC mechanism.

For now, "DMARC does not attempt to solve problems related to use of Cousin 
Domains or abuse of the RFC5322.From "display name"." (Section 2.2) as well as 
the problems related to Empty RFC5322.From, Multiple RFC5322.From and Deformed 
RFC5322.From (Section 11.1).


HTH :)

-Junping


At 2012-11-06 15:04:14, "Mason Schmitt" 
<[email protected]> wrote:
>Hello everyone,
>
>I was encouraged to bring the following scenario to this list for discussion.
>
>I recently setup a DMARC reject policy for some domains and then did
>some testing.  I was surprised to find that by simply omitting the
>"From: " header, in a spoofed email sent to a gmail address, that the
>email was accepted!  The email was quarantined, not delivered to the
>inbox, but I would have thought it would be rejected because I do have
>a DMARC reject policy.
>
>I am aware that DMARC was not designed to deal with the vagaries of UI
>design in MUAs (as stated in the RFC), however, in the case above,
>gmail does give spammers a leg up, by displaying the envelope sender
>as the "From:" address.   Thus if a spammer spoofed my domain and
>didn't include the "From:" header, they could get a message to show up
>in the junk folder and someone could see that message and retrieve it
>thinking it came from my domain - even though I have specified a DMARC
>reject policy and have DKIM and SPF policies.
>
>Ok, so here's what I don't understand about DMARC.  DMARC appears to
>require both DKIM and SPF checks to return some kind of result or else
>the DMARC policy is not followed.  Why?  It would seem to me that if
>someone is setting up DMARC, they are aware that they need both a DKIM
>policy and an SPF policy.  Thus, shouldn't the spec state that if a
>query for either policy returns no result, this is treated as a
>failure for that test?  Or is ADSP supposed to fill in this hole?
>
>I'm sure I'm missing some really important detail.  If you folks have
>the patience to point out what I'm missing, I'd appreciate it.
>
>--
>Mason
>
>
>---------- Forwarded message ----------
>From: Authonaut <[email protected]>
>Date: Tue, Oct 23, 2012 at 2:44 PM
>Subject: Re: Paypal breaking the spec they helped develop
>To: Mason Schmitt <[email protected]>
>
>
>On 10/23/12 3:52 PM, Mason Schmitt wrote:
>> Hi Tim,
>>
>> I know you're not tech support for general DMARC questions, so feel
>> free to ignore this request.  I just haven't been able to find
>> anything about this question in my searches thus far.
>
>I'll try my best..
>
>> I have found that if I telnet to port 25 at gmail's MX and send an
>> email using only 'mail from:' and 'rcpt to:' that it is delivered into
>> the spam folder of the gmail account rather than being rejected as per
>> my DMARC record.  Does DMARC policy require a fail on both DKIM and
>> SPF in order for the DMARC policy to apply?
>
>Yes, both DMARC and SPF must fail for DMARC policy to apply.  AND,
>what I mean specifically is that the DMARC-check will fail if a
>properly aligned Authenticated Identifier is not present (which can
>come from DKIM and/or SPF).
>
>> I had assumed that if
>> either DKIM or SPF failed (or soft failed in my case) that the
>> receiver would still follow the DMARC policy.
>
>The receiver is looking for a way to authenticate a piece of email
>back to a domain.  If either DKIM or SPF do the job, DMARC policy is
>not applied to the message.
>
>> The observed behaviour
>> means that a scammer/spammer could still send an email without FROM:
>> and TO: headers and the message would be delivered and many email user
>> interfaces will display the 'mail from:' as the sender, which somewhat
>> accomplishes their goal of spoofing the sender.
>
>You're correct -- without a From: header, there is no DMARC-domain to
>extract, and therefore no DMARC policy to apply.  This is a hole of
>sorts, although different ISPs will take different actions based on
>the absence of a From:-header.
>
>FWIW, you should bring your example up in dmarc-discuss, maybe
>highlight the problem with a few screenshots (do both GMail and
>YMail do this?).   This example will likely lead to inclusion of text
>in the spec to be aware of this sort of abuse.  Where I *can* bring
>this up in DMARC.ORG proper (if you'd like to avoid attention), but it
>would be better for you to raise this issue from the outside.
>
>HTH,
>=- Tim
>_______________________________________________
>dmarc-discuss mailing list
>[email protected]
>http://www.dmarc.org/mailman/listinfo/dmarc-discuss
>
>NOTE: Participating in this list means you agree to the DMARC Note Well terms 
>(http://www.dmarc.org/note_well.html)


