On Sunday, March 31, 2013 4:51 AM [GMT+1=CET], Murray Kucherawy wrote:

> On 3/30/13 12:46 PM, "J. Gomez" <[email protected]> wrote:
> > And what about including into the DMARC specification a "SoftFail"
> > result, in which it would be required that both SPF and DKIM tests
> > give a 'pass' result AND are aligned between themselves but not
> > aligned with the RFC5322.From header? This will buy time for
> > mailing list software to catch up with DMARC requirements and
> > become, given enough time and as familiarity with DMARC becomes
> > more widespread, fully DMARC compatible.
> 
> That would allow anyone to arrange that a message passes SPF and DKIM
> using any domain they like, but then use a From: of the "SoftFail"
> domain. This would totally defeat the purpose by handing attackers a
> successful phish vector.

Yes. But what if the DMARC default were to have that phish vector closed, so 
that it only would be open for those who explicitly did open it (because they 
had a specific problem that needed fixing)?

Imagine that the DMARC "p=" tag would be defined as follows to allow for up to 
two policies:

dmarc-request = %x70 *WSP "=" *WSP ( "none" / "quarantine" / 
     "reject" ) [ "," "none" / "quarantine" / "reject" ]

where the first policy would be mandatory to be declared, and the second policy 
would be optional to be declared. The first policy would be for what to do with 
DMARC-Fail and the second policy would be for what to do with DMARC-SoftFail. 
And imagine that in case of a non-explicitly stated second policy, the second 
policy would inherit the value of the first policy.

Then:
    "p=reject" would be equal to "p=reject,reject"
    "p=reject,none" would mean reject all mail that Fails DMARC but do nothing 
with mail that SoftFails DMARC.

This way, the phish vector is closed by default, as not many people would be 
expected to declare the optional second DMARC policy, most people would go with 
just the default configuration (i.e. "the optional second DMARC policy is the 
same as the mandatory first DMARC policy").

Regards,

J. Gomez


_______________________________________________
dmarc-discuss mailing list
[email protected]
http://www.dmarc.org/mailman/listinfo/dmarc-discuss
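An added example, not code from the thread or from any DMARC implementation: a small parser for the two-policy "p=" tag proposed above, applying the inheritance rule and mapping the Fail/SoftFail distinction to a receiver disposition. It reads the optional bracketed part as a comma followed by any one of the three policies, assumes strict (exact-match) identifier alignment, and treats a message with an aligned SPF or DKIM pass as an ordinary DMARC pass.

```python
import re

POLICIES = ("none", "quarantine", "reject")

# Proposed syntax, read as:  p=<fail-policy>[,<softfail-policy>]
# *WSP around "=" is allowed, as in the ABNF; no WSP around the comma.
_TAG_RE = re.compile(
    r"^p\s*=\s*(none|quarantine|reject)(?:,(none|quarantine|reject))?$"
)


def parse_policy_tag(tag):
    """Return (fail_policy, softfail_policy).

    When the second policy is absent it inherits the first, so
    "p=reject" is equivalent to "p=reject,reject".
    """
    m = _TAG_RE.match(tag.strip())
    if not m:
        raise ValueError("malformed p= tag: %r" % tag)
    fail_policy = m.group(1)
    softfail_policy = m.group(2) or fail_policy
    return fail_policy, softfail_policy


def dmarc_result(from_domain, spf_pass, spf_domain, dkim_pass, dkim_domain):
    """Classify a message as 'pass', 'softfail' or 'fail' under the proposal.

    Strict alignment (exact domain match) is assumed here for simplicity.
    """
    from_domain = from_domain.lower()
    spf_aligned = spf_pass and spf_domain.lower() == from_domain
    dkim_aligned = dkim_pass and dkim_domain.lower() == from_domain
    if spf_aligned or dkim_aligned:
        return "pass"  # ordinary DMARC pass: an aligned authenticated identifier
    if spf_pass and dkim_pass and spf_domain.lower() == dkim_domain.lower():
        # Both pass and agree with each other, but neither matches From:
        # (the mailing-list case, and equally the relayed-phish case).
        return "softfail"
    return "fail"


def disposition(tag, result):
    """Map a classification to the action the receiver should take."""
    fail_policy, softfail_policy = parse_policy_tag(tag)
    if result == "pass":
        return "none"
    return softfail_policy if result == "softfail" else fail_policy
```

With the default "p=reject" the SoftFail case is still rejected, which is what closes the phish vector by default; only a sender who explicitly publishes "p=reject,none" opens it.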
