I meant to respond to this earlier:

On 01/31/2014 02:38 PM, Mike Jones wrote:
> Roland gave an excellent explanation of the reason for the alignment requirement that DMARC specifies. One point in his reply I will disagree on though is that domains without a current spoofing problem should not implement a DMARC quarantine or reject policy. The thing about spoofing is that one never knows when one will become a victim. We often see domains that go periods of time without a spoofing issue and then are hit hard on one day. If your domain has excellent SPF and DKIM with a high overall DMARC pass rate, you have fully analyzed your DMARC reports to understand the risk of failures due to mailing lists or forwarding, and everything looks good, then why not protect yourself from future attacks with a DMARC quarantine or reject?
I may have overstated slightly, but as a practical matter there really is a bound below which p=quarantine/reject does more harm than good to a Domain Owner, not because smaller organisations are immune from spoofing but because there is a non-zero cost in monitoring and interpreting authentication failures and responding when appropriate. Whether this cost is borne as a monetary subscription to an authentication specialist, as yet another demand on the time of an IT guy who's already spread far too thinly, or simply in disruption to business when neither of the above is in place and something breaks, the cost isn't zero. If the expected benefit of protection (the likely - not worst case - impact of an incident multiplied by the probability of an incident - a number which is vanishingly close to zero for most organisations) is less than the cost of monitoring, interpreting and responding then quarantine and reject are harmful choices.
The challenge, of course, is where to draw the line. F500s are clearly in the cross-hairs, Alexa's top thousand (and some distance beyond) likewise. Somewhere a little further along this continuum however, is a point beyond which the costs of monitoring, interpreting and responding (or of disruption) exceed the benefit. My guess, although I admit that I have no credible quantitative model, is that this applies to a substantial majority of all domains which are used in 5322.From headers.
- Roland

_______________________________________________
dmarc mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dmarc
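The analysis Mike Jones describes (a high message-weighted DMARC pass rate, with the remaining failures attributed to mailing lists or forwarders before moving past p=none) can be done mechanically from the aggregate (RUA) reports a Domain Owner already receives. The script below is an added example written for this page, not code from either poster or from the DMARC working group. It parses a constructed aggregate report in the RFC 7489 Appendix C shape, computes the pass rate, classifies each failing row from its raw auth_results, and applies an illustrative readiness rule; the thresholds in recommend_policy, the sample domains and IPs, and the category names are assumptions made for the example.

```python
"""Summarise a DMARC aggregate (RUA) report: message-weighted pass rate plus a
breakdown of why the failing rows failed.  Added example for this page; the
report below is constructed and the thresholds are illustrative assumptions."""
import xml.etree.ElementTree as ET
from collections import Counter

# Constructed sample report (RFC 7489 Appendix C layout); not a real report.
SAMPLE_REPORT = """<?xml version="1.0"?>
<feedback>
  <report_metadata><org_name>receiver.example</org_name><report_id>1</report_id>
    <date_range><begin>1391126400</begin><end>1391212800</end></date_range></report_metadata>
  <policy_published><domain>example.com</domain><adkim>r</adkim><aspf>r</aspf>
    <p>none</p><pct>100</pct></policy_published>
  <record><!-- own MTA: both identifiers aligned -->
    <row><source_ip>192.0.2.10</source_ip><count>950</count><policy_evaluated>
      <disposition>none</disposition><dkim>pass</dkim><spf>pass</spf></policy_evaluated></row>
    <identifiers><header_from>example.com</header_from></identifiers>
    <auth_results><dkim><domain>example.com</domain><result>pass</result></dkim>
      <spf><domain>example.com</domain><result>pass</result></spf></auth_results></record>
  <record><!-- plain forwarder: SPF breaks, our DKIM signature survives, DMARC still passes -->
    <row><source_ip>198.51.100.7</source_ip><count>30</count><policy_evaluated>
      <disposition>none</disposition><dkim>pass</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><header_from>example.com</header_from></identifiers>
    <auth_results><dkim><domain>example.com</domain><result>pass</result></dkim>
      <spf><domain>forwarder.example</domain><result>pass</result></spf></auth_results></record>
  <record><!-- mailing list: body modified, our signature broken, list re-signs -->
    <row><source_ip>203.0.113.5</source_ip><count>15</count><policy_evaluated>
      <disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><header_from>example.com</header_from></identifiers>
    <auth_results><dkim><domain>example.com</domain><result>fail</result></dkim>
      <dkim><domain>lists.example.org</domain><result>pass</result></dkim>
      <spf><domain>lists.example.org</domain><result>pass</result></spf></auth_results></record>
  <record><!-- nothing authenticates: unknown source or spoof -->
    <row><source_ip>203.0.113.99</source_ip><count>5</count><policy_evaluated>
      <disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><header_from>example.com</header_from></identifiers>
    <auth_results><spf><domain>example.com</domain><result>fail</result></spf></auth_results></record>
</feedback>
"""


def aligned(domain, org_domain):
    """Relaxed alignment: the domain is the organisational domain or a subdomain of it."""
    return domain == org_domain or domain.endswith("." + org_domain)


def classify_failure(record, org_domain):
    """Label a DMARC-failing record using the raw (unaligned) auth_results."""
    auth = record.find("auth_results")
    dkim_pass = {d.findtext("domain") for d in auth.findall("dkim") if d.findtext("result") == "pass"}
    spf_pass = {s.findtext("domain") for s in auth.findall("spf") if s.findtext("result") == "pass"}
    if any(not aligned(d, org_domain) for d in dkim_pass):
        return "third_party_signed"   # a list or ESP re-signed after our signature broke
    if any(not aligned(d, org_domain) for d in spf_pass):
        return "forwarded_unsigned"   # forwarder's envelope passes SPF, no surviving DKIM
    return "unauthenticated"          # nothing vouches for it: unknown source or spoof


def summarise(report_xml):
    """Message-weighted totals, pass rate and failure causes for one report."""
    root = ET.fromstring(report_xml)
    org_domain = root.findtext("policy_published/domain")
    total = passed = 0
    failures, failing_sources = Counter(), Counter()
    for rec in root.findall("record"):
        count = int(rec.findtext("row/count"))
        pe = rec.find("row/policy_evaluated")
        total += count
        if pe.findtext("dkim") == "pass" or pe.findtext("spf") == "pass":
            passed += count   # DMARC passes when either aligned identifier passes
        else:
            cause = classify_failure(rec, org_domain)
            failures[cause] += count
            failing_sources[(rec.findtext("row/source_ip"), cause)] += count
    return {"domain": org_domain, "total": total, "passed": passed,
            "pass_rate": passed / total if total else 0.0,
            "failures": dict(failures), "failing_sources": dict(failing_sources)}


def recommend_policy(summary, reject_at=0.97, quarantine_at=0.95, max_explained=0.02):
    """Illustrative readiness rule (thresholds are assumptions, not from the thread).
    Failures attributable to lists/forwarders are legitimate mail a stricter
    policy would discard, so they count against tightening; unauthenticated
    rows are what the policy exists to stop and do not."""
    f = summary["failures"]
    explained = (f.get("third_party_signed", 0) + f.get("forwarded_unsigned", 0))
    explained_rate = explained / summary["total"] if summary["total"] else 0.0
    if summary["pass_rate"] >= reject_at and explained_rate <= max_explained:
        return "reject"
    if summary["pass_rate"] >= quarantine_at:
        return "quarantine"
    return "none"


if __name__ == "__main__":
    s = summarise(SAMPLE_REPORT)
    print(f"{s['domain']}: {s['passed']}/{s['total']} pass ({s['pass_rate']:.1%}) failures={s['failures']}")
    print("suggested policy:", recommend_policy(s))
```

The forwarder row is the case worth noticing: SPF fails there but the surviving DKIM signature keeps the message passing, so only rows where both aligned identifiers fail need explaining. Real reports arrive as gzip or zip attachments from many receivers, so in practice the per-report summaries are merged across a reporting window before the readiness rule is applied.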
