On Fri, Jun 19, 2020 at 2:22 PM Jim Fenton <[email protected]> wrote:
> On 6/19/20 10:41 AM, Todd Herr wrote:
> > On Fri, Jun 19, 2020 at 1:23 PM Dotzero <[email protected]> wrote:
> >> On Fri, Jun 19, 2020 at 1:09 PM Jim Fenton <[email protected]> wrote:
> >>> A verified identity is established by DKIM and/or SPF. What is DMARC
> >>> adding in this respect?
> >>
> >> Policy expressed by the domain owner/administrator based on some
> >> combination of DKIM and/or SPF and the feedback loop.
> >
> > Both policy and the feedback loop are actions taken on the basis of
> > verification of the identity (or lack thereof). They do not establish the
> > identity themselves.
> >
> > Not only that, but DMARC is the only one of the three that is necessarily
> > tied to the domain in the (usually) visible in the MUA From header.
>
> That comes back to the question of whether the domain in the From header
> is visible in the MUA, and if visible, does it alter user behavior (e.g.,
> discourage users from clicking phish links). Different people have
> different opinions on that. A couple of messages back on this thread, the
> blocking of email was discussed and that does not relate to visibility of
> the domain in the MUA.
>
> Dave Crocker wrote:
> There is no evidence that end-users are relevant to
> manipulated/fraudulent From: fields or that DMARC's "certifying" the
> domain name of the From: field is relevant to reducing end-user
> vulnerability.
> There is quite a bit of evidence that improving trust signals to end
> users has no significant effect.

Nowhere have I made any claim regarding the alteration of user behavior; I am speaking solely to the idea of DMARC being used to verify an identity, specifically the domain in the From header.
It's my assumption that this verification is likely to be done by someone other than the user, specifically their mailbox provider, whom I further assume will make acceptance and folder placement decisions for a message based on a combination of factors, including, but definitely not limited to, the results of all applicable authentication checks. We don't ask users to perform SPF or DKIM validation checks, so I don't believe that my assumptions are inconsistent here.

While it's true to say a verified identity is established by DKIM and/or SPF, which identity is established by these protocols? I've got mail in my inbox right now that has:

- in.constantcontact.com as the Return-Path domain; SPF verdict was pass, so in.constantcontact.com was verified as being authorized to send from the host that originated the message; if we want to call this the verification of an identity, so be it.
- auth.ccsend.com as the DKIM signing domain; DKIM verdict was pass, so auth.ccsend.com was verified as the signer, but definitely not the purported author, per RFC 6376, section 1.2.
- $MYGOLFCLUB.com as the From domain; no DMARC policy published, so the identity was not verified, but I can tell from the content of the message that it's legitimate.

Now, this mail was wanted mail, so I'm thankful in this case that the domain doesn't publish a DMARC policy, or else I might not have gotten the message. Maybe if they did, Constant Contact would enforce a policy of DKIM signing with $MYGOLFCLUB.com; I don't know how things work at CC. However, such a tuple of three unaligned domains isn't unheard of, and it is to me a textbook case of the need for some mechanism for receiving domains to use to verify the identity associated with the From header.
Without such a mechanism, then there is nothing, save the Acceptable Usage Policy enforced by my connectivity provider, to prevent me from sending an unlimited amount of mail using $MYGOLFCLUB.com in the From domain, along with those disposable domains mentioned upthread for SPF and DKIM. (Whether or not such messages reach their destination is an open question, based on the filtering policies in place at the target domains.)

-- 
*Todd Herr* | Sr. Technical Program Manager
*e:* [email protected]
*p:*
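The three-domain message above (Return-Path, DKIM d= and From all different) is exactly the case DMARC's identifier alignment is meant to catch. The following is an added illustration, not code from this thread or from any DMARC implementation: it evaluates relaxed/strict alignment of the SPF and DKIM identifiers against the From domain, using a constructed placeholder `mygolfclub.example` for the club's real domain and a simplified organizational-domain rule (last two labels) in place of a Public Suffix List lookup; DMARC record discovery is out of scope.

```python
"""Minimal DMARC identifier-alignment check (RFC 7489 section 3.1). Added example,
not code from the thread. Assumption: organizational domain = last two labels,
wrong for multi-label public suffixes (co.uk); real verifiers use the Public Suffix
List. DMARC record lookup (policy discovery) is out of scope here."""
from dataclasses import dataclass, field


def org_domain(domain: str) -> str:
    """Approximate organizational domain: last two labels (see caveat above)."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def aligned(identifier: str, from_domain: str, mode: str = "r") -> bool:
    """Relaxed ('r') compares organizational domains; strict ('s') needs an exact match."""
    if mode == "s":
        return identifier.lower().rstrip(".") == from_domain.lower().rstrip(".")
    return org_domain(identifier) == org_domain(from_domain)


@dataclass
class AuthResults:
    from_domain: str                          # RFC5322.From domain
    spf_domain: str = ""                      # RFC5321.MailFrom (Return-Path) domain
    spf_result: str = "none"
    dkim: list = field(default_factory=list)  # [(d= domain, result), ...]
    aspf: str = "r"                           # alignment modes from the DMARC record
    adkim: str = "r"


def dmarc_evaluate(r: AuthResults) -> dict:
    """DMARC passes when at least one passing identifier aligns with the From domain."""
    spf_ok = r.spf_result == "pass" and aligned(r.spf_domain, r.from_domain, r.aspf)
    dkim_ok = any(res == "pass" and aligned(d, r.from_domain, r.adkim) for d, res in r.dkim)
    return {"spf_aligned": spf_ok, "dkim_aligned": dkim_ok,
            "dmarc": "pass" if (spf_ok or dkim_ok) else "fail"}


# Constructed sample mirroring the message in the thread; the From domain is a
# placeholder for the club's real domain. Both SPF and DKIM pass, neither aligns.
UNALIGNED = AuthResults(from_domain="mygolfclub.example",
                        spf_domain="in.constantcontact.com", spf_result="pass",
                        dkim=[("auth.ccsend.com", "pass")])
# The same message if the ESP also signed with a key under the From domain.
ALIGNED = AuthResults(from_domain="mygolfclub.example",
                      spf_domain="in.constantcontact.com", spf_result="pass",
                      dkim=[("auth.ccsend.com", "pass"), ("mail.mygolfclub.example", "pass")])

if __name__ == "__main__":
    print(dmarc_evaluate(UNALIGNED)["dmarc"], dmarc_evaluate(ALIGNED)["dmarc"])  # fail pass
```

Raw SPF and DKIM passes are not enough on their own: the unaligned message fails even though both checks passed, and adding a second signature under the From domain is what turns the verdict into a pass.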
_______________________________________________
dmarc mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dmarc
