> -----Original Message-----
> From: Dave Crocker <[email protected]>
> Sent: 24 June 2020 14:48
> To: David I <[email protected]>; IETF DMARC WG <[email protected]>
> Subject: Re: [dmarc-ietf] What if... Sender:
>
> On 6/24/2020 2:56 AM, David I wrote:
> > Specifically, alignment on 'From' allows automated checks against
> > addresses of known, trusted contacts from addressbooks
>
> So does alignment on Sender. Yes, the addresses in From: vs. Sender:
> might be different, but that doesn't mean the same assessment mechanisms
> that can be used on a From: address can't also be used on a Sender: address.

Without forcing alignment to 'From', an attacker can set their own 'Sender', set a 'From' they're not entitled to use that's of a trusted contact, and the DMARC associated with the abused domain in the 'From' has no effect and can't be used for filtering. So while you could do a similar filter on Sender, it wouldn't be as useful, and would provide less security benefit.

> > If the authentication is of a value which isn't related to the entry in the
> > addressbook, I don't see how this kind of checking/filtering can be done, and
> > so wouldn't be as useful. Unless there's a way I've missed?
>
> I suspect that very little -- if any -- of the current use of DMARC relies on an
> end-user's address book.

It's definitely the case that there are popular email services doing filtering/alerting based on addressbooks/known contacts, and I'm confident that DMARC's ability to force use of cousin/alternative domains makes this more effective.

David

This information is exempt under the Freedom of Information Act 2000 (FOIA) and may be exempt under other UK information legislation. Refer any FOIA queries to [email protected]. All material is UK Crown Copyright ©

_______________________________________________
dmarc mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dmarc
