On 6/25/2020 1:54 AM, David I wrote:
> Without forcing alignment to 'From', an attacker can set their own 'Sender',
> set a 'From' they're not entitled to use that's of a trusted contact, and the
> DMARC associated with the abused domain in the 'From' has no effect and can't
> be used for filtering. So while you could do a similar filter on Sender, it
> wouldn't be as useful, and would provide less security benefit.

Why is it useful in the From:? Seriously.

Since the utility of DMARC has nothing to do with recipient end-user
decision-making, why is DMARC's use of From: automatically better than
having DMARC use Sender:?

Attackers do all sorts of bad things. Some of those bad things don't
actually matter. They might be unauthorized, ill-intended, and even
make you or me uncomfortable. But they don't actually have any effect on
getting bad mail delivered to recipients nor an effect on those
recipients. Bad actors try all sorts of stuff.

So pointing out what an attacker might or will do doesn't end the
argument. What matters is the /effect/ of their actions, not the theory
of their actions.

>> I suspect that very little -- if any -- of the current use of DMARC relies on an
>> end-user's address book.
>
> It's definitely the case that there are popular email services doing
> filtering/alerting based on addressbooks/known contacts, and I'm confident that
> DMARC's ability to force use of cousin/alternative domains makes this more
> effective.

I did not say that address books are not used in some filtering work.
I said that I doubted that it is relevant to DMARC use. Feel free to
document counter-examples.
d/
--
Dave Crocker
Brandenburg InternetWorking
bbiw.net
_______________________________________________
dmarc mailing list
https://www.ietf.org/mailman/listinfo/dmarc