> -----Original Message----- > From: Dave Crocker <[email protected]> > Sent: 25 June 2020 16:29 > To: David I <[email protected]> > Cc: IETF DMARC WG <[email protected]> > Subject: Re: [dmarc-ietf] What if... Sender: > > On 6/25/2020 8:10 AM, David I wrote: > >> Why is it useful in the From:? Seriously. > > Because the claimed author is an important aspect of any kind of trust > calculation on an email, human or automated. So an aligned, authenticated > 'From' is a strong signal. > > 1. Signal to what and how is it used for filtering?
Some form of algorithm that filters or otherwise protects users. > 2. Why isn't an aligned Sender: just as strong? Because it doesn't represent the author, which is who the user trusts (this may be inferred by software eg through previous conversations, addressbook presence etc) > > > > why is DMARC's use of From: automatically better than > >> having DMARC use Sender:? > > Because the From field is used by software to understand where an email > came from, and apply UI, filters, and warnings. > > 1. "Warnings" have no reliable utility. Insofar as humans can circumvent them, sure, they're not 100% reliable. And there are well-designed ones, and not. But they are a useful tool for software developers to help their users when they don't have sufficient evidence to simply destroy suspicious email. > 2. UI behavior is what From: field alignment is breaking, given the > workarounds that MLMs have to do MUAs have lots of options for how they want to display and differentiate messages (eg mailing lists) and support users. I'd love to see more creativity in that space. > 3. Filtering engines use a wide array of information; there is nothing magical > about their use of From. Magical, no. A signal you can heavily weight and rely on, yes. > > Agreed. It's possible for bad actors to compromise mailboxes to bypass > current DMARC based filtering. So is DMARC pointless? No, because it > increases the cost and complexity of the attack, which is a positive thing. > > I think you missed my point. My point was that some of what attackers do > doesn't matter. It upsets us when we hear about their doing it, but it > doesn't > affect discoverability and it doesn't affect recipient behavior. We should > worry about their actions that actually have a bad effect, not worry about > actions we just don't like. If I understand, then we agree that the goal is to stop bad things happening, not be the protocol police. > >> So pointing out what an attacker might or will do doesn't end the > argument. > >> What matters is the /effect/ of their actions, not the theory of their > actions. > > The effect would be to phish people more successfully by evading the > current DMARC checks on From alignment and filters/detections based on > cousin domains. > > Your claim of 'successfully' means you have objective data substantiating the > successes. Please circulate it to us. Clearly I can't have data about the impact of implementing your proposal, but I believe the above is a reasonable inference given what we know about today's world. I think there is data out there showing that when current From-aligned DMARC is applied, that attempted spoofing of that domain drops (the inference being that it's because of DMARC From-aligned filtering). If not, I can probably find that kind of data. This information is exempt under the Freedom of Information Act 2000 (FOIA) and may be exempt under other UK information legislation. Refer any FOIA queries to [email protected]. All material is UK Crown Copyright © _______________________________________________ dmarc mailing list [email protected] https://www.ietf.org/mailman/listinfo/dmarc
