On Thu 25/Jun/2020 15:42:35 +0200 Dave Crocker wrote:
> On 6/25/2020 3:14 AM, Alessandro Vesely wrote:
>> Frequently, an inbound message has one or more valid DKIM signatures,
>> and/or passes SPF, yet it fails DMARC; that is, the authenticated
>> domain(s) are not aligned with From:. Now it's obvious that any of
>> those authenticated domain(s) could as well have set a Sender:
>> pointing to itself. Hence, the net effect is equivalent to dropping
>> the alignment requirement.
>
> It's not. Remember that the From: field is typically also the Sender:
> field.

In a DMARC/sender scenario, From: and Sender: are aligned in direct mail flows only. Any intermediate actor, one, say, which adds an ARC set, would also set Sender:. Indeed, DMARC/sender would likely get the same level of usability as ARC; that is, require an omniscient mailbox provider in order to effectively filter based on it.

> Again: The actual semantics of DMARC have to do with the
> organization's domain, not the author's mailbox. So, really, DMARC
> concerns an operational identifier, not a content creator.
>
> The suggestion, therefore, is to retain alignment, but move it to a
> field that has to do with operations, not content.

Exactly. While From: is linked to the semantic content, Sender: can be altered scot-free by any intermediate operator. All the policies, the aspf and adkim settings that an originator had devised, will be gone. So will filtering by paramount domains or TLDs. All those moments will be lost in time, like tears in rain...

>>>> Sender: has a display name and an address, just like From:. Don't we
>>>> risk doubling phishing opportunities?
>>>>
>>>> If Sender: and From: domains disagree, are both going to get reports?
>>> Why would there be a DMARC report on From:?
>> Reports are supposed to be consumed by the originator.
>
> You didn't actually answer my question.
>
> Let's try a more complete question:
>
> If DMARC reports refer to the Sender: aligned domain, and reports
> refer to that, why is a report on the From: field also required?

An originator needs to check whether the DKIM signatures they apply are robust enough to pass through indirect mail flows. If you consider the originator's mark unimportant, perhaps because the last hop's signature suffices, you're reinventing ARC.

Best
Ale

--
_______________________________________________
dmarc mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dmarc
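The alignment argument in the message above, as an added example that is not part of the thread and is not code from any DMARC implementation: it applies RFC 7489 strict/relaxed alignment (aspf/adkim) to two constructed messages, a direct flow and the same message relayed by a list that added a footer, re-signed it and set Sender: to itself. The "authenticated" SPF and DKIM domains are constructed verifier results (no signatures are checked), the public-suffix table is a stub, and the rule that an absent Sender: is read as From: is an assumption about how a DMARC/sender check would behave, following the RFC 5322 convention that Sender: is omitted when it equals From:.

```python
"""DMARC identifier alignment: From: (RFC 7489) versus Sender: (the DMARC/sender idea).

Added example; not code from the dmarc list thread nor from any DMARC implementation.
The SPF/DKIM domains passed in below are constructed verifier results; nothing is verified.
"""
from email import message_from_string
from email.message import Message
from email.utils import parseaddr
from typing import Iterable, Optional

# Constructed stand-in for the Public Suffix List, holding only what the
# samples need. A real verifier consults the full PSL.
PUBLIC_SUFFIXES = {"com", "net", "org", "co.uk"}


def org_domain(domain: str) -> str:
    """Organizational domain: the longest public suffix plus one more label."""
    labels = domain.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[max(i - 1, 0):])
    return domain.lower()


def aligned(auth_domain: str, target: str, mode: str) -> bool:
    """RFC 7489 alignment: 's' needs an exact match, 'r' equal organizational domains."""
    a, t = auth_domain.lower(), target.lower()
    if mode == "s":
        return a == t
    if mode == "r":
        return org_domain(a) == org_domain(t)
    raise ValueError(f"unknown alignment mode {mode!r}")


def header_domain(msg: Message, field: str) -> Optional[str]:
    """Domain of the address in `field`, or None if the field is absent/empty."""
    value = msg.get(field)
    if value is None:
        return None
    _, addr = parseaddr(value)
    domain = addr.rpartition("@")[2].lower()
    return domain or None


def dmarc_result(msg: Message, identifier_field: str, spf_domain: Optional[str],
                 dkim_domains: Iterable[str], aspf: str = "r", adkim: str = "r") -> dict:
    """Align the authenticated identifiers against `identifier_field`.

    "From" is what RFC 7489 specifies; "Sender" models the DMARC/sender proposal.
    Assumption (not from the thread): an absent Sender: is read as From:.
    """
    target = header_domain(msg, identifier_field) or header_domain(msg, "From")
    if target is None:
        return {"identifier": None, "spf_aligned": False, "dkim_aligned": False, "pass": False}
    spf_ok = spf_domain is not None and aligned(spf_domain, target, aspf)
    dkim_ok = any(aligned(d, target, adkim) for d in dkim_domains)
    return {"identifier": target, "spf_aligned": spf_ok, "dkim_aligned": dkim_ok,
            "pass": spf_ok or dkim_ok}


# Constructed sample: a direct flow, sent and DKIM-signed by the author's domain.
DIRECT_MSG = message_from_string(
    "From: Alice <author@example.org>\n"
    "To: bob@example.com\n"
    "Subject: hello\n"
    "\n"
    "Hi Bob\n"
)

# Constructed sample: the same message relayed by a list at lists.example.net, which
# appended a footer (breaking the author's signature), signed with its own key and
# set Sender: to itself, as an intermediary would under DMARC/sender.
INDIRECT_MSG = message_from_string(
    "From: Alice <author@example.org>\n"
    "Sender: list@lists.example.net\n"
    "To: bob@example.com\n"
    "Subject: [list] hello\n"
    "\n"
    "Hi Bob\n--\nlist footer\n"
)


def compare_flows() -> dict:
    """Pass/fail for both samples under From: alignment and under Sender: alignment."""
    direct_auth = dict(spf_domain="example.org", dkim_domains=["example.org"])
    # After the relay only the list's identifiers authenticate: its envelope
    # sender passes SPF and its own DKIM signature verifies.
    indirect_auth = dict(spf_domain="lists.example.net", dkim_domains=["lists.example.net"])
    return {
        "direct/From": dmarc_result(DIRECT_MSG, "From", **direct_auth)["pass"],
        "direct/Sender": dmarc_result(DIRECT_MSG, "Sender", **direct_auth)["pass"],
        "indirect/From": dmarc_result(INDIRECT_MSG, "From", **indirect_auth)["pass"],
        "indirect/Sender": dmarc_result(INDIRECT_MSG, "Sender", **indirect_auth)["pass"],
    }


if __name__ == "__main__":
    for flow, ok in compare_flows().items():
        print(f"{flow:16s} {'pass' if ok else 'fail'}")
```

The relayed message fails From: alignment (neither lists.example.net identifier shares an organizational domain with example.org) but passes Sender: alignment, because the identifiers being aligned and the Sender: they are aligned against were both set by the same intermediary. That is the point made above: for indirect flows, any authenticated domain can make itself aligned, so the originator's aspf/adkim choices no longer constrain anything.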
