As part of the original DMARC team and having worked with anti-abuse for a long time at scale for a large set of websites, I can speak to my motivation. It's not really about defending brand identity. The data shows (although it is not mine to share) that end users will click on anything based on the right social engineering. Love, money, etc. are powerful motivators. The first thing that DMARC enables is for a brand/domain to signal to validators/receivers that the domain has control of its mail streams and is identifying those mail streams using the combination of SPF/DKIM/DMARC. This enables receivers to process those mail streams with a certain amount of confidence. This leaves open the question of when good domains go bad but that falls into the realm of local policy on the part of the receiver. I think anyone who makes an assertion about "DMARC policy" needs to remember that at best it is a request to validators/receivers.
Yes, the issues of cousin domains, homoglyphs, etc. are thrown out there as reasons why DMARC is "irrelevant" to solving problems such as spam or phishing. It doesn't solve spam but it does have an impact on phishing, if only to push the bad guys to "push reality". If I get a phishing email from a bank that is not my own, I as an end user am less likely to fall for that particular phishing scheme. It makes it easier for validators/receivers to differentiate real from Memorex. It's also important to recognize that the environment isn't static. The bad guys are always thinking up new approaches as the old/current ones yield declining results. This evolving context is sometimes brandished against DMARC as an indicator that it isn't useful. In my experience with a number of brands/domains that were aggressive in implementing SPF/DKIM/DMARC as well as other measures, we were able to drive down abuse against those brands/domains by over 95%. Did the bad guys continue to test both external abuse as well as probe for weaknesses that would enable abuse through the systems? Absolutely. Did they move on to other brands/domains to abuse? Absolutely.

When Jim asks the question "What problem are we trying to solve?", perhaps the prior question should be "Who are we?".

Michael Hammer

On Wed, Jul 15, 2020 at 8:15 PM Jim Fenton <[email protected]> wrote:

> Unburying this from a different thread.
>
> I'm really struggling to understand what problem(s) DMARC is trying to
> solve. The most common answer I have heard says something about
> "defending brand identity", which is a marketing, not a technical
> consideration.
>
> IMO we need a threat analysis, ala RFC 4686 or RFC 5016, to define the
> technical requirements. I am NOT volunteering to do this.
>
> -Jim
>
> _______________________________________________
> dmarc mailing list
> [email protected]
> https://www.ietf.org/mailman/listinfo/dmarc
