On Mon, Aug 17, 2020 at 6:24 AM Laura Atkins <[email protected]> wrote:
> The DMARC proponents have asserted that DMARC prevents domain specific
> spoofing and phishing. The amount of harm DMARC authentication has caused,
> however, seems disproportional to this small benefit. Phishing is still
> happening using cousin domains (and even random domains). Departments
> inside companies avoid DMARC mandates by buying cousin and “campaign
> specific” domains which trains users to be phishing targets for those
> domains. Companies have tried to cut down on this by saying DMARC must be
> done for all those domains as well. Unfortunately, those “from above”
> decrees have often created more problems than they solved.
>
> Mailing lists have coped by rewriting from addresses, but that has caused
> a lot of issues. Two of the big ones are members can no longer search for
> “mail from this list member” and cannot easily create filters acting on
> mail from other participants.

Well said (I liked the poetic indentation too)

The fact is that DMARC has disrupted the flow of ordinary legitimate email. Actors not involved or interested in DMARC have had to spend time and money developing ways to work around DMARC in order to keep mailing lists and forwarding working, or else they have had to spend time and money on the alternative of informing their customers that legitimate practices they have done for years no longer work reliably and have to be discontinued.

Adding more complexity does not make a broken thing less broken.

I think the proposed standard should simply spell out in plain words that the purpose of DMARC is to protect transactional mail, e.g. about bank and credit accounts or purchase confirmations, and that it is not for mail from ordinary end users. Given that, I think more sending systems would be willing to publish p=reject and more receiving systems would be willing to honor it. It won't be the end of spoofs, but it would reduce the disruption to people outside the DMARC club.

---
Joseph Brennan
_______________________________________________
dmarc mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dmarc
