On 1/5/2021 10:28 AM, Kurt Andersen (b) wrote:
> Because recipients often can’t see (or don’t pay attention to) the domain
> name and the reputation system you postulate doesn’t exist. OTOH, getting
> alignment avoids a restrictive policy that might be associated with the
> original domain.
I think you're saying that I can always evade DMARC problems by putting an
address I control on the From line and nobody will notice. That would
mean that DMARC is useless.
If that's not what you're saying, could you clarify?
That is indeed the assertion - as long as you consider 97+% to be
"always" and interpret "nobody" in terms of real human actors
(excluding the automatons on this list) and discount the influence of
receiver-level reputation/filtering mechanisms. Personally, I think
those levels of rounding errors should not be ignored either for good
or evil. The formation of this working group and our initial
deliverables provide some level of concurrence with my personal
perspective.
From: header field rewriting demonstrates that DMARC is, indeed, trivial
to defeat (or rather, to route around.) Also, receiver filtering
engines are all that matter. Real-time actions by recipients are
demonstrably irrelevant to DMARC (and all other anti-abuse) utility.
DMARC has utility because a great deal of spam includes unauthorized use
of domain names that happen to support DMARC.
Some anti-abuse methods have inherent utility. They are useful even if
abusers seek to defeat the methods. Other methods have utility by
virtue of correlations with current behavior. They are useful now, but
merely require some effort by abusers to defeat (or route around.)
DMARC has the appearance of the former but is actually the latter.
d/
--
Dave Crocker
[email protected]
408.329.0791
Volunteer, Silicon Valley Chapter
American Red Cross
[email protected]
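Added example, not part of the original message or thread: a sketch of the receiver-side DMARC relaxed-alignment check, showing which domain's policy is consulted before and after a mailing list rewrites the From: header field. The sample messages, the `.example` domains and the two-label organizational-domain shortcut are constructed assumptions; a real receiver uses the Public Suffix List and real SPF/DKIM results.

```python
from email import message_from_string
from email.utils import parseaddr

def org_domain(domain):
    # Assumption: organizational domain = last two labels. A real receiver
    # derives this from the Public Suffix List.
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def from_domain(raw):
    # Domain of the RFC5322.From address, the identifier DMARC keys on.
    msg = message_from_string(raw)
    return parseaddr(msg["From"])[1].rpartition("@")[2].lower()

def dmarc_view(raw, spf_pass_domain=None, dkim_pass_domains=()):
    """Return (policy_domain, aligned) for one message.

    spf_pass_domain: MAIL FROM domain that passed SPF, or None.
    dkim_pass_domains: d= domains whose DKIM signatures verified.
    Relaxed alignment: organizational domains must match.
    """
    author = from_domain(raw)
    authenticated = set(dkim_pass_domains)
    if spf_pass_domain:
        authenticated.add(spf_pass_domain)
    aligned = any(org_domain(d) == org_domain(author) for d in authenticated)
    return author, aligned

# Constructed sample: list relays the post with the author's From intact.
# The list's footer broke the author's DKIM signature; SPF passes only for
# the list's own envelope domain.
RELAYED = "From: Alice <alice@bank.example>\nSubject: [dmarc] hi\n\nbody\n"
# Constructed sample: same post after the list rewrites From and re-signs.
REWRITTEN = ('From: "Alice via dmarc" <dmarc@list.example>\n'
             "Reply-To: alice@bank.example\nSubject: [dmarc] hi\n\nbody\n")

if __name__ == "__main__":
    # bank.example's policy is evaluated and the message is unaligned.
    print(dmarc_view(RELAYED, spf_pass_domain="list.example"))
    # list.example's policy is evaluated; bank.example's is never consulted.
    print(dmarc_view(REWRITTEN, spf_pass_domain="list.example",
                     dkim_pass_domains=["list.example"]))
```

The rewritten message passes because the check is made against the domain in the rewritten From: field, so the original author domain's published policy plays no part in the result.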