On Tue, Dec 7, 2021 at 3:54 PM Dotzero <[email protected]> wrote:

>
> Let us consider that DNS is hierarchical. A subdomain cannot exist unless
> those responsible for the parent/organizational domain create it through
> DNS. We know to some extent that a relationship exists between a domain and
> its subdomains. What can we know about the relationship between sister
> domains? Basically nothing. By allowing sister domains to act as "aligned"
> we enable a potentially gaping security hole in various cases. In fact,
> those cases where the abuse is most likely involve folks who are likely to
> be unaware of or lacking understanding of email authentication and how it
> works.
>
> Consider buildium.com, which provides property management software and
> states "Every Buildium subscription comes with a custom subdomain -
> http://yoursubdomainhere.managebuilding.com. Depending on your needs,
> you may want to use another name when talking with clients, residents,
> friends, and family." None of the users of these subdomains has a
> relationship with each other besides purchasing services from a common
> provider. John Levine and Scott Kitterman clearly see no opportunity for
> abuse by ill-intentioned people in a scenario like this. A bad person would
> never use an SPF record from imreallynotabadguy.buildingmanagement.com to
> send an email with a FROM of innocentcustomer.buildingmanagement.com in
> anticipation of suckering those with relationships with innocentcustomer.
>
> Let's consider that there are still some ESPs who like to have
> (particularly smaller) customers use subdomains on their platform for
> various reasons. It might be that using subdomains from a common
> organizational domain is easier to manage than using domains/subdomains
> provided by the customer(s) or delegated by the customer(s). It might be
> that the ESP believes that existing customers in this scenario can "lend"
> reputation to new customers and/or dilute badness from a reputation
> perspective. Again, this sort of situation can allow unrelated entities to
> align and potentially get a DMARC pass through relaxed alignment which
> allows for sister domains.
>
> Many hosting sites for WordPress and other basic websites offer the use of
> subdomains as well. Again we might ask the question as to what the
> relationship of these sister domains is to each other? Should one be able
> to align and authenticate against its siblings? Should an IETF standard
> knowingly allow and enable potential malicious behavior? We know that "bad
> guys" have been early adopters of email authentication. Anyone think there
> aren't bad guys subscribed to this list and thinking about the
> possibilities for abuse of this mechanism?
>
>
>
Why do aspf=s and adkim=s not mitigate the risks you're discussing here?

-- 

*Todd Herr* | Technical Director, Standards and Ecosystem
*e:* [email protected]
*m:* 703.220.4153

_______________________________________________
dmarc mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dmarc
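
Added example, not part of the thread or of any participant's message: a small alignment check showing how the `adkim` and `aspf` modes raised in the reply change the outcome for the two sister names in the quoted message. The DMARC records and the one-entry public-suffix set are constructed for illustration, and the check assumes SPF or DKIM has already passed for the identifier handed in.

```python
# Added illustration: DMARC identifier alignment, relaxed vs strict.
# Constructed minimal suffix set; real receivers consult the full Public Suffix List.
PUBLIC_SUFFIXES = {"com"}

# Names taken from the message above; the two DMARC records are constructed samples.
FROM_DOMAIN = "innocentcustomer.buildingmanagement.com"
SISTER_DOMAIN = "imreallynotabadguy.buildingmanagement.com"
RELAXED_RECORD = "v=DMARC1; p=reject"                    # adkim/aspf default to "r"
STRICT_RECORD = "v=DMARC1; p=reject; adkim=s; aspf=s"


def org_domain(name, suffixes=PUBLIC_SUFFIXES):
    """Organizational domain: longest matching public suffix plus one more label."""
    labels = name.lower().rstrip(".").split(".")
    for i in range(len(labels)):            # i = 0 tests the longest candidate first
        if ".".join(labels[i:]) in suffixes:
            return ".".join(labels[max(i - 1, 0):])
    return ".".join(labels)                 # unknown suffix: name is its own org domain


def parse_modes(record):
    """Return (adkim, aspf) from a DMARC record; each defaults to 'r' when absent."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip().lower()
    return tags.get("adkim", "r"), tags.get("aspf", "r")


def aligned(from_domain, auth_domain, mode):
    """Strict: names must be identical. Relaxed: organizational domains must match."""
    a, b = from_domain.lower().rstrip("."), auth_domain.lower().rstrip(".")
    if mode == "s":
        return a == b
    return org_domain(a) == org_domain(b)


def dmarc_aligned(record, from_domain, spf_domain=None, dkim_domain=None):
    """True if any identifier that already passed SPF or DKIM aligns with From."""
    adkim, aspf = parse_modes(record)
    spf_ok = spf_domain is not None and aligned(from_domain, spf_domain, aspf)
    dkim_ok = dkim_domain is not None and aligned(from_domain, dkim_domain, adkim)
    return spf_ok or dkim_ok


if __name__ == "__main__":
    for label, record in (("relaxed", RELAXED_RECORD), ("strict", STRICT_RECORD)):
        print(label, dmarc_aligned(record, FROM_DOMAIN, spf_domain=SISTER_DOMAIN))
```

The alignment mode is read from the DMARC record that applies to the From domain, so strict mode only takes effect where that record sets it.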