Perhaps you can clarify what you think DMARC is. Apparently a significant number of evaluators think that "DMARC Fail with p=reject always means unwanted mail". Or to use Michael Hammer's language, "DMARC Fail with p=reject means the domain owner wants it rejected so I will reject it." These are exactly the attitudes that cause us so much trouble because (a) DMARC Fail with p=reject does not mean that rejection is always the correct response, and (b) DMARC Fail with p=none is an important piece of information.
We have only two ways to block unwanted messages: identify unwanted and malicious messages based on the sender, or based on the content. Impersonation interferes with the sender reputation assessment, so we know that attackers have an incentive to impersonate. Sender Authentication provides information about messages that MIGHT be impersonations because they are not authenticated. Fortunately, most messages can be authenticated.

Doug

On Wed, Jul 19, 2023 at 5:32 PM John Levine <[email protected]> wrote:
> It appears that Barry Leiba <[email protected]> said:
> >> - An attacker sends 10 messages that maliciously impersonate a
> >> big bank. With help from DMARC p=reject, the evaluator blocks
> >> them all. The attacker follows up with 10 messages that
> >> maliciously impersonate a major university. The stupid
> >> evaluator says, "p=none means no problem here". The message is
> >> accepted and the user is harmed because the evaluator learned
> >> nothing from blocking the successful attack.
> >
> >This is a useful point, and I think we should do something with it.
>
> Sorry, but I completely disagree.
>
> The interesting filtering data is that a bunch of unauthenticated mail
> arrived from some source. As we have learned over and over, someone's
> DMARC policy tells you nothing about the threat level or whether the
> failure is an attack or a mailing list, only that someone decided for
> whatever reason to publish p=reject.
>
> If a source sends a burst of unauthenticated mail, it could often be a
> good idea to give that source a poor reputation. Or maybe you have a
> reason to believe otherwise, e.g., it's been sending bursts of
> unauthenticated mail for years, nobody's ever marked it as spam,
> because it's some kind of courtesy forward.
>
> Note that you would do exactly the same thing if the burst of
> unauthenticated university mail preceded the burst of bank mail. It's
> the authentication failure that tells you that there may be a problem,
> not the DMARC policy.
>
> Mail filtering is complicated, so much so that handling the signals is
> more than a full time job at many mail systems. I expect that large
> mail systems have their own ideas about who's a bank, who's a
> university, who's a public mail system, and so forth. You get exactly
> none of that from DMARC. After all, yahoo is p=reject, gmail and
> hotmail/outlook are p=none.
>
> I am so tired of people imagining that DMARC is more than it is.
>
> R's,
> John
>
> _______________________________________________
> dmarc mailing list
> [email protected]
> https://www.ietf.org/mailman/listinfo/dmarc
_______________________________________________ dmarc mailing list [email protected] https://www.ietf.org/mailman/listinfo/dmarc
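The evaluator behaviour the thread argues about, as an added example that is not part of the list discussion: a small Python model of a receiver that keeps the domain owner's p= disposition separate from its own per-source reputation, so that authentication failures are counted whether the policy says reject or none, with a known-forwarder allow-list standing in for John's "courtesy forward" exception. The class and function names, the burst threshold of 3, and the source addresses are assumptions, not anything a real MTA or the DMARC specification defines.

```python
from collections import defaultdict
from dataclasses import dataclass

@dataclass(frozen=True)
class Message:
    source_ip: str      # connecting MTA; sample addresses below are constructed
    from_domain: str    # RFC5322.From domain
    spf_aligned: bool   # SPF pass with identifier aligned to the From domain
    dkim_aligned: bool  # DKIM pass with identifier aligned to the From domain
    policy: str         # p= value published by the From domain: none/quarantine/reject

def dmarc_pass(m: Message) -> bool:
    return m.spf_aligned or m.dkim_aligned

class Evaluator:
    """Hypothetical receiver: DMARC policy and source reputation are kept apart."""
    def __init__(self, burst_threshold=3, known_forwarders=()):
        self.failures = defaultdict(int)           # unauthenticated count per source IP
        self.threshold = burst_threshold           # assumed burst size, not a standard value
        self.known_forwarders = set(known_forwarders)

    def policy_disposition(self, m: Message) -> str:
        """Only what the domain owner asked for; p=none asks for nothing."""
        if dmarc_pass(m):
            return "accept"
        return {"reject": "reject", "quarantine": "quarantine"}.get(m.policy, "accept")

    def reputation(self, ip: str) -> str:
        if ip in self.known_forwarders:
            return "trusted"                       # the courtesy-forward exception
        return "poor" if self.failures[ip] >= self.threshold else "neutral"

    def evaluate(self, m: Message) -> str:
        if not dmarc_pass(m):
            self.failures[m.source_ip] += 1        # counted whatever p= says, p=none included
        action = self.policy_disposition(m)
        if action == "accept" and not dmarc_pass(m) and self.reputation(m.source_ip) == "poor":
            action = "quarantine"                  # local decision driven by the failure burst
        return action

def run_scenario(forwarder_allowlisted=False):
    """Barry's scenario: 10 unauthenticated bank messages, then 10 university ones, one source."""
    src = "192.0.2.10"                             # constructed, TEST-NET-1
    ev = Evaluator(known_forwarders={src} if forwarder_allowlisted else ())
    bank = [Message(src, "bank.example", False, False, "reject") for _ in range(10)]
    univ = [Message(src, "university.example", False, False, "none") for _ in range(10)]
    return [ev.evaluate(m) for m in bank], [ev.evaluate(m) for m in univ]
```

With the allow-list empty the university burst is quarantined because the source already earned a poor reputation from the bank burst; with the source allow-listed as a known forwarder, the same unauthenticated university mail is accepted while the p=reject bank mail is still rejected.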
