On Wed, Sep 13, 2023 at 6:01 PM Douglas Foster <[email protected]> wrote:

> Let's analyze the problem Jim raises, using it to answer Hector's question
> about where responsibility lies.
>
> Our assumed reference model is a fully automated, by-the-spec
> implementation of RFC 7489. In particular, this means that:
> - when p=none, unauthenticated messages are never obstructed, for fear of
> hindering a wanted message
> - when p=reject, unauthenticated messages are never allowed, in the blind
> faith that such messages are always unwanted
> - when p=quarantine, automation will break down, so the policy is
> recategorized as either none or reject.
>
> This raises a coverage problem. A huge volume of traffic will not be
> protected by Sender Authentication, so the evaluator becomes entirely
> dependent upon content filtering to protect himself from attacks that
> impersonate unprotected domains. In the unlikely case that a content
> filtering implementation is sufficient for non-DMARC domains, it is likely
> to be sufficient for DMARC domains also, making DMARC unnecessary.
>

I don't follow the logic here. Both the DMARC verdict about a message and the result of content filtering are, as I understand it, typically weighted inputs to a final disposition decision, even when that DMARC result is effectively a shrug. If the underlying theme here is a need for ultimate determinism, I think by now we've learned that's a fool's errand. The decision machine is far too complex, and making it comprehensive requires enormous investment that not many operators can afford to make.

> The coverage problem is aggravated if we assume rational attackers. With
> a plethora of domains available for impersonation, attackers are least
> likely to use domains that are protected with p=reject. Therefore the
> reference model implementation protects an evaluator where attacks are
> least likely, and fails to protect an evaluator where attacks are most
> likely.
>

So you're saying DMARC fails to protect domains that don't set "p=reject"? That claim has the appearance of a tautology.

> The problem is the reference model. DMARC is not amenable or appropriate
> using a fully-automated implementation.
>

I don't believe it has ever been claimed to be such, nor do I believe there is an illusion that this is even possible. If the issue is that the document under development claims otherwise, that's something that deserves attention.

> Domain owner policies of "p=none" or "no policy" SHOULD NOT cause the
> evaluator to ignore Sender Authentication considerations.
>

Does any document, published or under development, assert otherwise?

> Since any unauthenticated message carries risk of an impersonation attack,
> regardless of DMARC policy, every unauthenticated message should be
> assessed for impersonation risk.
>

Certainly, but haven't we already established this?

-MSK, participating
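As an added example, not from the thread or any of its participants, the two models under discussion side by side: the quoted fully automated reference model, and the weighted-inputs disposition the reply describes, in which every unauthenticated message is assessed regardless of policy. The message fields, risk weights and thresholds are constructed for illustration and are not taken from RFC 7489.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass
class Message:
    # Constructed inputs describing one inbound message.
    policy: Optional[str]   # DMARC p= of the From: domain: "none", "quarantine", "reject", or None (no record)
    aligned_pass: bool      # aligned SPF or DKIM pass, i.e. the DMARC verdict is "pass"
    content_risk: float     # impersonation score from content filtering, 0.0 (clean) to 1.0 (certain)


def reference_model(m: Message) -> str:
    """The fully automated, by-the-spec model from the quoted text:
    p=none never obstructs, p=reject never allows, and p=quarantine is
    recategorized (here as reject). Content filtering plays no part."""
    if m.aligned_pass or m.policy in (None, "none"):
        return "deliver"
    return "reject"


# Hypothetical risk contributed by a failed DMARC check, per published policy.
_POLICY_RISK = {None: 0.3, "none": 0.3, "quarantine": 0.6, "reject": 1.0}


def weighted_model(m: Message) -> str:
    """DMARC verdict and content-filter score combined as weighted inputs,
    as in the reply. An unauthenticated message from a p=none or no-policy
    domain still gets a (small) risk contribution, so it is no longer
    'never obstructed' when content filtering flags it."""
    auth_risk = 0.0 if m.aligned_pass else _POLICY_RISK[m.policy]
    score = auth_risk + m.content_risk
    if score >= 1.0:
        return "reject"
    if score >= 0.5:
        return "quarantine"
    return "deliver"


def compare(m: Message) -> tuple:
    """Return (reference disposition, weighted disposition) for one message."""
    return reference_model(m), weighted_model(m)


if __name__ == "__main__":
    samples = [Message("none", False, 0.9), Message("quarantine", False, 0.0),
               Message("reject", False, 0.0), Message(None, False, 0.1)]
    for s in samples:
        print(s, "->", compare(s))
```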
_______________________________________________ dmarc mailing list [email protected] https://www.ietf.org/mailman/listinfo/dmarc
