Glad you are seeing DMARC benefits. I suggest a full set of management statistics should be based on 100 of messages, and include:
% blocked by reputation % blocked by DMARC Fail+Reject % Authenticated by DMARC % Authenticated by local policy % Not authenticated "Not Authenticated" is an interim result that begs for review. As you work the Not Authenticated pool, senders will migrate to "blocked by reputation" or "authenticated by local policy" The review process will expose both unwanted impersonators and unwanted non-impersonators, with both moving into the "blocked by reputation" bucket. The Not Authenticated number should decrease steadily and can move into the high 90% range pretty quickly. "Blocked by DMARC Fail+Reject" is also an interim result that should converge toward zeros. Malicious senders should move to "blocked by reputation" and acceptable sources such as mailing lists should move to "Authenticated by Local Policy". Similarly, reviews of content filtering should move malicious senders into the "blocked by reputation" bucket, and may move some senders into a whitelist. Over time, the percentage of messages blocked by content filtering should decrease, because both sender authentication and content filtering are converting blocked messages into blocked senders. The statistic will reverse direction when new content filtering strategies expose previously-undetected malicious senders. Doug Foster On Wed, Sep 13, 2023, 9:32 PM Richard Clayton <rich...@highwayman.com> wrote: > -----BEGIN PGP SIGNED MESSAGE----- > Hash: SHA1 > > In message <CAH48ZfyQzzoKkefEm9M7AQfLAxM+WcanPrzB_xMxRMu- > czy...@mail.gmail.com>, Douglas Foster <dougfoster.emailstandards@gmail. > com> writes > > > The coverage problem is aggravated if we assume rational attackers. > > With a plethora of domains available for impersonation, attackers > > are least likely to use domains that are protected with p=reject. > > you have grasped it ... the rational attackers do not impersonate the > protected domains, and the irrational attackers are blocked when they > do; hence the domain is protected and users are not misled > > > Therefore the reference model implementation protects an evaluator > > where attacks are least likely, and fails to protect an evaluator > > where attacks are most likely. > > however DMARC protects end users who might act on emails that were > spoofed to be from the domain that has been protected > > Ian Levy (then of NCSC here in the UK) in "Active Cyber Defence - One > Year On" reported > > We have seen the number of messages spoofed from an @gov.uk address > (for example, taxref...@gov.uk) fall consistently over 2017, > suggesting that criminals are moving away from using them as fewer > and fewer of them are delivered to end users. > > Across the 555 public sector email domains reporting to Mail Check, > we are seeing an average of 44.1 million messages a month which > fail verification, with a peak of 78.8 million in June. Of those, > an average of 4.5 million are not delivered to the end users. The > peak in June saw 30.3 million spoofed messages not delivered to end > users. > > from which you will see that there are were a number of irrational > attackers, but that the rational ones now found their task harder > > - -- > richard Richard Clayton > > Those who would give up essential Liberty, to purchase a little temporary > Safety, deserve neither Liberty nor Safety. Benjamin Franklin 11 Nov 1755 > > -----BEGIN PGP SIGNATURE----- > Version: PGPsdk version 1.7.1 > > iQA/AwUBZQJiO92nQQHFxEViEQIQ/wCg3bMOOkwzlALOCiqSeyYat37sLPsAoMmY > PQmhq6x7U/NYsa9/qa0geqQO > =cwUs > -----END PGP SIGNATURE----- > > _______________________________________________ > dmarc mailing list > dmarc@ietf.org > https://www.ietf.org/mailman/listinfo/dmarc >
_______________________________________________ dmarc mailing list dmarc@ietf.org https://www.ietf.org/mailman/listinfo/dmarc
