On Saturday, October 28, 2023 11:26:40 AM EDT Richard Clayton wrote:
> In message <3316620.Pp0j0xxFaF@localhost>, Scott Kitterman
> <skl...@kitterman.com> writes
>
> >What's your plan for when easily getting a DMARC pass due to bad SPF
> >records doesn't work anymore, so the bad guys focus more on DKIM replay?
>
> At $DAYJOB$, DKIM replay is simply not an issue any more ... caching
> DKIM values and blocking more than N emails with the same value (whilst
> of course exempting mailing lists) has proved extremely effective for
> several years now.
>
> Paying attention to the (sometimes inferred) age of a signature is also
> important for reducing the opportunity for replay, viz: it would be a
> Good Thing for senders to set appropriately short expire times.
I guess that works as long as N - 1 spoofed DMARC pass results is OK. I think
not everyone has been so fortunate. I expect it will get more focus if
cross-user forgery for SPF stops working as well.

Scott K

_______________________________________________
dmarc mailing list
dmarc@ietf.org
https://www.ietf.org/mailman/listinfo/dmarc
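The two receiver-side controls discussed in this exchange (counting how many messages arrive with the same DKIM signature value and refusing more than N, while exempting mailing-list traffic, and treating a signature as unusable once it is older than its declared or inferred age) can be sketched as follows. This is an added illustration, not code from either poster or from any production system; the header parsing, the `ReplayCache` class, the `evaluate` function, the sample `DKIM-Signature` value and the threshold N=3 are all assumptions chosen for the example, and the `t=`/`x=` tags are the signing-time and expiration tags defined in RFC 6376.

```python
import hashlib
import re
from collections import defaultdict

# Constructed sample DKIM-Signature value: a placeholder base64 body (b=),
# signed at t=1698500000 and expiring at x=1698586400 (24 hours later).
SAMPLE_SIG = ("v=1; a=rsa-sha256; d=example.com; s=sel; t=1698500000; "
              "x=1698586400; h=from:to:subject; bh=AAAA; b=BBBB")


def parse_dkim_tags(header_value):
    """Parse the tag=value list of a DKIM-Signature header into a dict.

    Folding whitespace is permitted inside values, and b=/bh= are base64,
    so whitespace is stripped before the value is compared or cached.
    """
    tags = {}
    for part in header_value.split(";"):
        if "=" not in part:
            continue
        name, value = part.split("=", 1)
        tags[name.strip()] = re.sub(r"\s+", "", value)
    return tags


class ReplayCache:
    """Counts how often a given (d=, b=) pair has been seen.

    The signature value b= is unique per signed message, so many copies of
    the same b= arriving at one receiver is the replay pattern described in
    the thread. A real deployment would bound memory and expire old keys.
    """

    def __init__(self, max_copies):
        self.max_copies = max_copies  # the "N" of the original message
        self.seen = defaultdict(int)

    @staticmethod
    def key(tags):
        raw = tags.get("d", "") + "|" + tags.get("b", "")
        return hashlib.sha256(raw.encode()).hexdigest()

    def record(self, tags):
        k = self.key(tags)
        self.seen[k] += 1
        return self.seen[k]


def evaluate(headers, cache, now, max_age):
    """Return a verdict for one message.

    headers: dict of lower-cased header name -> value (constructed input).
    now: current Unix time. max_age: policy limit, in seconds, applied to
    signatures that carry t= but no explicit x= expiry.
    """
    sig = headers.get("dkim-signature")
    if sig is None:
        return "no-signature"
    tags = parse_dkim_tags(sig)

    # Signature age: an explicit x= wins; otherwise infer age from t=.
    if "x" in tags and now > int(tags["x"]):
        return "expired"
    if "x" not in tags and "t" in tags and now - int(tags["t"]) > max_age:
        return "stale"

    # Mailing lists legitimately redistribute one signed message to many
    # subscribers, so list traffic is exempt from the copy count.
    if "list-id" in headers:
        return "pass-list"

    if cache.record(tags) > cache.max_copies:
        return "replay"
    return "pass"


def demo():
    """Feed the same signed message through the cache repeatedly."""
    cache = ReplayCache(max_copies=3)
    msg = {"from": "alice@example.com", "dkim-signature": SAMPLE_SIG}
    now = 1698500600  # ten minutes after signing
    return [evaluate(msg, cache, now, max_age=86400) for _ in range(4)]


if __name__ == "__main__":
    print(demo())
```

The fourth copy of the same signature is refused while the first three pass, which is exactly the "N - 1 spoofed passes" trade-off the reply points out; lowering N tightens that window at the cost of more false positives for legitimate multi-recipient mail that is not a list.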