Axioms: (1) Most lists are legitimate (2) Mailing list posts have characteristics that make them readily distinguishable from other traffic.
Charter Goal: The protocol will cause Evaluators to accept mailing list posts without From munging (as long as the list is a legitimate operator).

The first goal immediately produces these derived goals:
(A) The protocol will cause Evaluators to accept mailing list From addresses because the list has authenticated them as correct, or
(B) The protocol will cause Evaluators to become indifferent to threats from malicious impersonation.

Of course, option (B) is not really a valid option, so we encounter the next problem:
- The protocol provides a single technique for detecting and blocking malicious impersonation: DMARC FAIL with p=REJECT.
- However, the protocol also specifies that all list participating domains SHOULD NOT use p=reject.
- Therefore, the protocol provides no mechanism for the list to authenticate incoming messages.

Without authentication, the mailing list becomes a special case of an open relay.

ARC to the Rescue?

DMARCbis does not yet mention ARC, but let's bring it into the analysis. We assume that ARC results are trusted because lists are assumed to be legitimate until proven otherwise. ARC permits the mailing list to document messages received with DMARC PASS. An evaluator can use that information to conclude that messages which had DMARC PASS are not malicious impersonations. But for messages with DMARC FAIL with p=NONE or DMARC No Policy, authentic traffic cannot be distinguished from fraudulent traffic because the protocol has not provided a way to do so. A rational evaluator will treat the messages similar to messages received from an open relay.

Ergo, AOL/YAHOO/VERIZON have the correct security policy because mailing list traffic cannot be made free of malicious impersonation. This is not the conclusion that we were supposed to produce, so I don't see how we can be done with our protocol.

Doug Foster
_______________________________________________ dmarc mailing list [email protected] https://www.ietf.org/mailman/listinfo/dmarc
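The evaluator decision the post describes (DMARC PASS is accepted; a valid, trusted ARC chain whose ARC-Authentication-Results record dmarc=pass is accepted; DMARC FAIL under p=reject is rejected; everything else is indistinguishable from open-relay traffic), written up here as an added Python model. It is not code from the post or from any DMARC/ARC implementation; the header values, policy records and domain names are constructed, and the helpers parse only the tags this model needs.

```python
import re


def parse_dmarc_policy(record):
    """Parse a DMARC TXT record such as 'v=DMARC1; p=none' into a tag dict."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip().lower()
    return tags


def parse_aar(header):
    """Parse an ARC-Authentication-Results value, e.g.
    'i=1; list.example; dmarc=pass header.from=sender.example',
    into (instance, authserv-id, {method: result})."""
    fields = [f.strip() for f in header.split(";")]
    instance = int(fields[0].split("=", 1)[1])
    authserv_id = fields[1]
    results = {}
    for field in fields[2:]:
        m = re.match(r"(\w+)=(\w+)", field)   # 'dmarc=pass header.from=...' -> ('dmarc', 'pass')
        if m:
            results[m.group(1).lower()] = m.group(2).lower()
    return instance, authserv_id, results


def evaluate(dmarc_now, arc_cv, aar_header, policy_record):
    """Return 'accept', 'reject' or 'open-relay' (indistinguishable traffic).

    dmarc_now     : DMARC result the evaluator computed itself ('pass'/'fail')
    arc_cv        : ARC chain validation result ('pass'/'fail'/'none')
    aar_header    : ARC-Authentication-Results added by the (trusted) list
    policy_record : the From domain's DMARC record, or None if it has no policy
    """
    if dmarc_now == "pass":
        return "accept"                       # authenticated end to end
    if arc_cv == "pass":
        _, _, list_results = parse_aar(aar_header)
        if list_results.get("dmarc") == "pass":
            return "accept"                   # list attests DMARC PASS on entry
    policy = parse_dmarc_policy(policy_record).get("p", "none") if policy_record else "none"
    if policy == "reject":
        return "reject"                       # the one blocking mechanism the post names
    return "open-relay"                       # p=none / no policy: cannot tell authentic from forged
```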
