I regularly get reports from nore...@dmarc.yahoo.com, that are DKIM
signed by yahoo.com, on behalf of all the other yahoo ccTLDs and their
other domains.

The "Submitter" field in the subject identifies the domain the report is
from, and the attachment filename starts with this same domain as well.
(e.g. yahoo.no)

But how can I know that nore...@dmarc.yahoo.com speaks on behalf of
yahoo.no, aol.com, rocketmail.com, etc.?

2.5.2 Email defines the attachment filename to start with "receiver",
the domain of the Mail Receiver, and that the subject shall include
"Submitter:", the domain of the report generator. It also says:

   Email streams carrying DMARC feedback data MUST conform
   to the DMARC mechanism, thereby resulting in an aligned
   "pass" (see Section 3.1). This practice minimizes the
   risk of report consumers processing fraudulent reports.

Presumably the domain in the From address should also align with the
identifier in the filename and the "Submitter:" part of the Subject.

That seems to be the only way to guard against dmarc@attacker.example
setting up DMARC and submitting fraudulent reports on behalf of any
other domain, is it not?

Is this mentioned someplace else, or do we have a defect?

If so, does it merit fixing, and how?

Maybe inject a sentence before the 'This practice ...' part of the
quoted text, above:

   Additionally, the Authenticated Identifier MUST also align
   with the stated "Submitter" in the subject, and the
   "receiver" part of the filename.


Daniel K.
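
As an added illustration, not code from the post or from any DMARC implementation, here is a Python sketch of the alignment check proposed above: the authenticated identifier must align not only with the From domain (the ordinary DMARC pass) but also with the "Submitter:" domain in the Subject and the "receiver" prefix of the attachment filename. It assumes the authenticated identifier (DKIM d= or SPF domain) has already been taken from a trusted Authentication-Results header, and it uses a simplified organizational-domain rule in place of the Public Suffix List.

```python
import re

# Matches the "Submitter: <domain>" token in a DMARC aggregate report Subject.
SUBMITTER_RE = re.compile(r"Submitter:\s*([A-Za-z0-9.-]+)", re.IGNORECASE)


def org_domain(domain, suffix_labels=1):
    """Simplified organizational domain: keep the public suffix plus one label.
    Assumption: a one-label public suffix (com, no, ...). A real receiver
    would consult the Public Suffix List instead."""
    labels = domain.lower().strip(".").split(".")
    return ".".join(labels[-(suffix_labels + 1):])


def aligned(auth_domain, other, strict=False):
    """DMARC-style identifier alignment: exact match (strict) or same
    organizational domain (relaxed)."""
    if strict:
        return auth_domain.lower() == other.lower()
    return org_domain(auth_domain) == org_domain(other)


def receiver_from_filename(filename):
    """Filename format: receiver!policy-domain!begin!end[!unique-id].xml[.gz]
    The first '!'-separated field is the report generator's domain."""
    return filename.split("!", 1)[0].lower()


def submitter_from_subject(subject):
    match = SUBMITTER_RE.search(subject)
    return match.group(1).lower() if match else None


def check_report(auth_domain, from_addr, subject, filename, strict=False):
    """Return the three alignment results for one report email.
    auth_domain is the DKIM d= (or SPF) domain that actually passed."""
    from_domain = from_addr.rsplit("@", 1)[1]
    submitter = submitter_from_subject(subject)
    receiver = receiver_from_filename(filename)
    return {
        # Ordinary DMARC result: authenticated identifier vs. From domain.
        "dmarc_pass": aligned(auth_domain, from_domain, strict),
        # The two extra checks the post proposes; a missing Submitter fails.
        "submitter_aligned": submitter is not None
        and aligned(auth_domain, submitter, strict),
        "receiver_aligned": aligned(auth_domain, receiver, strict),
    }
```

With constructed inputs modelled on the situation in the post, a report DKIM-signed by yahoo.com with "Submitter: yahoo.no" passes DMARC but fails both extra checks, exactly like a report from an unrelated domain claiming to speak for yahoo.no.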

_______________________________________________
dmarc mailing list -- dmarc@ietf.org