Re: [dmarc-ietf] Header Rewriting

[Laura Atkins <laura@wordtothewise.com>]

> On 6 Jan 2021, at 12:29, Douglas Foster <dougfoster.emailstandards@gmail.com> wrote:
> 
> I am no fan of header rewrite, but...
> 
> If you are going to talk about "Trust Indicators", we need to define terms, which has not been done.   Here are my definitions:
> - The From header is an Identity Assertion.
> - DMARC is an Identity Verification technique.
> - A text message saying, "This message verified by DMARC", is a Trust Indicator.
> My definitions are consistent with the way that that one study used a trust indicator.   Using these definitions, From rewrite has nothing to do with Trust Indicator research.  If anyone wants to assert different definitions, please get them on the table.
> 
> The fact that users complain about From rewrite is proof that they look at the information.    This is because it is an Identity Assertion, not a Trust Indicator.

The header rewriting being proposed - that is header rewriting by the ESP so that the messages that go through their system are rewritten to point to the ESP and not the author of the message - means that the identity assertion is disconnected from the context of a message.

Want to know what mail goes through ESPs? Bank mail, social media mail, marketing mail. Billions of emails a day go through ESPs that you have and have not heard of. 

The proposal at issue is that these ESPs be allowed to rewrite the From  address any message they handle to point to an email address they control. This disconnects the identity in the 5322.from address from the actual sender of the message. 

Most users may know who constantcontact are or mailchimp because they advertise widely. Some might have heard of GoDaddy but do you know what the company name of the GoDaddy ESP is? I don’t off the top of my head. 

> I accept that actual Trust Indicators have a small effect, but rounding down  to zero seems like an overstatement.   When fighting malware, I will take all the help that I can get, even small help.

And now we have a malware company that rewrites headers to point to a domain they own and it passes DMARC and is given a Trust Indicator. Recipients are used to seeing domains they don’t know or understand send trusted mail from their bank, or their girl scout troop, or their social media company. They have no reason to distrust the unfamiliar identity assertion in the from address. 

> Lots of organizations use trust indicators and lots of organizations use DMARC for validating the From address.  Message annotation has gone up exactly because many MUAs are making the From address visible only on request.   Common tag lines are now of the form:  "This message is from an external source, so be careful."   I don't see that it is our job to tell domain owners that they are wrong,

This has nothing to do with header rewriting at all, which is the topic at hand. 

> Domain administrators are within their rights to block any incoming message for any reason.   Users routinely work with their domain administrators to ensure that the messages that they want get accepted and messages that they do not want get blocked.    If users and domain administrators cannot solve their differences, the user can communicate using a different domain.  If DMARC produces false positives that cannot be resolved by this process, we would do well to ask why.

Header rewriting doesn’t solve false positives, it increases the chances of them. Header rewriting for commercial messages by ESPs means that folks attempting to masquerade as a legitimate company have a RFC recommended way to evade DMARC and pretend to be the company they’re attacking. 

This isn’t random speculation, this is what is going to happen. We've spent the last 20 years watching spammers and phishers do everything they can to get mail out. If the DMARC RFC says ‘ESPs should rewrite headers to avoid DMARC policies on mail going through the ESP’ then we’ve just made DMARC utterly worthless. We’ve also set up every company that is currently using DMARC p=reject to be attacked in ways they cannot tract. 

> I see no relevance between the EV experience and DMARC.   EV is an identity verification technique, but it lacked a policy mechanism.   As a website user, I have no way of knowing whether a particular website MUST have an EV certificate or not.   If such a policy mechanism existed, it would have been automated and the site would be blocked.   DMARC has a policy mechanism, and it has been automated, so messages are blocked.

The whole point here is that header rewriting evades the policy mechanism of DMARC so that messages aren’t blocked.

> Forwarding hides information that the email filter needs to make a correct decision.   Header rewrite hides the problem, but does not solve it.   When we get the automation right, predicting user behavior will not be necessary.

You’re going to need to provide evidence this is the case.

laura

-- 
Having an Email Crisis?  We can help! 800 823-9674 

Laura Atkins
Word to the Wise
laura@wordtothewise.com
(650) 437-0741		

Email Delivery Blog: https://wordtothewise.com/blog