Re: [dmarc-ietf] Email security beyond DMARC?

Ken Simpson <> Thu, 21 March 2019 17:01 UTC

To: John R Levine <>
Cc: Dotzero <>, IETF DMARC WG <>

> > I'm going to have to disagree with you John. DMARC is about preventing
> > direct domain abuse. It does not specifically address phishing as the bad
> > guys can simply use cousin domains, homoglyphs, etc.
> Well, it's about a subset of phishing.  It's surely more about phishing
> than about spam.

IMHO, by cutting out direct domain spoofing, DMARC makes it easier for
receivers to craft algorithms that spot impersonation attacks. Once you
have configured DMARC, receivers can build - for example - a machine
learning system that learns what your legitimate email looks like. They can
use that same system to identify messages that look like your legitimate
email but which do not actually originate from your domain.

If you want to detect domain impersonation or "brand" impersonation, you
first have to have a verifiable ground truth corpus. That is what DMARC