Re: [dmarc-ietf] Rethinking DMARC for PSDs

["Douglas E. Foster" <fosterd@bayviewphysicians.com>]

Mr Levine brings up the valid point that there are a lot of mail filters 
with inadequate capabilities.   I determined that my two products have 
inexcusable weaknesses, so I went shopping.   
 I had only these rudimentary requirements:
  	IP filtering 	Reverse DNS filtering 	Multi-factor whitelisting or some 
other safe mechanism for handling SPF policy mistakes. 	DMARC policy 
enforcement 	A secure-email method for outbound messages with sensitive 
content 	No domain spoofing by the product that is supposed to protect from 
domain spoofing. 
 I was blown away when I discovered:
  	Products that could not do IP filtering. 	Products that could do DMARC 
enforcement but not Reverse DNS filtering, and the reverse. 	Vendors who 
had no idea what multi-factor whitelisting meant. 	High-end vendors who did 
domain spoofing in their secure-email solution.  (They have been notified.) 
   
 Along the way, I was referred to three industry-analyst reports, and was 
equally disappointed that the reports showed no evidence of a theoretical 
framework on which to judge vendor differences.  At least one analyst 
declared the industry "mature", which struck me as odd given the damage 
done by WannaCry and the obvious problems in the products I have been 
examining.
  
 I currently have exactly ONE vendor that is probably adequate, but I 
curtailed the discussion when I realized his costs were way higher than 
what I can interest management in spending.   Overall, it appears product 
vendors have no idea what is actually needed and why.
  
 Since bad email filters are the problem, why is there no IETF working 
group to define the expected behavior of email filters?    More 
importantly, can we start one NOW?
  
 I have been preparing to submit an email filter evaluation RFC as an 
individual, since this group seemed uninterested after an earlier post.   
But it would be better as a working group document, and it might become 
standards-worthy.
  
 Doug Foster
  

----------------------------------------
 From: "John Levine" <johnl@taugh.com>
Sent: Sunday, April 7, 2019 8:51 PM
To: dmarc@ietf.org
Cc: fosterd@bayviewphysicians.com
Subject: Re: [dmarc-ietf] Rethinking DMARC for PSDs   
In article <c588c5eeec224162bffd080693c703e1@bayviewphysicians.com> you 
write:
> The problem:
> Spammers use non-existent domains to achieve identity spoofing, such as
>tax.example.gov.uk
> This is primarily a reception problem, because many recipient mail 
filters
>are not equipped to block this type of fraud. ..

Right, and we can stop right there.

A decent spam filter will treat a nonexistent From: domain or envelope
bounce address as extremely suspicious and send the message into spam
folder purgatory. If someone's filters aren't doing that, it is
unlikely that they're paying much if any attention to DMARC, and no
amount of fiddling with DMARC will make any difference.

My mail server rejects anything with a non-existent bounce address at
SMTP time and I don't think it's ever rejected anything my users would
want.

The solution to this problem is for mail systems to fix their filters,
not to invent yet another mail-breaking hack that they won't use
anyway.

R's,
John