Re: [dmarc-ietf] Email security beyond DMARC?

"Doug Foster" <> Thu, 21 March 2019 18:36 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 467D6131580 for <>; Thu, 21 Mar 2019 11:36:18 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -1.999
X-Spam-Status: No, score=-1.999 tagged_above=-999 required=5 tests=[AC_DIV_BONANZA=0.001, BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: (amavisd-new); dkim=pass (1024-bit key)
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id UQDCKhr1w07r for <>; Thu, 21 Mar 2019 11:36:15 -0700 (PDT)
Received: from ( []) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by (Postfix) with ESMTPS id 77F1F13157B for <>; Thu, 21 Mar 2019 11:36:15 -0700 (PDT)
X-ASG-Debug-ID: 1553193373-0990574bec948c0001-K2EkT1
Received: from ( []) by with ESMTP id A1ngQmtVXqWOA7wj (version=TLSv1.2 cipher=ECDHE-RSA-AES256-SHA384 bits=256 verify=NO); Thu, 21 Mar 2019 14:36:13 -0400 (EDT)
X-ASG-Whitelist: Client
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=s1025; h=content-type:mime-version:message-id:date:subject:to:from; bh=3tvAyoe10D/k1YqZmWajsZQfbtLZAWKpD3+hxfsRqRM=; b=SFnypvOfAlYRdZC1y2T3h8SZT1ySAKuvqmIqdUKXUuqvvLcy1919C8Y6n0g0YCKLS A6Aqqj3eePiXU7vqkkTUw3ywGtupQZXtZYDG2OZy8EPwZV9vXMdpRJQH0W2O2hOUB oeBNKUuabxiYt5/lDsm4R1TI+wbRVaaHCTfnaie20=
Received: from MSA189 ( []) by with SMTP (version=TLS\Tls12 cipher=Aes256 bits=256); Thu, 21 Mar 2019 14:36:05 -0400
From: "Doug Foster" <>
To: "'Ken Simpson'" <>, "'John R Levine'" <>
Cc: "'IETF DMARC WG'" <>, "'Dotzero'" <>
References: <20190319184209.804E42010381DB@ary.qy> <> <alpine.OSX.2.21.1903201042010.79863@ary.qy> <> <alpine.OSX.2.21.1903211031070.83149@ary.qy> <>
In-Reply-To: <>
Date: Thu, 21 Mar 2019 14:36:04 -0400
X-ASG-Orig-Subj: RE: [dmarc-ietf] Email security beyond DMARC?
Message-ID: <002901d4e014$f0b50570$d21f1050$>
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="----=_NextPart_000_002A_01D4DFF3.69A56140"
X-Mailer: Microsoft Outlook 14.0
Thread-Index: AQE6O+S0HJlyLiYHqbQiq+xXXaEBHALEYuj6AsdeCWcB1qzo1wGfJ1scAdfzHram9OQMQA==
Content-Language: en-us
X-Exim-Id: 002901d4e014$f0b50570$d21f1050$
X-Barracuda-Start-Time: 1553193373
X-Barracuda-Encrypted: ECDHE-RSA-AES256-SHA384
X-Barracuda-BRTS-Status: 1
X-Virus-Scanned: by bsmtpd at
X-Barracuda-Scan-Msg-Size: 11994
Archived-At: <>
Subject: Re: [dmarc-ietf] Email security beyond DMARC?
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "Domain-based Message Authentication, Reporting, and Compliance \(DMARC\)" <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Thu, 21 Mar 2019 18:38:59 -0000

I am all for anything that cuts unwanted email.   Not sure of the need to distinguish between spam and phishing.


I am assuming that I am the only one in this group not using DMARC.   You heard my problems with SPF.  


What do you do for SPF Exceptions?

·         We have never seen a legitimate sender who needed an exception?

·         We whitelist the source IP address and trust that it will only be used for appropriate domains?

·         We whitelist the sender domain and hope it will never be spoofed?

·         Something else?


Also, how do you handle SPF non-pass:   Neutral, Softfail, Syntax errors,  or  Excessive nesting


Do you handle SPF any differently between senders with DMARC enforcement and those without?


Doug Foster



From: dmarc [] On Behalf Of Ken Simpson
Sent: Thursday, March 21, 2019 1:01 PM
To: John R Levine
Cc: IETF DMARC WG; Dotzero
Subject: Re: [dmarc-ietf] Email security beyond DMARC?


> I'm going to have to disagree with you John. DMARC is about preventing
> direct domain abuse. It does not specifically address phishing as the bad
> guys can simply use cousin domains, homoglyphs, etc.

Well, it's abount a subset of phishing.  It's surely more about phishing 
than about spam.


IMHO, by cutting out direct domain spoofing, DMARC makes it easier for receivers to craft algorithms that spot impersonation attacks. Once you have configured DMARC, receivers can build - for example - a machine learning system that learns what your legitimate email looks like. They can use that same system to identify messages that look like your legitimate email but which do not actually originate from your domain.


If you want to detect domain impersonation or "brand" impersonation, you first have to have a verifiable ground truth corpus. That is what DMARC offers.