Re: [dmarc-ietf] Is From spoofing an interoperability issue or not?

Laura Atkins <laura@wordtothewise.com> Mon, 17 April 2023 13:38 UTC

Return-Path: <laura@wordtothewise.com>
X-Original-To: dmarc@ietfa.amsl.com
Delivered-To: dmarc@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B498EC14CF17 for <dmarc@ietfa.amsl.com>; Mon, 17 Apr 2023 06:38:14 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -7.095
X-Spam-Level:
X-Spam-Status: No, score=-7.095 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_HI=-5, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=wordtothewise.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id HuvNYMCduFjz for <dmarc@ietfa.amsl.com>; Mon, 17 Apr 2023 06:38:10 -0700 (PDT)
Received: from mail.wordtothewise.com (mail.wordtothewise.com [104.225.223.158]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 4A538C14F5E0 for <dmarc@ietf.org>; Mon, 17 Apr 2023 06:38:09 -0700 (PDT)
Received: from smtpclient.apple (unknown [176.61.50.187]) by mail.wordtothewise.com (Postfix) with ESMTPSA id DBD199F21A for <dmarc@ietf.org>; Mon, 17 Apr 2023 06:38:06 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=wordtothewise.com; s=aardvark; t=1681738687; bh=Ipg107PKQ79EOaLf4YzKjs/FfY7lC0bh7aV7/6h619k=; h=From:Subject:Date:References:To:In-Reply-To:From; b=iZapDCCp91lIryL626mwF5q2gvFlHYbfT/O1ViRQ6bPWzvVUNYyxkUsQIkBZp8mzo k02aXQXOZPAK5bj2HlwUi37m35Plum5ySjbcSngMmqUAkGsiHo3s623Hxb0Ilscd0+ Bki83oNQyS/SZSx3PIwPZB2hgpmXo2oMLhlceycE=
From: Laura Atkins <laura@wordtothewise.com>
Content-Type: multipart/alternative; boundary="Apple-Mail=_3B9FAC1E-D7B9-4A78-BD12-F53436BE972C"
Mime-Version: 1.0 (Mac OS X Mail 16.0 \(3731.500.231\))
Date: Mon, 17 Apr 2023 14:37:55 +0100
References: <4FD1C711-7A7D-40E5-88DE-95CDD248F92B@wordtothewise.com> <4091078.A07lAYmWBP@localhost>
To: IETF DMARC WG <dmarc@ietf.org>
In-Reply-To: <4091078.A07lAYmWBP@localhost>
Message-Id: <1937153A-4731-408B-92DA-3E459789651C@wordtothewise.com>
X-Mailer: Apple Mail (2.3731.500.231)
Archived-At: <https://mailarchive.ietf.org/arch/msg/dmarc/G_CnrSBTTwvyZiiuhtCcG4-uzZQ>
Subject: Re: [dmarc-ietf] Is From spoofing an interoperability issue or not?
X-BeenThere: dmarc@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: "Domain-based Message Authentication, Reporting, and Compliance \(DMARC\)" <dmarc.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dmarc>, <mailto:dmarc-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dmarc/>
List-Post: <mailto:dmarc@ietf.org>
List-Help: <mailto:dmarc-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dmarc>, <mailto:dmarc-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 17 Apr 2023 13:38:14 -0000


> On 17 Apr 2023, at 14:15, Scott Kitterman <sklist@kitterman.com> wrote:
> 
> On Monday, April 17, 2023 4:29:45 AM EDT Laura Atkins wrote:
>> Reading through the various discussions about how to document the harm DMARC
>> causes for general purpose domains, I started thinking. One way that a lot
>> of major SaaS providers have chosen to deal with DMARC is spoofing their
>> customers in the 5322.from Comment string. There are numerous examples of
>> this: Paypal, Docusign, Sage, Intuit are 4 big examples I can think of off
>> the top of my head.
>> 
>> All of these companies send out financial or business mail on behalf of
>> their customers, some of whom do use p=reject on their own domains. Some of
>> them also use restrictive DMARC policies for this mail, others don’t.
>> 
>> Is this another issue we should document and make recommendations about? I
>> was thinking along the line that transactional SaaS providers should fully
>> support DMARC and should not allow companies using p=reject in their
>> business mail to access the service?
>> 
>> I keep going back and forth that this is not an interoperability issue - the
>> mail works fine even when the business is spoofed in the 5322.from comment
>> string. But on a practical level it looks exactly like phishing mail
>> because it’s financial (or contractual) docs from a particular company
>> coming from a random domain. I keep ending up this isn’t an
>> interoperability issue, it’s just an end run around DMARC and it’s not the
>> IETF’s place to comment on that.
>> 
>> But I thought I’d bring the discussion up here to see if other folks had
>> different opinions.
> 
> Many mailing lists do the same as part of their DMARC From re-writing work-
> around.
> 
> I think it's out of scope for DMARC.  DMARC is wired to 5322.from and not the 
> Comment string.

I apparently didn’t clearly express myself as both you and Michael misunderstood what I was saying. 

Should the IETF make the interoperability recommendation that SaaS providers who send mail on behalf of companies support aligned authentication? That means custom SPF domains and custom DKIM signatures. 

And if they can’t, then do we make a different recommendation regarding spoofed mail that evades a company’s DMARC policy?

> The thing is, it's a comment string, so on what basis is any particular 
> comment good or bad?  That's a complicated question and I think we have enough 
> to do without trying to tackle this too.

I honestly wasn’t trying to bring up that discussion. I was more focused on ensuring SaaS companies can support DMARC. Many of them, even in the financial space, don’t currently do so. 

laura

-- 
The Delivery Experts

Laura Atkins
Word to the Wise
laura@wordtothewise.com		

Email Delivery Blog: http://wordtothewise.com/blog
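The point about aligned authentication (custom SPF domains and custom DKIM signatures for a SaaS provider sending on a customer's behalf) versus putting the customer's name only in the From comment string can be made concrete with a small alignment evaluator. The following is an added illustration written for this thread, not code from the list or from any of the providers named above; it assumes constructed domains (saas.example, acme.example) and simplifies the organizational domain to the last two labels, where real DMARC uses the Public Suffix List.

```python
"""Minimal DMARC identifier-alignment check (illustration only).

Shows why a provider signing with its own DKIM domain never aligns with a
customer's From domain, and why the display name ("comment string") plays
no part in the evaluation at all.
"""
from email.utils import parseaddr


def org_domain(domain: str) -> str:
    # Simplification (assumption): organizational domain = last two labels.
    # RFC 7489 derives it from the Public Suffix List instead.
    labels = domain.lower().strip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else domain.lower()


def aligned(from_domain: str, auth_domain: str, mode: str = "r") -> bool:
    """mode 'r' = relaxed (organizational domains match), 's' = strict (exact)."""
    a, b = from_domain.lower(), auth_domain.lower()
    if mode == "s":
        return a == b
    return org_domain(a) == org_domain(b)


def evaluate_dmarc(from_header: str, spf_domain: str, spf_result: str,
                   dkim_results, adkim: str = "r", aspf: str = "r") -> dict:
    """Evaluate DMARC for one message.

    from_header  : the raw RFC 5322 From header value
    spf_domain   : the RFC 5321 MAIL FROM domain SPF was checked against
    spf_result   : SPF result string ('pass', 'fail', ...)
    dkim_results : list of (d= domain, result) tuples, one per signature
    """
    display_name, addr = parseaddr(from_header)
    if "@" not in addr:
        return {"dmarc": "fail", "reason": "no usable From address"}
    from_domain = addr.rsplit("@", 1)[1]

    # Only the domain in the addr-spec matters; the display name is ignored.
    spf_aligned = spf_result == "pass" and aligned(from_domain, spf_domain, aspf)
    dkim_aligned = any(res == "pass" and aligned(from_domain, d, adkim)
                       for d, res in dkim_results)
    return {
        "from_domain": from_domain,
        "display_name": display_name,   # reported only; never evaluated
        "spf_aligned": spf_aligned,
        "dkim_aligned": dkim_aligned,
        "dmarc": "pass" if (spf_aligned or dkim_aligned) else "fail",
    }


# Constructed sample scenarios for a SaaS provider mailing on a customer's behalf.
SCENARIOS = {
    # Customer named only in the comment string; provider's own domain in addr-spec.
    "comment_string_only": ('"Acme Billing" <notify@saas.example>',
                            "saas.example", "pass", [("saas.example", "pass")]),
    # Customer domain in From, but provider signs with its own DKIM domain.
    "unaligned_provider_dkim": ("billing@acme.example",
                                "saas.example", "pass", [("saas.example", "pass")]),
    # Provider set up a custom DKIM key under the customer's domain.
    "custom_dkim": ("billing@acme.example",
                    "saas.example", "pass", [("acme.example", "pass")]),
    # Provider uses a custom SPF bounce subdomain delegated by the customer.
    "custom_spf_subdomain": ("billing@acme.example",
                             "bounce.acme.example", "pass", []),
}


def run_scenario(name: str, aspf: str = "r", adkim: str = "r") -> dict:
    from_header, spf_domain, spf_result, dkim = SCENARIOS[name]
    return evaluate_dmarc(from_header, spf_domain, spf_result, dkim,
                          adkim=adkim, aspf=aspf)


if __name__ == "__main__":
    for name in SCENARIOS:
        r = run_scenario(name)
        print(f"{name:28s} from={r['from_domain']:22s} dmarc={r['dmarc']}")
    # Strict SPF alignment rejects the bounce subdomain case:
    print("custom_spf_subdomain (aspf=s)  dmarc=",
          run_scenario("custom_spf_subdomain", aspf="s")["dmarc"])
```

The first scenario passes DMARC for saas.example, which is exactly the situation described above: the customer's name lives only in the display name, the evaluator never looks at it, and the customer's own p=reject policy is never consulted because its domain is not in the addr-spec. The second scenario fails because the provider's DKIM d= does not align with the customer's From domain; the last two pass only once the provider has either a DKIM key under the customer's domain or an SPF domain the customer has delegated, with the strict/relaxed distinction deciding whether a subdomain is enough.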