IETF Logo Mail Archive

Re: [dmarc-ietf] DMARC alignment conflicts with RFC 5322 on the use of the From and Sender header fields

Dotzero <dotzero@gmail.com> Fri, 05 June 2020 05:40 UTC

Return-Path: <dotzero@gmail.com>
X-Original-To: dmarc@ietfa.amsl.com
Delivered-To: dmarc@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id EE6453A12B5 for <dmarc@ietfa.amsl.com>; Thu, 4 Jun 2020 22:40:10 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.097
X-Spam-Level:
X-Spam-Status: No, score=-2.097 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ZPSotTKvBC35 for <dmarc@ietfa.amsl.com>; Thu, 4 Jun 2020 22:40:09 -0700 (PDT)
Received: from mail-wr1-x444.google.com (mail-wr1-x444.google.com [IPv6:2a00:1450:4864:20::444]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 116943A12AE for <dmarc@ietf.org>; Thu, 4 Jun 2020 22:39:51 -0700 (PDT)
Received: by mail-wr1-x444.google.com with SMTP id l11so8415937wru.0 for <dmarc@ietf.org>; Thu, 04 Jun 2020 22:39:50 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=6KTrEChaWh87Fzy47F+iwxdxbpJB1OznV1wzgYzMf6w=; b=gF1X8XFxpu0MYXIdMq+yGbKsnTh25vqvNm8BV95QsyDXJsB2Kfz8h/KtJNJfBczviZ F6g51TE+2d/tqhL8OUzZfQWB9iUTbRvPT10grY9TpKFz7N/ZNhq642925eomLibX9y2c MkprS5+6aNRepQ9Ys3h26BpPxj146MWHoHfa/wnlI37gCNxA4gjGdlP2/vz3kdyYRk7D x87mtOOb873XQQ+uDQ2jfJLDhXsqqA4JCg+ztL5pitE1KwtcuQZgZqE3DijwMfvzPZTJ BhD3SgADKP7ocf0LHfWD1U90Z7F+m8KhUf7Nnfdb7rtg/ub4x3FSVpkNV3Mx5csp7y5j RXpw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=6KTrEChaWh87Fzy47F+iwxdxbpJB1OznV1wzgYzMf6w=; b=g3FkiqC38VMMwK6sIZhcmeH0eIBTxgKDrsNEctl1dgBXw9PtXlioK0PcgiHx8swqDp AqqAf+0JFYvu0R69QyVFGWN9HHWxcbHBDrvL3KIpgKIhqfQXecE3yJSkywm79i/eguc6 0jY4qkmMWnbHJPPtCz5GbtWf6cFPm0Dehv22GmChKu7+Fi5tIM/XlGjffJdGDOlMC/0Q TPjzkBaH0fXwzxsyvyi21h8CJvmf+8SXDNtE6gxn3t6XF3AShi5F5QWG2ysMSc865Gqp dC9/EJyUUPKotcDn6Hylc//sYf5HPadZuCv09hLUHIxOTqY6TY9c6NjN86Eh0JuYiA+c NbMQ==
X-Gm-Message-State: AOAM531A5uOy3A/jExJsWjZ+ZE0UqMq/ot3OoN6N5yhjBVYhq8txA2xU vCqyNsVncLMVwGyH0Se+uyuq/I0y7G636rAGyuXmhGmZ3l8=
X-Google-Smtp-Source: ABdhPJxEWxPVsGZZ2E+EMY6ltdNFt8P2Ctx6C3oAUVI0gMwy94l1pXdO2YhtP+6IP1VHeKir4SBhUp4tGMG9Wf4plZs=
X-Received: by 2002:a5d:604b:: with SMTP id j11mr7730785wrt.193.1591335589422; Thu, 04 Jun 2020 22:39:49 -0700 (PDT)
MIME-Version: 1.0
References: <DM5PR0601MB367115AD49513EAF3953716CF68B0@DM5PR0601MB3671.namprd06.prod.outlook.com> <CAJ4XoYcDhiap3fMfCjUbjERDK+DH=Au+43Ycu_YR4dPRQmNKaA@mail.gmail.com> <114ec030-dbc9-bf7d-a453-e5cf3dd3f642@bluepopcorn.net>
In-Reply-To: <114ec030-dbc9-bf7d-a453-e5cf3dd3f642@bluepopcorn.net>
From: Dotzero <dotzero@gmail.com>
Date: Fri, 05 Jun 2020 01:39:37 -0400
Message-ID: <CAJ4XoYdt-8D65ajLLDGoNBqUB7+juWvWSdaO+PJPZpBbE6eeZg@mail.gmail.com>
To: Jim Fenton <fenton@bluepopcorn.net>
Cc: "dmarc@ietf.org" <dmarc@ietf.org>
Content-Type: multipart/alternative; boundary="00000000000086abba05a74fb0de"
Archived-At: <https://mailarchive.ietf.org/arch/msg/dmarc/RNHhWpZ5hHn9NjiFk5kjl1wQQXk>
Subject: Re: [dmarc-ietf] DMARC alignment conflicts with RFC 5322 on the use of the From and Sender header fields
X-BeenThere: dmarc@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "Domain-based Message Authentication, Reporting, and Compliance \(DMARC\)" <dmarc.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dmarc>, <mailto:dmarc-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dmarc/>
List-Post: <mailto:dmarc@ietf.org>
List-Help: <mailto:dmarc-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dmarc>, <mailto:dmarc-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 05 Jun 2020 05:40:12 -0000

On Fri, Jun 5, 2020 at 12:40 AM Jim Fenton <fenton@bluepopcorn.net> wrote:

> On 6/2/20 10:35 AM, Dotzero wrote:
>
>
> As part of the original DMARC team, the goal was to make clear whether the
> email was authorized by the domain being used, hence the reliance on SPF
> and DKIM. These are clearly under the domain owner/administrator's control
> to the extent they choose to exercise that control. There was much
> discussion in the community at the time to use thei= field to enable more
> granular signing. it never gained traction. Because the intent was to
> protect end users from fake emails purporting to be from (primarily)
> commercial domains such as financial institutions, greeting card companies,
> etc., the Sender field was not a significant issue. Also, when the Sender
> is in the same domain as the From, there is no DMARC issue.
>
>
> I'm all confused about why alignment matters. Back around the time DKIM
> was standardized, we were concerned about phishing attacks from look-alike
> domains, i.e., substitutions of 1 for l, that might be registered by
> attackers and sign their messages with valid DKIM signatures.
>
> But now a lot of people don't see anything but the Friendly Name; the
> email address isn't displayed at all. For that (apparently increasing)
> proportion of users, the From or Sender addresses aren't visible; the
> attacker might as well use any Friendly Name of their choosing with any
> domain they can sign for there. So they get DMARC alignment, but what has
> it accomplished?
>
> -Jim
>

The goal of DMARC was (and is) to mitigate direct domain abuse. Nothing
more and nothing less. It helps receiving systems identify a (correctly)
participating domain's mail. That is why a DMARC policy is often described
as a sending domain's request and local policy is so important (and can
override that request).

For attackers that deploy DMARC it simply means that they are self
identifying their malicious messages as theirs.

Much has incorrectly been attributed to SPF/DKIM/DMARC. For example: "It
stops spam" - It does not. "It stops phishing" - It does not. The modest
goal is to stop direct domain abuse. It can do this remarkably well. On the
other hand it creates an incentive for attackers to compromise
participating domains. This has led to the long standing discussion (more
lately lapsed) between Dave Crocker and my self about reputation. My
position is that long term, reputation systems are of limited value because
of domain compromise or even sending policy change. To put it another way,
"What have you done to me today?". Dave has in the past had greater faith
in reputation.

For Sending domains, SPF/DKIM/DMARC is only one set of tools in protecting
their brand from abuse. It protects end users from abuse. In fact, in many
cases the individuals most susceptible to falling prey to such abuse may
not even be customers of that sending domain. No, that greeting card you
received isn't legit (Nobody loves you). No, that retailer isn't giving you
a $200 gift card. This is why other tools like takedowns are so important
and why the removal of registrant information from domain registrations has
enabled abusers.

Just a few thoughts.

Michael Hammeer

v2.23.0 | Report a Bug | By Email