Re: [dmarc-ietf] Is From spoofing an interoperability issue or not?

[Scott Kitterman <sklist@kitterman.com>]

On Monday, April 17, 2023 4:29:45 AM EDT Laura Atkins wrote:
> Reading through the various discussions about how to document the harm DMARC
> causes for general purpose domains, I started thinking.One way that a lot
> of major SaaS providers have chose to deal with DMARC is spoofing their
> customer’s in the 5322.from Comment string. There are numerous examples of
> this: Paypal, Docusign, Sage, Intuit are 4 big examples I can think of off
> the top of my head.
> 
> All of these companies send out financial or business mail on behalf of
> their customers, some of whom do use p=reject on their own domains. Some of
> them also use restrictive DMARC policies for this mail, others don’t.
> 
> Is this another issue we should document and make recommendations about? I
> was thinking along the line that transactional SaaS providers should fully
> support DMARC and should not allow companies using p=reject in their
> business mail to access the service?
> 
> I keep going back and forth that this is not an interoperability issue - the
> mail works fine even when the business is spoofed in the 5322.from comment
> string. But on a practical level it looks exactly like phishing mail
> because it’s financial (or contractual) docs from a particular company
> coming from a random domain. I keep ending up this isn’t an
> interoperability issue, it’s just an end run around DMARC and it’s not the
> IETF’s place to comment on that.
> 
> But I thought I’d bring the discussion up here to see if other folks had
> different opinions.

Many mailing lists do the same as part of their DMARC From re-writing work-
around.

I think it's out of scope for DMARC.  DMARC is wired to 5322.from and not the 
Comment string.

The thing is, it's a comment string, so on what basis is any particular 
comment good or bad?  That's a complicated question and I think we have enough 
to do without trying to tackle this too.

Scott K