Re: [dmarc-ietf] Is From spoofing an interoperability issue or not?

[Scott Kitterman <sklist@kitterman.com>]

On Monday, April 17, 2023 9:37:55 AM EDT Laura Atkins wrote:
> > On 17 Apr 2023, at 14:15, Scott Kitterman <sklist@kitterman.com> wrote:
> > 
> > On Monday, April 17, 2023 4:29:45 AM EDT Laura Atkins wrote:
> >> Reading through the various discussions about how to document the harm
> >> DMARC causes for general purpose domains, I started thinking.One way
> >> that a lot of major SaaS providers have chose to deal with DMARC is
> >> spoofing their customer’s in the 5322.from Comment string. There are
> >> numerous examples of this: Paypal, Docusign, Sage, Intuit are 4 big
> >> examples I can think of off the top of my head.
> >> 
> >> All of these companies send out financial or business mail on behalf of
> >> their customers, some of whom do use p=reject on their own domains. Some
> >> of
> >> them also use restrictive DMARC policies for this mail, others don’t.
> >> 
> >> Is this another issue we should document and make recommendations about?
> >> I
> >> was thinking along the line that transactional SaaS providers should
> >> fully
> >> support DMARC and should not allow companies using p=reject in their
> >> business mail to access the service?
> >> 
> >> I keep going back and forth that this is not an interoperability issue -
> >> the mail works fine even when the business is spoofed in the 5322.from
> >> comment string. But on a practical level it looks exactly like phishing
> >> mail because it’s financial (or contractual) docs from a particular
> >> company coming from a random domain. I keep ending up this isn’t an
> >> interoperability issue, it’s just an end run around DMARC and it’s not
> >> the
> >> IETF’s place to comment on that.
> >> 
> >> But I thought I’d bring the discussion up here to see if other folks had
> >> different opinions.
> > 
> > Many mailing lists do the same as part of their DMARC From re-writing
> > work-
> > around.
> > 
> > I think it's out of scope for DMARC.  DMARC is wired to 5322.from and not
> > the Comment string.
> 
> I apparently didn’t clearly express myself as both you and Michael
> misunderstood what I was saying.
> 
> Should the IETF make the interoperability recommendation that SaaS providers
> who send mail on behalf of companies support aligned authentication? That
> means custom SPF domains and custom DKIM signatures.
> 
> And if they can’t, then do we make a different recommendation regarding
> spoofed mail that evades a company’s DMARC policy?
> > The thing is, it's a comment string, so on what basis is any particular
> > comment good or bad?  That's a complicated question and I think we have
> > enough to do without trying to tackle this too.
> 
> I honestly wasn’t trying to bring up that discussion. I was more focused on
> ensuring SaaS companies can support DMARC. Many of them, even in the
> financial space, don’t currently do so.

OK.  The discussion of the 5322.From comment through me off, I guess.

I think there's probably room for the IETF to document Bext Current Practices 
(BCP) around DMARC usage.  I think it's a step beyond the interoperability 
discussion we need for the DMARCbis protocol document.  Assuming we think we 
know enough, we might consider that for additional WG scope after we have 
(essentially) completed the currently chartered work.

Scott K