Re: [dmarc-ietf] DMARC is designed to break mail, Example of Indirect Mail Flow Breakage with p=reject?
Dotzero <dotzero@gmail.com> Thu, 13 April 2023 16:30 UTC
From: Dotzero <dotzero@gmail.com>
Date: Thu, 13 Apr 2023 12:30:39 -0400
Message-ID: <CAJ4XoYdTNtXEMS8e1_NkquHpf=3PbpTpuduW27VcUL=v_pWicQ@mail.gmail.com>
To: John R Levine <johnl@taugh.com>
Cc: Neil Anuskiewicz <neil@marmot-tech.com>, dmarc@ietf.org
Archived-At: <https://mailarchive.ietf.org/arch/msg/dmarc/mRpBfYQ5iknfeFr8whHDnoxQ5kw>
On Wed, Apr 12, 2023 at 9:41 AM John R Levine <johnl@taugh.com> wrote:

> On Tue, 11 Apr 2023, Neil Anuskiewicz wrote:
> > If DMARC can protect domains from spoofing which I believe ends up
> > costing over $14 billion per year. Forget about the $14 billion and
> > think how this crime spree affects people’s view ....
>
> But it obviously can't do that, and what it does do happens at
> considerable cost.

The claim that DMARC protects against spoofing has never been made by the originators of DMARC. We have always been careful that it only addresses direct domain abuse.

> I don't know where that $14B number came from but I am reasonably sure
> someone pulled it out of his, er, hat. When people talk about
> "spoofing", they might mean exact domain impersonation or they might mean
> lookalikes, or as likely as not mail where the body impersonates someone
> and the From address is totally unrelated since, as Dave Crocker often
> reminds us, most users don't look at the return address and a lot of mail
> software doesn't even show it. DMARC only addresses one modest part of
> that.
>
> If you are someone like Paypal or a big bank, and you have full control
> over all the routes of your mail, AND IT DOES NOT MATTER IF YOUR MAIL GETS
> LOST, p=reject makes sense. The farther from that you are, the less sense
> it makes and the higher the costs you impose on other people. People
> chronically forget the capitalized part when thinking about the tradeoffs.

Nobody has full control over all the routes email will take. How does the emitting domain know that a recipient hasn't set up forwarding from one account to another or that a recipient address isn't an exploder or alias representing multiple recipients at multiple domains? It also isn't that "IT DOES NOT MATTER IF YOUR MAIL GETS LOST". It matters but there is a calculus regarding the tradeoffs of a very small percentage (in the case of my former a very small fraction of a percent) of email not getting delivered vs the damage caused to recipients of malicious emails involving direct domain abuse.

In one example of direct domain abuse, the malicious actors copied and pasted from real transactional emails and inadvertently included tracking code. Over the course of 48 hours over 180,000 people clicked on the malicious link before the site hosting the malicious content was shut down. And that was all from receiver domains that were not validating DMARC. And again, the original intent of DMARC was mitigating direct domain abuse involving transactional emails. We recognized the tradeoffs involved but to say it didn't (and doesn't) matter if such transactional email gets lost is a gross exaggeration.

Michael Hammer
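The tradeoff argued in the message above can be made concrete with a receiver-side DMARC evaluation. This is an added example, not part of the original post or of any DMARC implementation; the `Delivery` record, the flow labels, the sample domains and the two-label organizational-domain shortcut are all assumptions made for illustration.

```python
from dataclasses import dataclass

def org_domain(domain: str) -> str:
    # Assumption: last two labels; real receivers use the Public Suffix List.
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def aligned(header_from: str, auth_domain: str) -> bool:
    # Relaxed alignment: organizational domains must match.
    return bool(auth_domain) and org_domain(header_from) == org_domain(auth_domain)

@dataclass
class Delivery:
    label: str
    header_from: str   # RFC5322.From domain, the one DMARC protects
    spf: str           # SPF result seen by the final receiver
    mail_from: str     # envelope sender domain that SPF evaluated
    dkim: str          # DKIM result seen by the final receiver
    dkim_d: str        # d= of that signature ("" if unsigned)

def dmarc_disposition(d: Delivery, policy: str = "reject") -> str:
    spf_ok = d.spf == "pass" and aligned(d.header_from, d.mail_from)
    dkim_ok = d.dkim == "pass" and aligned(d.header_from, d.dkim_d)
    # One aligned pass is enough; otherwise the From domain's policy applies.
    return "pass" if (spf_ok or dkim_ok) else policy

# Constructed sample flows, all seen from the final receiver's side.
FLOWS = [
    Delivery("direct", "example.com", "pass", "bounce.example.com", "pass", "example.com"),
    Delivery("forwarded unchanged", "example.com", "fail", "bounce.example.com", "pass", "example.com"),
    Delivery("forwarded, SPF-only sender", "example.com", "fail", "bounce.example.com", "none", ""),
    Delivery("list exploder, body modified", "example.com", "pass", "lists.example.org", "fail", "example.com"),
    Delivery("direct domain abuse", "example.com", "pass", "mailer.example.net", "none", ""),
    Delivery("lookalike From domain", "example-payments.test", "pass",
             "example-payments.test", "pass", "example-payments.test"),
]

def evaluate(flows=FLOWS, policy="reject"):
    return {d.label: dmarc_disposition(d, policy) for d in flows}

if __name__ == "__main__":
    for label, result in evaluate().items():
        print(f"{label:32} {result}")
```

The two indirect flows that lose both aligned identifiers are rejected exactly like the direct domain abuse case, while the lookalike domain passes because DMARC only evaluates the domain actually present in the From header.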