Re: [dmarc-ietf] DMARC is designed to break mail, Example of Indirect Mail Flow Breakage with p=reject?

Dotzero <dotzero@gmail.com> Thu, 13 April 2023 16:30 UTC

References: <20230408135613.C3E1CBC81C2A@ary.qy> <48D13F81-6022-45F8-AE56-20474E68BAA1@marmot-tech.com> <c374e371-4560-9cb5-138d-09a3ef352bbd@taugh.com>
In-Reply-To: <c374e371-4560-9cb5-138d-09a3ef352bbd@taugh.com>
From: Dotzero <dotzero@gmail.com>
Date: Thu, 13 Apr 2023 12:30:39 -0400
Message-ID: <CAJ4XoYdTNtXEMS8e1_NkquHpf=3PbpTpuduW27VcUL=v_pWicQ@mail.gmail.com>
To: John R Levine <johnl@taugh.com>
Cc: Neil Anuskiewicz <neil@marmot-tech.com>, dmarc@ietf.org
Content-Type: multipart/alternative; boundary="00000000000062537705f93a3f6e"
Archived-At: <https://mailarchive.ietf.org/arch/msg/dmarc/mRpBfYQ5iknfeFr8whHDnoxQ5kw>
Subject: Re: [dmarc-ietf] DMARC is designed to break mail, Example of Indirect Mail Flow Breakage with p=reject?

On Wed, Apr 12, 2023 at 9:41 AM John R Levine <johnl@taugh.com> wrote:

> On Tue, 11 Apr 2023, Neil Anuskiewicz wrote:
> > If DMARC can protect domains from spoofing which I believe ends up
> > costing over $14 billion per year. Forget about the $14 billion and
> > think how this crime spree affects people’s view ....
>
> But it obviously can't do that, and what it does do happens at
> considerable cost.
>

The claim that DMARC protects against spoofing has never been made by the
originators of DMARC. We have always been careful that it only addresses
direct domain abuse.
>
> I don't know where that $14B number came from but I am reasonably sure
> someone pulled it out of his, er, hat.  When people talk about
> "spoofing", they might mean exact domain impersonation or they might mean
> lookalikes, or as likely as not mail where the body impersonates someone
> and the From address is totally unrelated since, as Dave Crocker often
> reminds us, most users don't look at the return address and a lot of mail
> software doesn't even show it.  DMARC only addresses one modest part of
> that.
>
> If you are someone like Paypal or a big bank, and you have full control
> over all the routes of your mail, AND IT DOES NOT MATTER IF YOUR MAIL GETS
> LOST, p=reject makes sense.  The farther from that you are, the less sense
> it makes and the higher the costs you impose on other people. People
> chronically forget the capitalized part when thinking about the tradeoffs.
>

Nobody has full control over all the routes email will take. How does the
emitting domain know that a recipient hasn't set up forwarding from one
account to another or that a recipient address isn't an exploder or alias
representing multiple recipients at multiple domains?

It also isn't that "IT DOES NOT MATTER IF YOUR MAIL GETS LOST". It matters
but there is a calculus regarding the tradeoffs of a very small percentage
(in the case of my former a very small fraction of a percent) of email not
getting delivered vs the damage caused to recipients of malicious emails
involving direct domain abuse. In one example of direct domain abuse, the
malicious actors copied and pasted from real transactional emails and
inadvertently included tracking code. Over the course of 48 hours over
180,000 people clicked on the malicious link before the site hosting the
malicious content was shut down. And that was all from receiver domains
that were not validating DMARC. And again, the original intent of DMARC was
mitigating direct domain abuse involving transactional emails. We
recognized the tradeoffs involved but to say it didn't (and doesn't) matter
if such transactional email gets lost is a gross exaggeration.

Michael Hammer
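The forwarding and exploder cases above are where p=reject bites: the forwarder rewrites the envelope sender (so SPF no longer aligns with the From domain) and a mailing list that tags the subject or appends a footer breaks the DKIM signature as well. The following is an added example, not code from the thread or from any DMARC implementation: a minimal RFC 7489 alignment evaluator run over three constructed delivery paths for a message from example.com with p=reject. The domains, the AuthResult fields and the two-label organizational-domain shortcut (a real receiver consults the Public Suffix List) are assumptions made for the illustration.

```python
from dataclasses import dataclass


def org_domain(d: str) -> str:
    # Constructed simplification: the last two labels stand in for a PSL lookup.
    return ".".join(d.lower().split(".")[-2:])


def aligned(ident: str, from_domain: str, mode: str) -> bool:
    # Strict ("s") alignment needs an exact match; relaxed ("r") needs the same
    # organizational domain, which is the RFC 7489 default.
    if mode == "s":
        return ident.lower() == from_domain.lower()
    return org_domain(ident) == org_domain(from_domain)


@dataclass
class AuthResult:
    from_domain: str   # domain of the RFC5322.From header
    spf_result: str    # "pass", "fail" or "none"
    spf_domain: str    # RFC5321.MailFrom domain that SPF actually checked
    dkim_result: str   # "pass" or "fail" for the best surviving signature
    dkim_domain: str   # d= tag of that signature


def dmarc_disposition(r: AuthResult, policy="reject", adkim="r", aspf="r") -> str:
    # DMARC passes if either authenticated identifier aligns with From;
    # otherwise the published policy ("none"/"quarantine"/"reject") applies.
    spf_ok = r.spf_result == "pass" and aligned(r.spf_domain, r.from_domain, aspf)
    dkim_ok = r.dkim_result == "pass" and aligned(r.dkim_domain, r.from_domain, adkim)
    return "pass" if (spf_ok or dkim_ok) else policy


# Constructed scenarios for one message with From: user@example.com.
DIRECT = AuthResult("example.com", "pass", "example.com", "pass", "example.com")
# Plain forwarding: the forwarder's envelope sender breaks SPF alignment, but
# the body is untouched so the original DKIM signature still verifies.
FORWARDED = AuthResult("example.com", "pass", "fwd.example.net", "pass", "example.com")
# Mailing list that adds a subject tag and footer: DKIM fails and the only SPF
# pass belongs to the list's domain, so p=reject discards the message.
LISTED = AuthResult("example.com", "pass", "lists.example.org", "fail", "example.com")

if __name__ == "__main__":
    for name, r in [("direct", DIRECT), ("forwarded", FORWARDED), ("mailing list", LISTED)]:
        print(f"{name:13s} -> {dmarc_disposition(r)}")
```

Running the block shows the third path is rejected even though the message is legitimate, which is the indirect-flow loss the thread is weighing against direct domain abuse.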