Re: [dmarc-ietf] non-mailing list use case for differing header domains

Laura Atkins <laura@wordtothewise.com> Tue, 28 July 2020 09:07 UTC

Return-Path: <laura@wordtothewise.com>
X-Original-To: dmarc@ietfa.amsl.com
Delivered-To: dmarc@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id EE9813A0928 for <dmarc@ietfa.amsl.com>; Tue, 28 Jul 2020 02:07:24 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.098
X-Spam-Level:
X-Spam-Status: No, score=-2.098 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=wordtothewise.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id OBdj8ZlEaGQZ for <dmarc@ietfa.amsl.com>; Tue, 28 Jul 2020 02:07:23 -0700 (PDT)
Received: from mail.wordtothewise.com (mail.wordtothewise.com [104.225.223.158]) by ietfa.amsl.com (Postfix) with ESMTP id EF5F03A0923 for <dmarc@ietf.org>; Tue, 28 Jul 2020 02:07:22 -0700 (PDT)
Received: from [192.168.0.227] (unknown [37.228.245.144]) by mail.wordtothewise.com (Postfix) with ESMTPSA id A11709F1F7 for <dmarc@ietf.org>; Tue, 28 Jul 2020 02:07:21 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=wordtothewise.com; s=aardvark; t=1595927242; bh=cHCk9y5mANrdvLm9ecEJ6XGEfewxHnKTJw2gqUiSuW4=; h=From:Subject:Date:References:To:In-Reply-To:From; b=V/O7qM2631ktVOqICNxn1yq5415VYgY8OjbSWB1z036BjDw0YCS1Gl7/Xp43tJ9Rw FL3OjI1n+ublPOYbwHw8bOjc3ZPIhgqCXHNF0LP3dQcrCtQV8kKmqPdhNOXoMxcoYY ynvHEpxjY0o0w2hBN9+acZd7c60Ge3XmnyTgJYTM=
From: Laura Atkins <laura@wordtothewise.com>
Content-Type: multipart/alternative; boundary="Apple-Mail=_B2D823DD-C747-4445-8533-93B36E6CECDF"
Mime-Version: 1.0 (Mac OS X Mail 13.4 \(3608.80.23.2.2\))
Date: Tue, 28 Jul 2020 10:07:19 +0100
References: <BY5PR13MB29998094418C8A6C25902569D7730@BY5PR13MB2999.namprd13.prod.outlook.com> <c0361cb2-b25b-5d75-cb1f-f9c87e3ecccc@tana.it>
To: "dmarc@ietf.org" <dmarc@ietf.org>
In-Reply-To: <c0361cb2-b25b-5d75-cb1f-f9c87e3ecccc@tana.it>
Message-Id: <AE9A3A9F-27FC-4935-B8E6-AB0CE1A6D5E2@wordtothewise.com>
X-Mailer: Apple Mail (2.3608.80.23.2.2)
Archived-At: <https://mailarchive.ietf.org/arch/msg/dmarc/sZtHKpiWj2PaABPezKA9--Y2w6g>
Subject: Re: [dmarc-ietf] non-mailing list use case for differing header domains
X-BeenThere: dmarc@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "Domain-based Message Authentication, Reporting, and Compliance \(DMARC\)" <dmarc.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dmarc>, <mailto:dmarc-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dmarc/>
List-Post: <mailto:dmarc@ietf.org>
List-Help: <mailto:dmarc-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dmarc>, <mailto:dmarc-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 28 Jul 2020 09:07:25 -0000


> On 28 Jul 2020, at 08:36, Alessandro Vesely <vesely@tana.it> wrote:
> 
> On Tue 28/Jul/2020 08:54:02 +0200 Autumn Tyr-Salvia wrote:
>> # The resulting message uses executive@secondbrand.com in the friendly From: field, but firstbrand.com in the SMTP MAIL FROM domain, so the headers are no longer aligned for SPF.
>> #
> 
> Heck, can't they DKIM sign?

This really misses Autumn’s point. The issue she brings up may be unusual but it is a lot more common than folks think. Banks, in particular, have a host of underlying problems related to DNS and security. I worked with a bank a few years back. It took 6 weeks to identify what continent the nameserver controlling DNS for the subdomain we were trying to authenticate lived on. Then there were weeks of approvals and security sign-offs in order to get a DNS change made so we could correct an SPF record. 3 or 4 months to get an update done. For the record, my clients were part of the Canadian organization and the name servers handling their DNS were located in Australia.

Autumn has presented a very real world scenario that demonstrates the overall complexity of mail management operationally. Your solution “sign with DKIM” has significant barriers to adoption. For instance, assume that there is code installed on the mailserver that will grab the 5322.from address and sign with the appropriate DKIM key. How many domains are involved? How many different mailservers? How long will this solution take to deploy? Banks do not move quickly and, for the obvious reasons, any changes to security require multiple reviews and assurances that the implications are understood.

The underlying belief with DMARC is that mail is simple, that companies are monoliths with only a few brands/domains, that it is possible to know exactly where every message will come from. These assumptions are not and have never been true. Inevitably, however, when these types of issues are pointed out, they’re dismissed with “solutions” that aren’t actually achievable or maintainable. DMARC proponents have repeatedly failed to pay attention to folks pointing out the actual operational challenges and thus have never addressed the issues in any way. This is, fundamentally, why only 15% of Fortune 500 companies have adopted p=reject and why adoption rates only increased by 5% last year.

The indirect mail stream issue is real. But it is not the only barrier to getting to p=reject. The sooner folks start listening to the people who are presenting real issues where DMARC alignment can’t be achieved, the sooner they’ll be able to address them. The problem with low DMARC adoption is that it does not adequately address how companies are using mail in ways that break the DMARC model. Almost a decade on, and proponents are still suggesting that email usage should change to comply with their model of how email works. This has not happened. Maybe proponents need to think harder about why.

laura

-- 
Having an Email Crisis?  We can help! 800 823-9674 

Laura Atkins
Word to the Wise
laura@wordtothewise.com
(650) 437-0741

Email Delivery Blog: https://wordtothewise.com/blog
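The scenario argued over above (From: executive@secondbrand.com, MAIL FROM in firstbrand.com, so SPF cannot align, and the "just DKIM sign with the appropriate key" reply) can be made concrete with a small DMARC identifier-alignment evaluator. This is an added example written for this archive page; it is not code from the list, from Word to the Wise, or from any of the posters. The domains, the SPF/DKIM results and the per-domain signing-key map are constructed for illustration, and the organizational-domain helper is a deliberate two-label simplification of the Public Suffix List lookup that RFC 7489 actually requires.

```python
"""DMARC identifier alignment, illustrated on the two-brand case from the thread.

Added example for this page, not code from the dmarc@ietf.org discussion.
Assumptions: two-label organizational domains (a real evaluator consults the
Public Suffix List); SIGNING_KEYS is a constructed map, not a real deployment.
"""
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


def organizational_domain(domain: str) -> str:
    """Simplified organizational domain: last two labels.
    Assumption for the example; RFC 7489 section 3.2 uses the Public Suffix List
    so that e.g. bank.co.uk is handled correctly.
    """
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else domain.lower()


def aligned(from_domain: str, auth_domain: str, mode: str = "r") -> bool:
    """RFC 7489 section 3.1 alignment.
    mode "s" (strict): the RFC5322.From domain must equal the authenticated
    domain exactly. mode "r" (relaxed): the two must share an organizational
    domain, so a subdomain still aligns.
    """
    a = from_domain.lower().rstrip(".")
    b = auth_domain.lower().rstrip(".")
    if mode == "s":
        return a == b
    return organizational_domain(a) == organizational_domain(b)


@dataclass
class AuthResults:
    from_domain: str                 # domain of the RFC5322.From address
    mail_from_domain: str            # domain of the RFC5321.MailFrom (SPF identity)
    spf_result: str                  # "pass", "fail", "none", ...
    dkim_pass_domains: Tuple[str, ...]  # d= of every DKIM signature that verified


def dmarc_evaluate(r: AuthResults, aspf: str = "r", adkim: str = "r") -> Dict[str, object]:
    """DMARC passes if either SPF or DKIM both passes AND aligns with From."""
    spf_aligned = r.spf_result == "pass" and aligned(r.from_domain, r.mail_from_domain, aspf)
    dkim_aligned = any(aligned(r.from_domain, d, adkim) for d in r.dkim_pass_domains)
    return {
        "spf_aligned": spf_aligned,
        "dkim_aligned": dkim_aligned,
        "dmarc": "pass" if (spf_aligned or dkim_aligned) else "fail",
    }


# Constructed map of "domains we hold a DKIM key for" -> selector.  Stands in for
# the "grab the 5322.From and sign with the appropriate key" suggestion; the
# operational problem in the thread is that this map is often incomplete.
SIGNING_KEYS: Dict[str, str] = {
    "firstbrand.com": "sel2020",
    "secondbrand.com": "sel2020",
}


def choose_signing_domain(from_domain: str) -> Optional[str]:
    """Pick a d= that will align with the From domain under relaxed mode.
    Returns None when no key exists, i.e. the message goes out unsigned (or
    signed by the platform's own domain) and will not align.
    """
    for candidate in (from_domain.lower(), organizational_domain(from_domain)):
        if candidate in SIGNING_KEYS:
            return candidate
    return None


# --- the scenario from the thread, as three constructed outcomes ---

def scenario_spf_only() -> Dict[str, object]:
    """Platform sends with MAIL FROM in firstbrand.com; SPF passes for that
    domain, but From is secondbrand.com, so nothing aligns."""
    return dmarc_evaluate(AuthResults("secondbrand.com", "firstbrand.com", "pass", ()))


def scenario_signed_by_platform() -> Dict[str, object]:
    """Same message, DKIM-signed with the platform's key (d=firstbrand.com).
    Signature verifies, but the d= domain does not align with From."""
    return dmarc_evaluate(AuthResults("secondbrand.com", "firstbrand.com", "pass", ("firstbrand.com",)))


def scenario_signed_by_from_domain() -> Dict[str, object]:
    """The reply's suggestion: sign with the key matching the From domain.
    DKIM aligns even though SPF still does not."""
    d = choose_signing_domain("secondbrand.com")
    signed = (d,) if d else ()
    return dmarc_evaluate(AuthResults("secondbrand.com", "firstbrand.com", "pass", signed))


if __name__ == "__main__":
    for name, fn in [("SPF only", scenario_spf_only),
                     ("DKIM d=firstbrand.com", scenario_signed_by_platform),
                     ("DKIM d=From domain", scenario_signed_by_from_domain)]:
        print(f"{name:24s} -> {fn()}")
    print("no key for thirdbrand.com:", choose_signing_domain("thirdbrand.com"))
```

The evaluator shows why the "can't they DKIM sign?" answer is technically sufficient: only the DKIM path can rescue a message whose MAIL FROM belongs to a different brand. The choose_signing_domain lookup is where Laura's objection lives: it returns None as soon as the sending platform has no key for a From domain it was never told about, and in the thread's terms, every entry in that map costs a DNS change and a security review.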