Re: (DMARC) We've been here before, was Why mailing lists

[Douglas Otis <doug.mtview@gmail.com>]

On Apr 18, 2014, at 8:20 AM, Murray S. Kucherawy <superuser@gmail.com> wrote:

> On Thu, Apr 17, 2014 at 3:16 PM, Michael Richardson <mcr+ietf@sandelman.ca> wrote:
> So, the bug is that Yahoo/DMARC/ are authenticating the From:, when it should
> really be authenticating the Sender:. DMARC should key it's policy from
> Sender: rather than From, and if it did that then:
>   1) we could leave the From: intact, which is what's good for the end
>      users.
>   2) the list would change the Sender:, which is what we would establish
>      the reputation of the list, not the From:
>   3) MUAs would compare the From: and Sender:, and if they differed,
>      could say useful things like:
> 
>      "From: Mrex@sap.com via ietf@ietf.org".
> 
> (I was also wondering this morning on my commute if a layer of message/rfc822
> added by the mailing list might be a useful interim hack)
> 
> http://tools.ietf.org/html/draft-kucherawy-dmarc-base-04#section-15.1
> 
> One of the key points about DMARC's design is that it's concerned specifically with From:.  The reason is that the content of From: is what's typically shown to the recipient by MUAs.  If DMARC keyed off Sender: instead, then this would work:
> 
> MAIL FROM: haha@badguy.example.com
> 
> From: security@paypal.com
> Sender: haha@badguy.example.com
> DKIM-Signature: v=1; d=badguy.example.com; ...
> 
> If DMARC pays attention to Sender: in favor of From:, then this passes, but what the user is shown that the message is from security@paypal.com with a DMARC pass.  Not good.
> 
> Using Sender: as the authentication key was suggested and ultimately abandoned during both DomainKeys (RFC 4870, the predecessor to DKIM) and Sender-ID (RFC 4406, pretty much never implemented) for this sort of reason.
> 
>     > MUAs which are not implementing the rfc822/2822/5322 "on behalf of"
>     > semantics of a message that carries both From: and Sender: header
>     > fields ought to be FIXED.  Standards that build on rfc822/2822/5322
>     > and do not respect "on behalf of" semantics of messages with
>     > both "Sender:" and "From:" also need to be FIXED.
> 
> I don't believe that's standardized.  I'm also not sure we (the IETF) want to enter into user space like MUAs, an area we have historically avoided because we don't really have such expertise.

Dear Murray,

Agreed.  The intent behind DMARC is to protect recipients wanting to trust specific From header fields.   Not protecting them will cause customer loss for high value transactional domains.  Most just don't want the flood of spoofing reaching their inbox these high value domains attract. 

Yahoo has had other problems where many of their accounts have become compromised.  Perhaps DMARC is also seen as a method to curb complaints caused by spoofed addresses so they can better address accounts actually compromised by leveraging DMARC feedback.  This would be a poor choice in my view.

Regards,
Douglas Otis

 

> 
> -MSK