[dmarc-discuss] How does *this* mailing list interact with dmarc?

Steven Chamberlain steven at pyro.eu.org
Sun Jun 24 06:03:33 PDT 2012


On 24/06/12 07:11, Murray Kucherawy wrote:
> If I own example.org, I can create arbitrary subdomains under it, and sign
> with them, at no cost to me.

Dynamic DNS services are often abused in this way, but we tend to know
who they are and attach a bad reputation to them.

>> They would also have to keep nameservers operational to serve DKIM keys
>> for their spam to verify against, and their IPs would also become known.
> A botnet solves the IP problem, and there are plenty of registrars (see
> recent news feeds) that are slow, inept, or disinterested in terms of
> taking down the domains of bad actors.

Agreed, but this infrastructure is something spammers wouldn't have to
provide at all if the only available alternative was p=none.  They could
instead pretend to be a well-known, good-reputation domain with SPF ~all
and not ring any alarm bells.

Secondary effects of a successful DMARC effort would be that people can
safely set a strict policy, deploy DKIM and stricter SPF rules if they
haven't already, and forwarders/listservers make their mail verifiable.

> The reason DMARC focused on the From: field is because it's the one most
> commonly shown to users.  That's a big part of what makes phishing
> effective.  Switching to the return path or the Sender field or some other
> identifier that users don't see is a cheap way to get a DMARC "pass"
> without having to change what the user sees.

A 'full' DMARC pass (e.g. -1 spam score) need only apply when a big
brand with p=reject policy delivers mail that passes the existing
From-based alignment rules.

A 'neutral' acceptance (0) could happen if the sender published a
'p=reject, but please accept my mail if forwarded' policy and the mail
was indeed forwarded via reasonably verifiable means such as a DKIM
signature from what is hopefully a listserver/forwarder.  The receiver
might still override this with a 'fail' after scrutinising the
forwarding domain and considering reputation for well-known lists.

A 'fail' (+5 spam score) could happen as before when p=reject mail fails

Setting an 'accept forwarded' policy is different from p=none because
the latter takes away the 'fail' category.

Setting such a policy need not prevent achieving a 'full pass' on the
good portion of their mail, which isn't forwarded and satisfies the
stronger From criteria.

> Still, the question remains: Why is trying to ensure list traffic passes
> DMARC something that should be in scope?  Do big brands actually get
> phished via mailing lists?

Are facebook.com users able to send outgoing mail?  The p=reject policy
means that anyone who mailed this list would be blocked by some
receiving mailservers (163.com didn't recognise the list last time I
checked), and you would receive false-positive reports.

Receivers may start to think DMARC verification has too many false
positives and relax the weight they give to a DMARC failure.  Then it
erodes the effectiveness of DMARC at filtering out phishing mails from
facebook.com and for other big brands.

Steven Chamberlain
steven at pyro.eu.org
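The three-tier scoring scheme sketched above (full pass, neutral for verifiably forwarded mail under a hypothetical 'p=reject, but accept forwarded' policy, fail otherwise), written out as an added example that is not part of the original post; the policy tag `reject-accept-forwarded`, the score values and the sample messages are constructed for illustration.

```python
from dataclasses import dataclass
from typing import Optional

# Spam-score contributions proposed in the post (constructed, as stated there).
FULL_PASS = -1
NEUTRAL = 0
FAIL = 5

# Constructed reputation data: forwarders a receiver has decided not to trust.
KNOWN_BAD_FORWARDERS = {"bad-forwarder.example"}


@dataclass
class Message:
    from_domain: str
    policy: str                        # "none", "reject", or hypothetical "reject-accept-forwarded"
    from_aligned: bool                 # passes the existing From:-based SPF/DKIM alignment rules
    forwarder_dkim_domain: Optional[str]  # d= of a verifying signature added by a forwarder, if any


def dmarc_score(msg: Message, bad_forwarders=KNOWN_BAD_FORWARDERS) -> int:
    """Score a message under the proposal: p=none never fails, p=reject variants
    get a full pass only when From-aligned, and the 'accept forwarded' variant
    gets a neutral score when relayed via a verifiable, not-known-bad forwarder."""
    if msg.policy == "none":
        return NEUTRAL                 # p=none removes the 'fail' category entirely
    if msg.from_aligned:
        return FULL_PASS               # either p=reject variant + From alignment
    if msg.policy == "reject-accept-forwarded":
        d = msg.forwarder_dkim_domain
        if d is not None and d not in bad_forwarders:
            return NEUTRAL             # receiver may still downgrade after scrutiny
    return FAIL                        # p=reject mail that fails alignment


def score_samples() -> dict:
    """Constructed messages covering each branch of the scheme."""
    samples = {
        "direct_aligned":      Message("brand.example", "reject", True, None),
        "direct_unaligned":    Message("brand.example", "reject", False, None),
        "forwarded_ok":        Message("brand.example", "reject-accept-forwarded", False, "list.example"),
        "forwarded_bad_rep":   Message("brand.example", "reject-accept-forwarded", False, "bad-forwarder.example"),
        "forwarded_unsigned":  Message("brand.example", "reject-accept-forwarded", False, None),
        "p_none_unaligned":    Message("brand.example", "none", False, None),
    }
    return {name: dmarc_score(m) for name, m in samples.items()}
```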
