[dmarc-discuss] DMARC thwarted already?

Terry Zink tzink at exchange.microsoft.com
Thu Jun 5 17:19:35 PDT 2014


>Doesn’t this come back to the whitelist idea? For the green bar SSL certs (Extended
>Validation), the certs have a bunch of information encoded in it, and the browsers have a
>list of CA’s that they trust. AFAIK, the only way to do that for email is through DKIM but
>you wouldn’t highlight all DKIM-signed email, only DKIM-signed email that you trust which
>is compared against a whitelist.

> Yes, definitely.  See RFC 5518 for one approach.

This makes sense.

We were talking about whitelists and DMARC a couple of weeks ago wherein if a message fails DMARC yet comes from a certain domain/IP, do not enforce DMARC. This sounds just like VBR. From Section 3 of RFC 5518 (http://www.ietf.org/rfc/rfc5518.txt):

====
3.  Validation Process

   A message receiver uses VBR to determine certification status by
   following these steps:

  <snip>

   3.  Obtains the name of a vouching service that it trusts, either
       from among the set supplied by the sender or from a locally
       defined set of preferred vouching services
====

Presumably, if VBR is already an RFC, why couldn't DMARC integrate with it? As a large receiver I would never trust a set supplied by the sender, but if I had a handful of locally defined vouching services, then I could use that to bypass a DMARC enforcement in the event that the message passes SPF and DKIM, yet fails alignment.

--Terry
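The receiver-side logic sketched in the post, as an added Python example (not from the thread, RFC 5518 or any MTA): it parses a VBR-Info header, consults only locally configured vouching services (the sender's mv list is ignored, per Terry's point), and lets a certified domain override a DMARC failure only when SPF and DKIM both passed and the vouched domain is one that was actually authenticated. The trusted-voucher set, resolver and DNS answers are constructed stand-ins.

```python
from typing import Callable, Optional

# Locally defined set of preferred vouching services (constructed value).
TRUSTED_VOUCHERS = {"vouch.example.net"}


def parse_vbr_info(header: str) -> dict:
    """Split 'md=example.com; mc=transaction; mv=a:b' into a tag dict."""
    tags = {}
    for part in header.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip().lower()
    return tags


def vbr_query_name(md: str, voucher: str) -> str:
    """RFC 5518 lookup name: TXT record at <md>._vouch.<vouching-service>."""
    return f"{md}._vouch.{voucher}"


def certifying_voucher(vbr: dict, authenticated: set, trusted: set,
                       resolve_txt: Callable[[str], list]) -> Optional[str]:
    """Step 3: pick a voucher from the local trusted set, never from mv; then
    check the DNS answer lists the message type (mc) or 'all'."""
    md, mc = vbr.get("md"), vbr.get("mc")
    # md must be a domain SPF or DKIM already authenticated, or anyone could
    # claim a vouched domain in a header they control.
    if not md or not mc or md not in authenticated:
        return None
    for voucher in sorted(trusted):
        for record in resolve_txt(vbr_query_name(md, voucher)):
            types = set(record.lower().split())
            if mc in types or "all" in types:
                return voucher
    return None


def disposition(auth: dict, vbr_header: str,
                resolve_txt: Callable[[str], list], policy: str = "reject") -> str:
    """Apply DMARC policy unless the local VBR override applies: SPF and DKIM
    both passed (only alignment failed) and a trusted voucher certifies md."""
    if auth["dmarc"] == "pass":
        return "accept"
    if auth["spf"] == "pass" and auth["dkim"] == "pass":
        authed = {auth["spf_domain"], auth["dkim_domain"]}
        vbr = parse_vbr_info(vbr_header)
        if certifying_voucher(vbr, authed, TRUSTED_VOUCHERS, resolve_txt):
            return "accept-vbr-override"
    return policy
```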
