[dmarc-discuss] DMARC thwarted already?
tzink at exchange.microsoft.com
Thu Jun 5 17:19:35 PDT 2014
>Doesn’t this come back to the whitelist idea? For the green bar SSL certs (Extended
>Validation), the certs have a bunch of information encoded in it, and the browsers have a
>list of CA’s that they trust. AFAIK, the only way to do that for email is through DKIM but
>you wouldn’t highlight all DKIM-signed email, only DKIM-signed email that you trust which
>is compared against a whitelist.
> Yes, definitely. See RFC 5518 for one approach.
This makes sense.
We were talking about whitelists and DMARC a couple of weeks ago wherein if a message fails DMARC yet comes from a certain domain/IP, do not enforce DMARC. This sounds just like VBR. From Section 3 of RFC 5518 (http://www.ietf.org/rfc/rfc5518.txt):
3. Validation Process
A message receiver uses VBR to determine certification status by
following these steps:
3. Obtains the name of a vouching service that it trusts, either
from among the set supplied by the sender or from a locally
defined set of preferred vouching services
Presumably, if VBR is already an RFC, why couldn't DMARC integrate with it? As a large receiver I would never trust a set supplied by the sender, but if I had a handful of locally defined vouching services, then I could use that to bypass a DMARC enforcement in the event that the message passes SPF and DKIM, yet fails alignment.
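As an added illustration of the policy sketched in this message (not code from the list, the poster, or any DMARC/VBR implementation), the following Python models a receiver that only relaxes DMARC enforcement when a vouching service from its own locally configured set, intersected with the set the sender advertises in VBR-Info, vouches for the DKIM-authenticated domain. The header format (md=, mc=, mv=) and the TXT lookup name `<domain>._vouch.<vouching-service>` follow my reading of RFC 5518; the domain names, the DNS answers (a dict standing in for real TXT lookups) and the requirement that md match the passing DKIM d= are constructed assumptions for the example.

```python
from dataclasses import dataclass

# Vouching services this receiver chose to trust (constructed names for the example).
LOCAL_VOUCHERS = {"vouch.example.net", "vouch.example.org"}

# Constructed stand-in for DNS: the TXT record at <domain>._vouch.<vouching-service>
# lists the message types the service certifies for that domain (RFC 5518, section 5).
FAKE_DNS_TXT = {
    "newsletter.example.com._vouch.vouch.example.net": "list all",
    "shop.example.com._vouch.vouch.example.org": "transaction",
}


@dataclass
class AuthResult:
    spf_pass: bool
    dkim_pass: bool
    dkim_domain: str      # d= of the DKIM signature that passed
    spf_aligned: bool     # SPF domain aligned with RFC5322.From (DMARC sense)
    dkim_aligned: bool    # DKIM d= aligned with RFC5322.From (DMARC sense)


def parse_vbr_info(header):
    """Parse a VBR-Info value of the form 'md=domain; mc=type; mv=svc1:svc2'."""
    fields = {}
    for part in header.split(";"):
        part = part.strip()
        if "=" in part:
            key, value = part.split("=", 1)
            fields[key.strip().lower()] = value.strip()
    vouchers = [s.strip().lower() for s in fields.get("mv", "").split(":") if s.strip()]
    return fields.get("md", "").lower(), fields.get("mc", "").lower(), vouchers


def vbr_vouches(domain, mtype, voucher, lookup=FAKE_DNS_TXT.get):
    """True if `voucher` certifies `domain` for message type `mtype` ('all' matches any)."""
    record = lookup(f"{domain}._vouch.{voucher}")
    if record is None:
        return False
    certified = record.lower().split()
    return "all" in certified or mtype in certified


def dmarc_disposition(auth, policy, vbr_info=None, local_vouchers=LOCAL_VOUCHERS):
    """Return 'pass', 'deliver', 'deliver-vbr-override', 'quarantine' or 'reject'."""
    if (auth.spf_pass and auth.spf_aligned) or (auth.dkim_pass and auth.dkim_aligned):
        return "pass"
    if policy == "none":
        return "deliver"
    # Relax enforcement only when SPF and DKIM both passed and alignment alone failed.
    if vbr_info and auth.spf_pass and auth.dkim_pass:
        md, mc, sender_vouchers = parse_vbr_info(vbr_info)
        # Assumption: the vouched domain must be the one DKIM actually authenticated.
        if md == auth.dkim_domain.lower():
            # Never trust the sender's list on its own: only services we configured count.
            for voucher in sorted(local_vouchers.intersection(sender_vouchers)):
                if vbr_vouches(md, mc, voucher):
                    return "deliver-vbr-override"
    return policy  # "quarantine" or "reject", as published by the From domain


if __name__ == "__main__":
    # Constructed message: authenticated as newsletter.example.com, not aligned with From.
    auth = AuthResult(True, True, "newsletter.example.com", False, False)
    header = "md=newsletter.example.com; mc=list; mv=vouch.example.net:vouch.bogus.example"
    print(dmarc_disposition(auth, "reject", header))   # deliver-vbr-override
```

The intersection step is the point the message makes: the sender may advertise any number of vouching services, but only the ones the receiver configured are ever queried, and a domain the trusted service does not certify for that message type still gets the published policy.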