[dmarc-discuss] DMARC thwarted already?

Douglas Otis doug.mtview at gmail.com
Thu Jun 5 17:27:06 PDT 2014


On Jun 5, 2014, at 3:34 PM, John Levine via dmarc-discuss <dmarc-discuss at dmarc.org> wrote:

> In article <0824AAFA38087A4285DB5B27F9323DC30514CF4464 at rpcoex01.rpcorp.local> you write:
>> I agree - DMARC does not protect against the From description. But if the MUA were to display
>> the full From header rather than the description only, we might be getting somewhere.
> 
> We might, but we probably wouldn't, since there's no reason to assume
> that typical users understand the security implications of mail
> addresses and domain names.  Also, considering that there is
> approximately an infinite number of ways to write something that looks
> sort of like some other thing that people are expecting, this approach
> is bailing the ocean with a sieve.
> 
> It might work better to flip things around and try highlighting the
> good stuff.  Green bar SSL certs are an example of this approach.

Dear John,

Agreed.  It also seems there needs to be a way to extend trust before any semaphore has meaning.  After all, many messages on this list are being placed into spam-folders.  It would be nice to find a way to extend trust where appropriate as can be determined only by the sending domain.  Such a scheme might avoid errant placement with truly malicious messages found in the same folder.  Little protection is afforded when people are required to muck through their spam folders since p=reject is now interpreted to mean p=quarantine.  Although the risk of this interpretation is real, there is also significant harm caused by a policy disrupting legitimate messages.  The sending domains receive feedback and are able to review with which domains they have exchanged messages.  After a few weeks of review, instances that might require human involvement should become fairly few.  At that point, email will be better able to handle another breach while also reducing rewards obtained from these deplorable and illicit acts.

Regards,
Douglas Otis  
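The point raised above, that DMARC checks only the domain of the From address and never the display name, and that p=reject is a distinct disposition from p=quarantine, can be made concrete. The following is an added illustration, not code from this thread or from any DMARC implementation; the organizational-domain derivation is a simplifying assumption (last two labels, no Public Suffix List) and the sample header and record are constructed.

```python
from email.utils import parseaddr

def from_domain(from_header):
    """Return (display_name, domain) for an RFC 5322 From: header.
    DMARC aligns on the addr-spec domain only; the display name is
    free text and plays no part in the check."""
    name, addr = parseaddr(from_header)
    if "@" not in addr:
        return name, None
    return name, addr.rsplit("@", 1)[1].lower()

def org_domain(domain):
    # Assumption: organizational domain = last two labels. Real DMARC
    # uses the Public Suffix List, so "example.co.uk" would be wrong here.
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])

def aligned(from_dom, auth_dom, mode="r"):
    """Identifier alignment: strict ('s') needs an exact match, relaxed
    ('r') accepts the same organizational domain."""
    if from_dom is None or auth_dom is None:
        return False
    if mode == "s":
        return from_dom == auth_dom.lower()
    return org_domain(from_dom) == org_domain(auth_dom)

def parse_dmarc_record(txt):
    """Parse a 'tag=value; tag=value' DMARC TXT record into a dict."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            k, v = part.split("=", 1)
            tags[k.strip().lower()] = v.strip()
    return tags

def dmarc_disposition(record, from_dom, spf_dom=None, dkim_dom=None):
    """Return 'pass', or the record's requested p= disposition when
    neither the SPF nor the DKIM authenticated domain aligns."""
    tags = parse_dmarc_record(record)
    if tags.get("v", "").upper() != "DMARC1":
        return "none"  # no usable policy published
    spf_ok = aligned(from_dom, spf_dom, tags.get("aspf", "r"))
    dkim_ok = aligned(from_dom, dkim_dom, tags.get("adkim", "r"))
    return "pass" if (spf_ok or dkim_ok) else tags.get("p", "none")

# Constructed sample: display name says one thing, the domain that DMARC
# evaluates is example.net, and the SPF-authenticated domain is a subdomain.
FROM = '"Example Bank Support" <alerts@example.net>'
RECORD = "v=DMARC1; p=reject; rua=mailto:dmarc@example.net"
```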