[dmarc-discuss] DMARC thwarted already?

Terry Zink tzink at exchange.microsoft.com
Thu Jun 5 17:34:54 PDT 2014


Franck,

> See the end of the email, where I argued this case... and it is hard to create
> a club and define the entry level which is open to all, provided they meet
> some requirements.

Yes, it is difficult and I think it's one of the biggest barriers to getting a common solution for trusted senders. I don't think that your solution of authentication-only is enough, as I explain below.

> Besides, whoever registered 1inkedin.com and uses it to misrepresent us may have
> to deal with our lawyers... and I'm not a lawyer... and that would be after
> spamhaus and/or surbl certainly list this domain...

Whether or not they deal with your lawyers is beside the point. If the only criteria for highlighting with a green bar is authentication, then not only can phishers do this by impersonating trusted brands, but so can run-of-the-mill spammers. In Office 365, we are dealing with a spammer who every day registers dozens of new domains and sets up SPF. It would be trivial for him to set up DKIM and DMARC. It's true that SURBL or Spamhaus may list his domains but it doesn't matter from his perspective because he abandons it after he has made his money with it anyhow.

Not only that, but we would then have the worst of both worlds. Users see a green bar for both trusted domains *and* spamming domains. We are training users that the green bar means... what, exactly? They're supposed to trust the green bar but this is not possible if senders can self-validate.

-- Terry
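The scenario Terry describes, worked through as an added example (this is not code from the thread or from either poster's organization): a minimal DMARC evaluation that grants a "green bar" purely on "DMARC pass with p=reject", run over a constructed DNS table in which the lookalike 1inkedin.com publishes the same policy as the brand. The DNS records, header identifiers, allowlist and confusable-character table are all assumptions made for the example; the organizational-domain helper is a toy (real receivers use the Public Suffix List).

```python
"""Added example, not code from the thread: a minimal DMARC policy check
showing that "authenticates and publishes p=reject" is satisfied by a
lookalike domain just as well as by the brand, and what an allowlist adds.
DNS records, header identifiers and the allowlist are all constructed."""
from typing import Optional

# Constructed stand-in for DNS TXT lookups. The brand and the lookalike both
# publish p=reject: nothing in DMARC stops a fresh registrant from doing so.
DNS_TXT = {
    "_dmarc.linkedin.com": "v=DMARC1; p=reject; adkim=s; aspf=s; rua=mailto:dmarc@linkedin.com",
    "_dmarc.1inkedin.com": "v=DMARC1; p=reject",
    "_dmarc.example.org": "v=DMARC1; p=none; rua=mailto:rua@example.org",
}

def parse_dmarc(record: str) -> dict:
    """Parse an RFC 7489 'tag=value; tag=value' record into a dict."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags

def lookup_policy(from_domain: str) -> Optional[dict]:
    """Return the DMARC tags for the RFC5322.From domain, or None if absent/invalid.
    (A real receiver also falls back to the organizational domain's record.)"""
    record = DNS_TXT.get("_dmarc." + from_domain.lower())
    if record is None:
        return None
    tags = parse_dmarc(record)
    if tags.get("v", "").upper() != "DMARC1" or "p" not in tags:
        return None
    tags.setdefault("adkim", "r")  # alignment modes default to relaxed
    tags.setdefault("aspf", "r")
    return tags

def org_domain(domain: str) -> str:
    """Toy organizational domain: last two labels. Real code uses the Public Suffix List."""
    return ".".join(domain.lower().split(".")[-2:])

def aligned(from_domain: str, auth_domain: str, mode: str) -> bool:
    """Identifier alignment: exact match in strict mode, same org domain in relaxed."""
    if mode == "s":
        return from_domain.lower() == auth_domain.lower()
    return org_domain(from_domain) == org_domain(auth_domain)

def dmarc_evaluate(from_domain, dkim_pass_domains, spf_pass_domain):
    """Return (dmarc_pass, policy) given the domains that passed DKIM (d=) and SPF."""
    policy = lookup_policy(from_domain)
    if policy is None:
        return False, None
    dkim_ok = any(aligned(from_domain, d, policy["adkim"]) for d in dkim_pass_domains)
    spf_ok = spf_pass_domain is not None and aligned(from_domain, spf_pass_domain, policy["aspf"])
    return (dkim_ok or spf_ok), policy["p"]

def green_bar_auth_only(from_domain, dkim_pass_domains, spf_pass_domain=None) -> bool:
    """The authentication-only criterion: DMARC pass and p=reject. Self-validating."""
    passed, policy = dmarc_evaluate(from_domain, dkim_pass_domains, spf_pass_domain)
    return passed and policy == "reject"

TRUSTED_SENDERS = {"linkedin.com"}  # constructed allowlist: the "club" membership

def green_bar_trusted(from_domain, dkim_pass_domains, spf_pass_domain=None) -> bool:
    """Terry's criterion: authenticated AND on a list the receiver curates."""
    return (green_bar_auth_only(from_domain, dkim_pass_domains, spf_pass_domain)
            and org_domain(from_domain) in TRUSTED_SENDERS)

_CONFUSABLE = str.maketrans({"1": "l", "0": "o", "5": "s", "3": "e"})

def confusable_with(candidate: str, brand: str) -> bool:
    """Cheap lookalike test: fold common digit/letter substitutions (constructed
    table, not exhaustive; 'rn'->'m' and 'vv'->'w' folded too) and compare."""
    def fold(d):
        return org_domain(d).translate(_CONFUSABLE).replace("rn", "m").replace("vv", "w")
    return candidate.lower() != brand.lower() and fold(candidate) == fold(brand)

if __name__ == "__main__":
    cases = [
        ("linkedin.com", ["linkedin.com"], "linkedin.com"),   # the real brand
        ("1inkedin.com", ["1inkedin.com"], None),             # lookalike, own DKIM
        ("example.org", ["example.org"], None),               # p=none, no highlight
        ("linkedin.com", ["1inkedin.com"], None),             # unaligned: no pass
    ]
    for frm, dkim, spf in cases:
        print(f"{frm:14} auth-only={green_bar_auth_only(frm, dkim, spf)!s:5} "
              f"trusted={green_bar_trusted(frm, dkim, spf)!s:5} "
              f"lookalike={confusable_with(frm, 'linkedin.com')}")
```

Running it prints a green bar for both linkedin.com and 1inkedin.com under the authentication-only rule, and only for linkedin.com once the allowlist is required; the confusable check is the kind of extra signal a receiver would need to notice that a self-validated domain is shadowing a listed one.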

From: Franck Martin [mailto:fmartin at linkedin.com]
Sent: Thursday, June 5, 2014 5:26 PM
To: Terry Zink
Cc: dmarc-discuss at dmarc.org
Subject: Re: [dmarc-discuss] DMARC thwarted already?

On Jun 5, 2014, at 5:10 PM, Terry Zink <tzink at exchange.microsoft.com> wrote:


> You could just show the domain in green on the MUA, to show that
> this email is successfully DMARC authenticated by the domain and the
> domain has strong DMARC policies (p=reject). I feel it should show the
> UTF-8 version as well as the punycode version....
>
> No need of a CA.

If this were done then what is stopping me, as a spammer, from registering 1inkedin.com (or something similar to another high profile target), and then setting up DKIM and DMARC? If I send a malicious email, it would get highlighted the same as a message from linkedin.com. That's not what we want when it comes to highlighting messages; we are looking for the senders that we trust, not merely the senders that authenticate.


See the end of the email, where I argued this case... and it is hard to create a club and define the entry level which is open to all, provided they meet some requirements.

Besides, whoever registered 1inkedin.com and uses it to misrepresent us may have to deal with our lawyers... and I'm not a lawyer... and that would be after spamhaus and/or surbl certainly list this domain...

With Web Certificates, history also shows this is about authentication, brand name recognition and attribution, not trust...