[dmarc-discuss] DMARC thwarted already?

Douglas Otis doug.mtview at gmail.com
Thu Jun 5 17:44:53 PDT 2014

On Jun 5, 2014, at 5:19 PM, Terry Zink via dmarc-discuss <dmarc-discuss at dmarc.org> wrote:

>> Doesn’t this come back to the whitelist idea? For the green bar SSL certs (Extended
>> Validation), the certs have a bunch of information encoded in it, and the browsers have a
>> list of CA’s that they trust. AFAIK, the only way to do that for email is through DKIM but
>> you wouldn’t highlight all DKIM-signed email, only DKIM-signed email that you trust which
>> is compared against a whitelist.
>> Yes, definitely.  See RFC 5518 for one approach.
> This makes sense.
> We were talking about whitelists and DMARC a couple of weeks ago wherein if a message fails DMARC yet comes from a certain domain/IP, do not enforce DMARC. This sounds just like VBR. From Section 3 of RFC 5518 (http://www.ietf.org/rfc/rfc5518.txt):
> ====
> 3.  Validation Process
>   A message receiver uses VBR to determine certification status by
>   following these steps:
>  <snip>
>   3.  Obtains the name of a vouching service that it trusts, either
>       from among the set supplied by the sender or from a locally
>       defined set of preferred vouching services
> ====
> Presumably, if VBR is already an RFC, why couldn't DMARC integrate with it? As a large receiver I would never trust a set supplied by the sender, but if I had a handful of locally defined vouching services, then I could use that to bypass a DMARC enforcement in the event that the message passes SPF and DKIM, yet fails alignment.

Dear Terry,

By carefully reviewing TPA-Label, you'll see it supports the VBR approach (which requires affixing VBR information) and an approach where the domain can offer the information directly.  VBR assumes the domain being vouched for is relatively unknown.  Clearly, that is not the case with Yahoo or AOL.  The difference is fairly basic.  TPA-Label simply requires a third-party domain to be validated and found to have been listed.  This listing can be done by the DMARC domain directly, or another domain if they so wish.  This will not have an impact on normal message handling as VBR will.  In essence, Yahoo or AOL become the vouching domains with the TPA-Label approach.  The benefit is this makes no changes to the messages themselves.

Douglas Otis
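To make the receiver-side flow Terry sketches concrete (SPF and DKIM pass, DMARC alignment fails, and a vouching service the receiver itself trusts is consulted before enforcing the policy), here is an added illustration in Python. It is not code from this thread, from dmarc.org, or from any VBR or TPA-Label implementation. The vouching-service name, the domains, the trusted set and the DNS stand-in are all constructed for the example; the `<md>._vouch.<mv>` TXT query and the `md=/mc=/mv=` VBR-Info fields are as described in RFC 5518, while the exact ordering of checks and the `local-override` outcome are my own choices. TPA-Label is not modelled.

```python
from dataclasses import dataclass
from typing import Optional

# Locally defined set of vouching services this receiver trusts (constructed).
# Per Terry's point, the sender-supplied mv= list is never trusted on its own;
# it is only intersected with this set.
LOCAL_TRUSTED_VOUCHERS = {"vouch.example.net"}

# Constructed stand-in for DNS. RFC 5518 section 4 has the receiver query
# "<md>._vouch.<mv>" for a TXT record whose text lists the message types
# ("all", "list", "transaction") the vouching service certifies for md.
FAKE_DNS_TXT = {
    "newsletter.example.com._vouch.vouch.example.net": "all",
    "shop.example.org._vouch.vouch.example.net": "transaction",
}


@dataclass
class AuthResults:
    spf_pass: bool
    dkim_pass: bool
    dmarc_aligned: bool


def parse_vbr_info(header: str) -> dict:
    """Parse 'md=...; mc=...; mv=svc1:svc2' (the VBR-Info field value) into a dict;
    mv= is a colon-separated list of vouching services offered by the sender."""
    fields = {}
    for part in header.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            fields[key.strip().lower()] = value.strip()
    fields["mv"] = [svc.strip().lower() for svc in fields.get("mv", "").split(":") if svc.strip()]
    fields["md"] = fields.get("md", "").lower()
    fields["mc"] = fields.get("mc", "").lower()
    return fields


def vbr_certified(md: str, mc: str, mv: str, resolver=FAKE_DNS_TXT) -> bool:
    """Ask vouching service mv whether it certifies domain md for message type mc."""
    txt = resolver.get(f"{md}._vouch.{mv}")
    if txt is None:
        return False          # no record: the service does not vouch for md
    certified_types = set(txt.lower().split())
    return "all" in certified_types or mc in certified_types


def evaluate(auth: AuthResults, authenticated_domains: set,
             vbr_header: Optional[str], policy: str = "reject") -> str:
    """Return 'pass', 'local-override', or the DMARC policy action.

    authenticated_domains: domains SPF/DKIM actually authenticated for this
    message (assumed to come from the receiver's own authentication step).
    """
    if auth.dmarc_aligned:
        return "pass"
    # Only consider an override when both mechanisms passed but alignment failed.
    if not (auth.spf_pass and auth.dkim_pass) or vbr_header is None:
        return policy
    info = parse_vbr_info(vbr_header)
    # RFC 5518 requires the md= domain to have been authenticated; an
    # unauthenticated VBR-Info field is ignored.
    if info["md"] not in {d.lower() for d in authenticated_domains}:
        return policy
    # RFC 5518 step 3: pick vouching services from the LOCAL trusted set.
    for mv in info["mv"]:
        if mv in LOCAL_TRUSTED_VOUCHERS and vbr_certified(info["md"], info["mc"], mv):
            return "local-override"
    return policy


if __name__ == "__main__":
    hdr = "md=newsletter.example.com; mc=list; mv=untrusted.example:vouch.example.net"
    print(evaluate(AuthResults(True, True, False), {"newsletter.example.com"}, hdr))
```

The override only fires when the md= domain was itself authenticated, when the vouching service is in the receiver's own trusted set, and when that service's TXT answer covers the claimed message type; any other combination falls through to the published DMARC action, which is the conservative failure mode a large receiver would want.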