[dmarc-discuss] DMARC thwarted already?

J. Gomez jgomez at seryrich.com
Thu Jun 5 19:31:54 PDT 2014

Terry Zink wrote:
> > You could just show the domain in green on the MUA, to show that
> > this email is successfully DMARC authenticated by the domain and the
> > domain has strong DMARC policies (p=reject). I feel it should show
> > the UTF-8 version as well as the Punycode version….
> > 
> > No need of a CA.
> If this were done then what is stopping me, as a spammer, from
> registering 1inkedin.com (or something similar to another high
> profile target), and then setting up DKIM and DMARC? If I send a
> malicious email, it would get highlighted the same as a message from
> linkedin.com. That’s not what we want when it comes to highlighting
> messages; we are looking for the senders that we trust, not merely
> the senders that authenticate.

Ideally, green-bar displayed emails (via DKIM and/or DMARC and/or SPF pass) would be vouched against domains present in the recipient's address book. But the problem with that would be that (1) it is highly MUA-dependent, therefore inconsistent if the user changes MUA, and (2) it assumes users keep a well-trimmed address book, or an address book at all, which in my experience is wrong for about 80% of users.

Also, JavaScript exploits to infect users' address books would become common and annoying.

So the solution to the problem, for now, seems to be a custom-made, secret-sauce added-value offering that ESPs give to their users.
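The two ideas in this exchange (show the domain in green only when DMARC passes, and additionally vouch the domain against the recipient's address book so that a look-alike domain with its own valid DKIM/DMARC does not get the same highlighting) can be sketched as a small MUA-side decision function. The following is an added example written for this page, not code from the thread or from any ESP or MUA; the header samples, the address book and the authserv-id `mx.recipient.example` are constructed for illustration. It also shows both the Unicode and the Punycode form of the From domain, as the first quoted message suggests.

```python
import re
from email.parser import HeaderParser
from email.utils import parseaddr

# Constructed sample data (not from the thread): the receiving MTA's
# authserv-id and the recipient's address book, keyed by domain.
MY_AUTHSERV_ID = "mx.recipient.example"
ADDRESS_BOOK = {"linkedin.com", "seryrich.com"}

# Known sender, DMARC pass reported by our own MTA -> green.
SAMPLE_KNOWN = (
    "Authentication-Results: mx.recipient.example; dkim=pass header.d=linkedin.com; "
    "dmarc=pass header.from=linkedin.com\n"
    "From: LinkedIn <messages@linkedin.com>\n"
    "Subject: constructed sample\n"
)
# Look-alike domain with its own valid DMARC setup -> authenticated, but not trusted.
SAMPLE_LOOKALIKE = (
    "Authentication-Results: mx.recipient.example; dkim=pass header.d=1inkedin.com; "
    "dmarc=pass header.from=1inkedin.com\n"
    "From: LinkedIn <messages@1inkedin.com>\n"
    "Subject: constructed sample\n"
)
# Authentication-Results header carrying a foreign authserv-id: the sender
# could have inserted it, so it must not be trusted (RFC 7601 section 1.6).
SAMPLE_FORGED_AR = (
    "Authentication-Results: other.example; dmarc=pass header.from=linkedin.com\n"
    "From: LinkedIn <messages@linkedin.com>\n"
    "Subject: constructed sample\n"
)


def from_domain(msg):
    """Domain of the first RFC5322.From address, lower-cased, or None."""
    _, addr = parseaddr(msg.get("From", ""))
    if "@" not in addr:
        return None
    return addr.rsplit("@", 1)[1].lower().rstrip(".")


def trusted_dmarc_pass(msg, authserv_id):
    """True only if an Authentication-Results header whose authserv-id is our
    own MTA reports dmarc=pass; headers from other ADMDs are ignored."""
    for ar in msg.get_all("Authentication-Results", []):
        head, _, rest = ar.partition(";")
        tokens = head.split()
        if not tokens or tokens[0].lower() != authserv_id.lower():
            continue
        if re.search(r"\bdmarc=pass\b", rest, re.IGNORECASE):
            return True
    return False


def display_domain(domain):
    """Render an A-label (xn--) domain as 'unicode (punycode)'; ASCII as-is."""
    try:
        unicode_form = domain.encode("ascii").decode("idna")
    except UnicodeError:
        unicode_form = domain
    if unicode_form != domain:
        return f"{unicode_form} ({domain})"
    return domain


def trust_indicator(raw_headers, address_book, authserv_id=MY_AUTHSERV_ID):
    """'green' = DMARC pass from a domain the recipient already knows;
    'authenticated-only' = DMARC pass but unknown domain (no green bar);
    'none' = no trustworthy DMARC pass at all."""
    msg = HeaderParser().parsestr(raw_headers)
    domain = from_domain(msg)
    if domain is None or not trusted_dmarc_pass(msg, authserv_id):
        return "none"
    if domain in {d.lower() for d in address_book}:
        return "green"
    return "authenticated-only"


if __name__ == "__main__":
    for name, sample in (("known", SAMPLE_KNOWN), ("lookalike", SAMPLE_LOOKALIKE),
                         ("forged-AR", SAMPLE_FORGED_AR)):
        dom = from_domain(HeaderParser().parsestr(sample))
        print(f"{name}: {display_domain(dom)} -> {trust_indicator(sample, ADDRESS_BOOK)}")
    print(display_domain("xn--bcher-kva.example"))
```

The authserv-id check is the part an MUA cannot skip: a sender can add its own Authentication-Results header claiming dmarc=pass, so only the header stamped by the recipient's own MTA counts. The address-book lookup is what keeps the look-alike case (1inkedin.com passing DMARC for itself) out of the green state, which is exactly the gap Terry's objection points at; it does nothing against an unknown legitimate sender, which is the trade-off the post describes.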

