[dmarc-discuss] MLM and Header-From rewriting - the SMTP open-relay analogy

Larry Finch finches at portadmiral.org
Sat Jun 7 07:23:29 PDT 2014

On Jun 7, 2014, at 9:35 AM, Dave Crocker <dhc at dcrocker.net> wrote:

> On 6/7/2014 3:24 PM, Larry Finch via dmarc-discuss wrote:
>> Except, as I and others have discovered in the past few days, DMARC does
>> NOT make email "so much more secure," as phishers and spammers have
>> already found workarounds to continue their assault. So all DMARC has
>> accomplished is to inconvenience large, distributed communities of
>> legitimate mail forwarders such as mailing lists with no long-term benefit.
> I hope there was nothing in my note that seemed to comment on dmarc
> efficacy, one way or the other.  I was trying only to comment on the
> differences in the nature of open-relay vs. dmarc analysis.
> The question of dmarc work-arounds raises the basic question of
> short-term vs. long-term.
> The paradigm change being imposed is a long-term effect.  If, in fact,
> the benefits are really only short-term, that's an extremely expensive
> cost for a brief improvement.
> Arguably, the mechanisms being put in place to make mailing list
> participation work for authors of p=reject dmarc domains essentially
> provide a road-map for abusers to follow.  That would, indeed, seem to
> make real dmarc benefits rather short-lived.


If my post implied criticism of you I apologize. I was simply building on your observation, not attacking it. 

The workarounds thus far deployed for mailing lists (from both L-Soft and Mailman) are really ugly, and make lists harder to use for all users of lists. Even Yahoo’s own workaround for their Yahoo Groups is ugly. If DMARC really achieved its ideal of blocking phishing and spam it might be a sacrifice worth making, but I have seen no decrease in the incidence of phishing emails since Yahoo and AOL deployed p=reject. My banks and other financial institutions have also deployed DMARC p=reject, and I still get several convincing-looking phishing emails a week. I can recognize them instantly, but apparently many Internet users cannot. I could also recognize them before DMARC was implemented, so DMARC provided no benefit to me. So from the perspective of an end user DMARC is a failure.

best regards,
Larry Finch
finches at portadmiral.org
