[dmarc-discuss] MLM and Header-From rewriting - the SMTP open-relay analogy

J. Gomez jgomez at seryrich.com
Sat Jun 7 11:04:24 PDT 2014

On Saturday, June 07, 2014 4:23 PM [GMT+1=CET], Larry Finch via dmarc-discuss wrote:

> The workarounds thus far deployed for mailing lists (from both L-Soft
> and Mailman) are really ugly, and make lists harder to use for all
> users of lists. Even Yahoo’s own workaround for their Yahoo Groups
> are ugly.  If DMARC really achieved its ideal of blocking phishing
> and spam it might be a sacrifice worth making, but I have seen no
> decrease in the incidence of phishing emails since Yahoo and AOL
> deployed p=reject. My banks and other financial institutions have
> also deployed DMARC p=reject, and I still get several
> convincing-looking phishing emails a week. I can recognize them
> instantly, but apparently many Internet users cannot. I could also
> recognize them before DMARC was implemented, so DMARC provided no
> benefit to me. So from the perspective of an end user DMARC is a
> failure.

DMARC is in its first legs of a long journey. Imagine an email message which passes DMARC, comes from your bank, and the MUA displays it to the final user with a "green bar" because:

  1. the email's body has a link to the bank logo in https://mybank.com/logo.png or similar,
  2. AND the SSL certificate for https://mybank.com is a valid Extended Validation Certificate,
  3. AND all other (if any) hyperlinks and/or linked images in the body of that email are under the same SSL-secured domain https://mybank.com,
  4. AND the domain in said https URLs matches the DMARC-validated domain in the Header-From.

If all major browsers could reach an agreement to standardize on displaying a "green bar" for EV SSL certificates, imagine now that the major MUA vendors standardize on "green bar"-displaying emails which pass a validation akin to the one I described, which obviously needs and builds on DMARC.

Sure, someone could get an Extended Validation SSL Certificate for "Bank of Amerika, Inc.", but that is something the SSL Certification Authority should prevent from happening when issuing EV SSL certificates.

My point is that DMARC has potential, but "potential" per se cannot be evaluated a priori; we can only make educated guesses about it. And my guess is DMARC holds fruitful uses which we cannot even see coming at this point in time.
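The four conditions above, as an added example (not code from the poster or from any MUA): the DMARC result and the EV-certificate status are passed in as inputs (`dmarc_passed` and the constructed `ev_domains` set stand in for the receiver's authentication result and a CA/browser EV check), while the link extraction and Header-From domain comparison are done on a constructed sample message. It goes slightly beyond the post by also accepting subdomains of the From domain.

```python
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

class LinkCollector(HTMLParser):
    """Collect every href/src URL in an HTML body, noting whether any came from <img>."""
    def __init__(self):
        super().__init__()
        self.urls, self.has_logo = [], False
    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if name in ("href", "src") and value:
                self.urls.append(value)
                self.has_logo |= (tag == "img")

def green_bar_check(raw_message, dmarc_passed, ev_domains):
    """Return (ok, reason) for the four conditions in the post.
    dmarc_passed stands in for the receiver's DMARC result; ev_domains is a
    constructed stand-in for 'this domain serves a valid EV certificate'."""
    if not dmarc_passed:
        return False, "DMARC did not pass"
    msg = message_from_string(raw_message)
    from_domain = parseaddr(msg["From"])[1].rpartition("@")[2].lower()
    html = ""
    for part in msg.walk():  # gather every text/html part of the message
        if part.get_content_type() == "text/html":
            html += part.get_payload(decode=True).decode(part.get_content_charset() or "utf-8")
    collector = LinkCollector()
    collector.feed(html)
    if not collector.has_logo:
        return False, "no linked image (logo) to tie the message to a domain"
    for url in collector.urls:
        parsed = urlparse(url)
        host = (parsed.hostname or "").lower()
        if parsed.scheme != "https":
            return False, f"non-https link: {url}"
        # every link must sit on the Header-From domain or a subdomain of it
        if host != from_domain and not host.endswith("." + from_domain):
            return False, f"link host {host} differs from From domain {from_domain}"
    if from_domain not in ev_domains:
        return False, f"{from_domain} has no EV certificate"
    return True, "all links are https under the DMARC-validated From domain; green bar"

# Constructed sample messages (not real mail); the lure keeps the same From but links elsewhere
GOOD_MESSAGE = """From: Alerts <alerts@mybank.example>
Content-Type: text/html; charset=utf-8

<html><body><img src="https://mybank.example/logo.png">
<a href="https://www.mybank.example/login">Sign in</a></body></html>
"""
LURE_MESSAGE = GOOD_MESSAGE.replace("https://www.mybank.example/login", "https://mybank-login.example/")
```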
