On Apr 18, 2014, at 8:20 AM, Murray S. Kucherawy
<superuser(_at_)gmail(_dot_)com> wrote:
On Thu, Apr 17, 2014 at 3:16 PM, Michael Richardson
<mcr+ietf(_at_)sandelman(_dot_)ca> wrote:
So, the bug is that Yahoo/DMARC/ are authenticating the From:, when it should
really be authenticating the Sender:. DMARC should key it's policy from
Sender: rather than From, and if it did that then:
1) we could leave the From: intact, which is what's good for the end
users.
2) the list would change the Sender:, which is what we would establish
the reputation of the list, not the From:
3) MUAs would compare the From: and Sender:, and if they differed,
could say useful things like:
"From: Mrex(_at_)sap(_dot_)com via ietf(_at_)ietf(_dot_)org".
(I was also wondering this morning on my commute if a layer of message/rfc822
added by the mailing list might be a useful interim hack)
http://tools.ietf.org/html/draft-kucherawy-dmarc-base-04#section-15.1
One of the key points about DMARC's design is that it's concerned
specifically with From:. The reason is that the content of From: is what's
typically shown to the recipient by MUAs. If DMARC keyed off Sender:
instead, then this would work:
MAIL FROM: haha(_at_)badguy(_dot_)example(_dot_)com
From: security(_at_)paypal(_dot_)com
Sender: haha(_at_)badguy(_dot_)example(_dot_)com
DKIM-Signature: v=1; d=badguy.example.com; ...
If DMARC pays attention to Sender: in favor of From:, then this passes, but
what the user is shown that the message is from
security(_at_)paypal(_dot_)com with a DMARC pass. Not good.
Using Sender: as the authentication key was suggested and ultimately
abandoned during both DomainKeys (RFC 4870, the predecessor to DKIM) and
Sender-ID (RFC 4406, pretty much never implemented) for this sort of reason.
> MUAs which are not implementing the rfc822/2822/5322 "on behalf of"
> semantics of a message that carries both From: and Sender: header
> fields ought to be FIXED. Standards that build on rfc822/2822/5322
> and do not respect "on behalf of" semantics of messages with
> both "Sender:" and "From:" also need to be FIXED.
I don't believe that's standardized. I'm also not sure we (the IETF) want to
enter into user space like MUAs, an area we have historically avoided because
we don't really have such expertise.
Dear Murray,
Agreed. The intent behind DMARC is to protect recipients wanting to trust
specific From header fields. Not protecting them will cause customer loss for
high value transactional domains. Most just don't want the flood of spoofing
reaching their inbox these high value domains attract.
Yahoo has had other problems where many of their accounts have become
compromised. Perhaps DMARC is also seen as a method to curb complaints caused
by spoofed addresses so they can better address accounts actually compromised
by leveraging DMARC feedback. This would be a poor choice in my view.
Regards,
Douglas Otis
-MSK