ietf-smtp

Re: [ietf-smtp] DKIM and DMARC, Email explained from first principles

2021-05-24 20:24:10
It appears that Sam Varshavchik <mrsam(_at_)courier-mta(_dot_)com> said:
> I'm struggling to identify some tangible value-added that DKIM/DMARC brings
> to the table.
>
> Ostensibly, these signatures prove that the mail really comes from the
> domain it purported to come from.
>
> Ok, that's cool, but what is the point?

For DKIM, the point is to have a reliable identifier for the message
that is better than an IP address. Small mailers that share an IP can
use separate signing domains to separate their mail streams, large
mailers can aggregate the reputation of all of their outbound IPs.

As you say, merely having a DKIM signature tells you nothing, but
after you watch a mail stream for a while, you see that some DKIM
signers send clean mail and some send lousy mail and adjust your
filters appropriately. Large mail systems all do this. We hoped that
there would be shared DKIM reputation lists like there are shared IP
lists but so far that hasn't happened.

The original point of DMARC was for B2C or B2B mail from heavily
phished domains like Paypal, that could say please discard anything
from us that fails DMARC and we understand that might be some real
mail. (All of Paypal's mail just says "something happened, look at our
web site".) It still works pretty well for that.

Unfortunately, AOL and Yahoo had separate giant security failures and
allowed crooks to steal people's address books, so spammers could take
pairs of addresses and send spam that appeared to be from a friend,
leading to huge numbers of support calls at AOL and Yahoo. They
decided to outsource the cost of their security failures to the rest
of the Internet by abusing DMARC p=reject to make that spam disappear,
along with a lot of real person-to-person and list mail. They knew
this would break every mailing list and they didn't care, according to
someone who was in the room at the time.

The people who designed DKIM and DMARC knew then and know now what it
can and can't do, but we have done a poor job of explaining them to
people who want them to be a magic FUSSP.

R's,
John

_______________________________________________
ietf-smtp mailing list
ietf-smtp(_at_)ietf(_dot_)org
https://www.ietf.org/mailman/listinfo/ietf-smtp
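The two mechanics John describes above, the DKIM d= tag as a per-signer identifier a receiver keeps reputation on, and DMARC alignment with p=reject discarding mail whose From: domain has no aligned DKIM or SPF pass (which is why a modifying mailing list breaks it), worked as a hypothetical Python example. This is an editor's addition, not code from the post, from any IETF document, or from a real DKIM/DMARC implementation such as OpenDMARC. It assumes DKIM and SPF verification results are supplied as inputs rather than computed, approximates the organizational domain as the last two DNS labels instead of the Public Suffix List, and uses constructed sample domains (bank.example, phisher.example, lists.example, bulk.example) and a constructed DKIM-Signature header.

```python
"""Editor's added example; not code from the post, the IETF, or any real
DKIM/DMARC implementation. DKIM/SPF results are inputs (assumption), and
the organizational domain is approximated as the last two labels
(assumption; real DMARC uses the Public Suffix List). Domains and the
sample header below are constructed."""
from collections import defaultdict

# Constructed DKIM-Signature value, folded as it would appear in a raw
# message; bh= and b= are placeholders, not real digests or signatures.
SAMPLE_DKIM_HEADER = (
    "v=1; a=rsa-sha256; c=relaxed/relaxed; d=bank.example;\r\n"
    " s=sel1; h=from:to:subject:date; bh=abc=;\r\n"
    " b=AAAA\r\n  BBBB"
)


def parse_dkim_tags(header_value: str) -> dict:
    """Split a DKIM-Signature tag=value list (RFC 6376 tag-list form).
    Line folding is undone and folding whitespace inside a value (a
    wrapped b=) is dropped, so d= can be read as the signer identifier."""
    unfolded = header_value.replace("\r\n", "").replace("\n", "")
    tags = {}
    for item in unfolded.split(";"):
        if "=" not in item:
            continue  # empty item after a trailing ';'
        name, value = item.split("=", 1)
        tags[name.strip()] = "".join(value.split())
    return tags


def org_domain(domain: str) -> str:
    """Last two labels; assumption standing in for the Public Suffix List."""
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def aligned(from_domain: str, auth_domain: str, mode: str) -> bool:
    """DMARC identifier alignment: 's' = exact match, 'r' = same org domain."""
    f, a = from_domain.lower(), auth_domain.lower()
    return f == a if mode == "s" else org_domain(f) == org_domain(a)


def dmarc_disposition(from_domain, dkim_results, spf_result, policy,
                      adkim="r", aspf="r"):
    """Return ('pass', 'none') or ('fail', policy).
    dkim_results: [(d= domain, signature verified), ...]
    spf_result:   (MAIL FROM domain, SPF passed) or None
    policy:       p= value from the From: domain's DMARC record
    Only a verified AND aligned identifier counts; a verified but
    unaligned signature (e.g. a list's own) does not rescue the message."""
    dkim_ok = any(ok and aligned(from_domain, d, adkim)
                  for d, ok in dkim_results)
    spf_ok = (spf_result is not None and spf_result[1]
              and aligned(from_domain, spf_result[0], aspf))
    return ("pass", "none") if dkim_ok or spf_ok else ("fail", policy)


def signer_reputation(observations):
    """Per-signer spam rate from a receiver's own verdicts.
    observations: [(d= domain, verified, receiver judged it spam), ...]
    Unverified signatures are skipped: an unverified d= identifies nobody.
    Returns {signer: (messages seen, spam fraction)}."""
    counts = defaultdict(lambda: [0, 0])
    for signer, verified, is_spam in observations:
        if verified:
            counts[signer.lower()][0] += 1
            counts[signer.lower()][1] += int(is_spam)
    return {s: (n, spam / n) for s, (n, spam) in counts.items()}


def run_scenarios():
    """Constructed cases; the From: domain bank.example publishes p=reject."""
    return {
        # Direct mail signed by the sender's own domain: aligned pass.
        "direct": dmarc_disposition("bank.example", [("bank.example", True)],
                                    ("bank.example", True), "reject"),
        # Spoofed From:, DKIM/SPF pass only for the attacker's domain.
        "phish": dmarc_disposition("bank.example", [("phisher.example", True)],
                                   ("phisher.example", True), "reject"),
        # Relayed by a list that edited Subject/body: the author's signature
        # no longer verifies, the list's signature and SPF pass but are not
        # aligned with From:, so a legitimate post is rejected.
        "mailing_list": dmarc_disposition(
            "bank.example", [("bank.example", False), ("lists.example", True)],
            ("lists.example", True), "reject"),
        # Subdomain From: with parent-domain signature: relaxed passes,
        # strict (adkim=s) does not.
        "relaxed": dmarc_disposition("news.bank.example",
                                     [("bank.example", True)], None, "reject"),
        "strict": dmarc_disposition("news.bank.example", [("bank.example", True)],
                                    None, "reject", adkim="s"),
    }


if __name__ == "__main__":
    print("signer:", parse_dkim_tags(SAMPLE_DKIM_HEADER)["d"])
    for name, result in run_scenarios().items():
        print(f"{name:13s} {result}")
    print(signer_reputation([("bank.example", True, False),
                             ("bank.example", True, False),
                             ("bulk.example", True, True),
                             ("bulk.example", True, False),
                             ("bulk.example", False, True)]))
```

The "mailing_list" case is the one John's message turns on: nothing in the evaluation is wrong, the list simply has no way to produce an identifier aligned with a From: domain it does not control, so the From: domain's p=reject is applied to the post. The reputation function deliberately discards unverified signatures, since a d= that did not verify is just a string anyone could have put there.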