ietf-smtp
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

Re: [ietf-smtp] DKIM and DMARC, Email explained from first principles

2021-05-25 18:18:51
from [Dave Crocker] [Permanent Link] 
On 5/25/2021 3:52 AM, Sam Varshavchik wrote
To me that's not fundamentally different from filtering based on the sending IP address. 

In its simplest terms, it isn't.  But then, simplest is not enough here.

First, IP breaks after one MTA hop and DKIM doesn't.
Second, IP mixes all sorts of traffic and DKIM doesn't (or, at least, it doesn't have to). That is, DKIM can be used to highly partition and identify content streams. This allows clean, accurate narrow-band reputation analysis. IP allows only a very coarse reputation grain.
How signers actually use DKIM might well be different from how they /could/ use it, of course... 



Large mail systems all do this. We hoped that
there would be shared DKIM reputation lists like there are shared IP
lists but so far that hasn't happened.
This is never going to happen. Domains are relatively cheap. If a domain acquires negative social credit it'll be discarded and replaced by a new one.
One of the continuing, strategic challenges in anti-abuse work is that people who work in it necessarily have a primary focus on bad actors. A collaborative mechanism -- such as DKIM, where the originating site literally signs up for identification and assessment -- creates a challenge, in that evaluating good actors is quite a different job from evaluating bad actors. It's not that good actors are perfect, but that they are less likely to act badly and typically it won't be intentionally. 

Think misdemeanor rather than felony...
So the fact that domains are cheap is less relevant than a good actor wanting to create a clean record of being a good actor. 



The original point of DMARC was for B2C or B2B mail from heavily
phished domains like Paypal, that could say please discard anything
from us that fails DMARC and we understand that might be some real
mail. (All of Paypal's mail just says "something happened, look at our
web site".) It still works pretty well for that.
Eh, no. A large majority of user-facing mail clients are now hiding the sending mail address, and showing only the name, up front.
Users are pretty much irrelevant to DMARC. DMARC is for use by the receiving filtering engine. It doesn't matter what From: field data is displayed to users. (Really. It. Does. Not. Matter.) 


From: "Paypal Customer Service" <kjsdfjklk(_at_)934iowero(_dot_)us>
Most people will see "Paypal Customer Service". Valid domain signature for 934iowero.us, and straight it goes into your Inbox.
Noting that operators continue to claim benefit in supporting DMARC, the fact that it is easy to circumvent means that its utility is tactical rather than strategic. I'm not a fan of tactical (ie, limited) benefit in standards work, but I didn't have a vote... More importantly, they claim they /do/ see real filtering benefit. 


d/


--
Dave Crocker
Brandenburg InternetWorking
bbiw.net

_______________________________________________
ietf-smtp mailing list
ietf-smtp(_at_)ietf(_dot_)org
https://www.ietf.org/mailman/listinfo/ietf-smtp
[More with this subject...]
<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  Re: [ietf-smtp] DKIM and DMARC, Email explained from first principles, Sam Varshavchik
Next by Date:  Re: [ietf-smtp] DKIM and DMARC, Email explained from first principles, Sam Varshavchik
Previous by Thread:  Re: [ietf-smtp] DKIM and DMARC, Email explained from first principles, Sam Varshavchik
Next by Thread:  Re: [ietf-smtp] DKIM and DMARC, Email explained from first principles, Sam Varshavchik
Indexes:  [Date] [Thread] [Top] [All Lists]