ietf

Re: Google threatens to break Gmail

2015-10-25 13:20:05
On 25/10/2015 02:33, Rich Kulawiec wrote:
On Fri, Oct 23, 2015 at 08:36:31PM +0200, Martin Rex wrote:
I do not see any increased potential for phishing
Rather the opposite -- DMARC could be abused to give users a false
sense of security and fall to the flawed assumption that it would
authenticate the EMail author (which it doesn't).

Just for fun, I looked at a small sample of spam: the most recent 24
messages that gmail itself tagged as junk.

No false positives.
4 tagged as DMARC pass.
5 tagged as DMARC fail (gmail does not currently obey p=discard)
15 with no DMARC status.

Which suggests that DMARC status is pretty much orthogonal to spam detection,
on this small sample.

There's a certain domain associated with one of the largest ISP/MSPs, where
it's apparently very easy to create a bogus account and spam the world. So lots
of people do just that. Everything from that domain is signed with DKIM and the
domain has DMARC records.

I don't know anyone legitimate who uses that domain, but I do occasionally get
legitimate mail from that domain via a mailing list, which invariably breaks
the DKIM signature and hence fails DMARC checks.

So in this specific case DMARC is a 100% reliable indicator of spam: that
is, if the signature validates, it's spam; if it doesn't, it's not.

It's been this way for years.

But more generally, over years of testing millions of messages, I see DMARC
failure correlates positively with a message being spam. Enough that I use it
that way in my spam scoring.

You can find examples of practically any behavior you want if the sample
size is small enough.

                                Ned