On DMARC Marketing
Just before Thanksgiving, NPR‘s All Things Considered radio program had a short item on DMARC, a protocol that attempts to control fraudulent use of internet domains by email spammers by asserting that messages coming from those domains are authenticated using DKIM or SPF. Since I have been working in that area, a colleague alerted me to the coverage and I listened to it online.
A couple of people asked me about my opinion of the article, which I thought might be of interest to others as well.
From the introduction:
JENNA MCLAUGHLIN, BYLINE: Cybercriminals love the holiday season. The internet is flooded with ads clamoring for shoppers’ attention, and that makes it easier to slip in a scam. At this point, you probably know to watch out for phishing emails, but it might surprise you to know that there’s a tool that’s been around a long time that could help solve this problem. It’s called DMARC – or the Domain Message Authentication, Reporting and Conformance Protocol – whew. It’s actually pretty simple. It basically helps prove the sender is who they say they are.
Of course it doesn’t help prove the sender is who they say they are at all, it expresses a request for what to do when the sender doesn’t. But I’ll forgive this one since it’s the interviewer’s misunderstanding.
ROBERT HOLMES: DMARC seeks to bring trust and confidence to the visible from address of an email so that when you receive an email from an address at wellsfargo.com or bestbuy.com, you can say with absolute certainty it definitely came from them.
(1) There is no “visible from address”. Most mail user agents (webmail, and programs like Apple Mail) these days leave out the actual email address and only display the “friendly name”, which isn’t verified at all. I get lots of junk email with addresses like:
From: Delta Airlines <win-Eyiuum8@Eyiuum8-DeltaAirlines.com>
This of course isn’t going to be affected by Delta’s DMARC policy (which only applies to email with a From address of @delta.com), but a lot of recipients are going to only see “Delta Airlines.” Even if the domain was visible, it’s not clear how much attention the public pays to the domain, compounded by the fact that this one is deceptively constructed.
(2) There is no absolute certainty. Even with a DKIM signature in many cases a bogus Authentication-Results header field could be added, or the selector record in DNS could be spoofed by cache poisoning.
HOLMES: So the thing about good security – it should be invisible to Joe Public.
This seems to imply that the public doesn’t need to be vigilant as long as the companies implement DMARC. Not a good message to send. And of course p=none, which for many domains is the only safe policy to use, isn’t going to change things at all, other than to improve deliverability to Yahoo and Gmail.
HOLMES: I think the consequences of getting this wrong are severe. Legitimate email gets blocked.
Inappropriate DMARC policies cause a lot of legitimate email blockage as well.
When we embarked on this authentication policy thing (back when we were doing ADSP), I hoped that it would cause domains to separate their transactional and advertising mail, use different domains or subdomains for those, and publish appropriate policies for those domains. It’s still not perfect, since some receive-side forwarders (e.g., alumni addresses) break DKIM signatures. But what has happened instead is a lot of blanket requirements to publish restrictive DMARC policies regardless of the usage of the domain, such as the CISA requirement on federal agencies. And of course there has been a big marketing push from DMARC proponents that, in my opinion, encourages domains to publish policies that are in conflict with how their domains are used.
Going back to my earlier comment, I really wonder if domain-based policy mechanisms like DMARC provide significant benefit when the domain isn’t visible. On the other hand, DMARC does cause definite breakage, notably to mailing lists.
Altmode 
Leave a comment