On the issue of spoofing, only two security postures are possible in the incoming mail gateway:

1. We allow spoofing by default, then block problematic spoofing as detected, on a case-by-case basis.
2. We disallow spoofing by default, then allow desired mail as needed, on a case-by-case basis.

Only the second security posture is credible in a security audit. DMARC v1 is the most effective tool for implementing that security posture. The proposed "new" DMARC returns us to the first security posture.
Incoming email can be divided into these categories:

1. Messages that have confirmed identities.
2. Messages that appear to be spoofing but actually contain desired content from valued senders.
3. Messages that appear to be spoofing and are unwanted.
4. Messages where spoofing cannot be evaluated.

Security posture 2 will be associated with these policies:

- Message category 1 will be allowed or blocked on other criteria. In particular, confirmed identity allows preferred message handling to be implemented safely.
- Message category 2 will be handled through the receiving organization's exception process.
- Message category 3 will always be blocked.
- Message category 4 may be reviewed, as time permits, to determine a local policy which moves it into category 1 or 3.

If there are category 2 problems that cannot be solved between a recipient user and his email security team, we need to document when and why this is happening. However, the expectation is that senders in categories 2 and 4 will have an incentive to move into category 1 over time. To the extent that this has not happened, it is a great misfortune. An excess of category 2 messages can contribute to an organization choosing to delay or abandon implementation of security posture 2. This increases their risk. Indirectly, category 2 messages serve to facilitate the dirty work of category 3 messages, in exactly the same way that a large enough crowd can become an enabler for looters and arsonists.

DF
_______________________________________________ dmarc mailing list [email protected] https://www.ietf.org/mailman/listinfo/dmarc
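The four categories and the posture-2 dispositions described in the post map directly onto a gateway classifier. The following is an added example, not code from the post or from the DMARC working group: it assumes a simplified `AuthResults` record (in practice taken from the MTA's Authentication-Results header and a DNS lookup of the From domain's DMARC record, neither of which is performed here), a toy organizational-domain function in place of the Public Suffix List, and an exception list keyed on the From domain plus a verified DKIM signer so that the exception process cannot itself become a spoofable bypass. The sample messages are constructed.

```python
from dataclasses import dataclass
from enum import Enum
from typing import Optional, Set, Tuple


class Category(Enum):
    CONFIRMED = 1           # identity confirmed by aligned SPF or DKIM (category 1)
    SPOOF_LIKE_WANTED = 2   # fails DMARC but approved by the local exception process (category 2)
    SPOOF_LIKE_UNWANTED = 3  # fails DMARC, no exception (category 3)
    UNEVALUABLE = 4         # From domain publishes no DMARC record (category 4)


@dataclass
class AuthResults:
    """Simplified, constructed per-message authentication record (assumption)."""
    from_domain: str            # RFC5322.From domain the user sees
    spf_result: str             # "pass", "fail" or "none"
    spf_domain: Optional[str]   # RFC5321.MailFrom domain SPF was evaluated against
    dkim_result: str            # "pass", "fail" or "none"
    dkim_domain: Optional[str]  # d= of the verified signature, if any
    has_dmarc_record: bool      # outcome of the DMARC DNS lookup (assumed, not performed here)
    aspf_strict: bool = False   # aspf=s in the sender's DMARC record
    adkim_strict: bool = False  # adkim=s in the sender's DMARC record


def org_domain(domain: str) -> str:
    """Toy organizational-domain derivation: the last two labels.
    Real deployments must use the Public Suffix List (e.g. for co.uk)."""
    return ".".join(domain.lower().rsplit(".", 2)[-2:])


def aligned(from_domain: str, auth_domain: Optional[str], strict: bool) -> bool:
    """DMARC identifier alignment: exact match in strict mode, same org domain in relaxed mode."""
    if not auth_domain:
        return False
    if strict:
        return from_domain.lower() == auth_domain.lower()
    return org_domain(from_domain) == org_domain(auth_domain)


def dmarc_pass(r: AuthResults) -> bool:
    """A message passes DMARC if either SPF or DKIM passes AND is aligned with the From domain."""
    spf_ok = r.spf_result == "pass" and aligned(r.from_domain, r.spf_domain, r.aspf_strict)
    dkim_ok = r.dkim_result == "pass" and aligned(r.from_domain, r.dkim_domain, r.adkim_strict)
    return spf_ok or dkim_ok


def classify(r: AuthResults, exceptions: Set[Tuple[str, str]]) -> Category:
    """Place a message into one of the four categories.

    exceptions holds (from_domain, verified_dkim_domain) pairs the receiving
    organization has approved, e.g. a mailing list that re-signs traffic.
    Requiring a verified signer keeps the exception tied to an authenticated
    identity instead of a bare, spoofable From header.
    """
    if dmarc_pass(r):
        return Category.CONFIRMED
    if not r.has_dmarc_record:
        return Category.UNEVALUABLE
    if (r.dkim_result == "pass" and r.dkim_domain
            and (r.from_domain.lower(), r.dkim_domain.lower()) in exceptions):
        return Category.SPOOF_LIKE_WANTED
    return Category.SPOOF_LIKE_UNWANTED


# Posture 2 dispositions. Category 3 is always blocked regardless of the
# sender's published p= value; the interim handling of category 4 is a local
# choice and "review" is an assumption made for this example.
DISPOSITION = {
    Category.CONFIRMED: "deliver",          # still subject to other filtering
    Category.SPOOF_LIKE_WANTED: "deliver",  # via the documented exception
    Category.SPOOF_LIKE_UNWANTED: "reject",
    Category.UNEVALUABLE: "review",
}


def disposition(r: AuthResults, exceptions: Set[Tuple[str, str]]) -> str:
    return DISPOSITION[classify(r, exceptions)]


# Constructed sample messages (not real traffic).
EXCEPTIONS = {("example.com", "lists.example.org")}  # an approved re-signing list

CONFIRMED_MSG = AuthResults("example.com", "fail", "bounce.other.net", "pass", "mail.example.com", True)
LIST_MSG = AuthResults("example.com", "fail", "lists.example.org", "pass", "lists.example.org", True)
SPOOF_MSG = AuthResults("example.com", "pass", "unrelated.example", "none", None, True)
NO_POLICY_MSG = AuthResults("nodmarc.example", "fail", "nodmarc.example", "none", None, False)
STRICT_MSG = AuthResults("example.com", "fail", "other.net", "pass", "mail.example.com", True,
                         adkim_strict=True)

if __name__ == "__main__":
    for name, msg in [("confirmed", CONFIRMED_MSG), ("list", LIST_MSG), ("spoof", SPOOF_MSG),
                      ("no-policy", NO_POLICY_MSG), ("strict", STRICT_MSG)]:
        print(f"{name:10s} -> {classify(msg, EXCEPTIONS).name:20s} {disposition(msg, EXCEPTIONS)}")
```

Two design points are worth noting. First, the classifier applies the receiver's posture, not the sender's requested policy: a category 3 message is rejected even if the From domain publishes p=none, which is exactly the "disallow by default" posture the post argues for. Second, `STRICT_MSG` shows how a sender's adkim=s turns a subdomain signature into a DMARC failure; with no matching exception it lands in category 3, which is the kind of case the post expects the exception process, and ultimately the sender, to resolve by moving into category 1.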
