On Tue 18/Aug/2020 01:39:16 +0200 Jesse Thompson wrote:
> On 8/7/20 9:32 PM, John Levine wrote:
>>> We need spoofing protection for all of our domains without being told we're 
>>> misdeploying.
>>
>> I would be interested to better understand the meaning of "need"
>> here. It is my impression that most people vastly overestimate how
>> much of a phish target they are. Paypal and big banks certainly are,
>> other places, a lot less so.
> 
> (Sorry, I was on a much-needed vacation.)


Much *needed*?  Oh, well...


> Ok, that's fair, I should have realized that one was over-stated.  *Need* 
> would imply that domain-spoofing is more common than it is in reality.


Yes, domain spoofing is common.  You don't need to be PayPal to be spoofed.  
Then, one can say it's an innocuous kind of abuse.  Since you're not PayPal, 
it's just noise.  Yet, in a perfect world, I'd opt to avoid it.


> Cybersecurity-minded folk in EDU tend to equate observed inbound phishing 
> with spoofing (even though most phishing is spoofing the display name and 
> message bodies, not the domain) and conclude that they *need* DMARC without 
> really understanding the nuances.  Given the opportunity that DMARC marketing 
> promises, they definitely *want* inbound DMARC enforcement for 
> domain-spoofing of inbound mail (they'll defer to the email-minded folk to 
> figure out the local policy exemptions, ARC, etc), as well as *want* domain 
> policies that prevent the potential domain spoofing scenarios of owned 
> domains (again, the email-minded folk will figure out how to actually 
> "misdeploy" DMARC).  To them, it's just a checkmark towards some "maturity" 
> benchmark that they use to compare to their peers.


Nice synthesis.  They believe DMARC works as advertised.  What does it take to 
believe that DMARC /could/ work as advertised?


> Email-minded folk in EDU, knowing that DMARC doesn't really have much 
> practical application to phishing, like having the observability that DMARC 
> provides, as well as the hammer that moving past p=none provides as a way to 
> coerce their complex, decentralized institution into a more sustainable 
> operation:
> 
> * Departments sending transactional email - move them to dedicated subdomains 
> (this is where really complex institutions would benefit from walking the 
> domain tree instead of always inheriting from the org domain)


This is a good idea even without DMARC concerns.


> * People sending user email from random places - move them to authenticated 
> submission (preferably OAuth - since basic authentication is the reason why 
> so many passwords are exposed)


This sounds just like an email-client configuration problem.  It shouldn't be so 
hard.


> The latter scenario is interesting because a single user sending from a 
> random place doesn't really show up in DMARC aggregate reports.


Why not?  If they send to DMARC-compliant receivers, their aggregate reports 
should show records without the right MSA signature, not even failed, and 
foreign domain authentications only.  That doesn't tell which users 
misconfigured their client, but gives a good idea of the level of user 
education one has achieved.

It should also show which domains users tend to use for submission, in case an 
organization wants to automate third-party authorization...


Best
Ale
-- 
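As an added illustration (not part of the thread, and not any project's code), here is how a domain owner could sort an aggregate (RUA) report the way the reply above suggests: records with an aligned pass went through the institution's own authenticated submission, records that pass only for a foreign domain point at users submitting from elsewhere, and records with no pass at all are the unauthenticated remainder. The XML below is a constructed sample and the classifier is the editor's own.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict

# Constructed sample aggregate (RUA) report; not taken from the thread.
SAMPLE_RUA = """<feedback>
<policy_published><domain>example.edu</domain><p>none</p></policy_published>
<record><row><source_ip>192.0.2.10</source_ip><count>120</count></row>
 <identifiers><header_from>example.edu</header_from></identifiers>
 <auth_results><dkim><domain>example.edu</domain><result>pass</result></dkim>
  <spf><domain>example.edu</domain><result>pass</result></spf></auth_results></record>
<record><row><source_ip>198.51.100.7</source_ip><count>3</count></row>
 <identifiers><header_from>example.edu</header_from></identifiers>
 <auth_results><dkim><domain>mail-provider.example</domain><result>pass</result></dkim>
  <spf><domain>mail-provider.example</domain><result>pass</result></spf></auth_results></record>
<record><row><source_ip>203.0.113.9</source_ip><count>40</count></row>
 <identifiers><header_from>example.edu</header_from></identifiers>
 <auth_results><spf><domain>example.edu</domain><result>fail</result></spf></auth_results></record>
</feedback>"""

def aligned(auth_domain, org_domain):
    """Relaxed alignment: the authenticated domain is the org domain or a subdomain."""
    return auth_domain == org_domain or auth_domain.endswith("." + org_domain)

def classify_record(rec, org_domain):
    """Sort one <record> by the best identifier it carries."""
    results = [(a.tag, a.findtext("domain"), a.findtext("result"))
               for a in rec.find("auth_results")]
    if any(r == "pass" and aligned(d, org_domain) for _, d, r in results):
        return "aligned"          # went through our own authenticated submission
    if any(r == "pass" for _, d, r in results):
        return "foreign-only"     # authenticated, but only under somebody else's domain
    return "unauthenticated"      # no passing identifier at all

def summarize(xml_text):
    """Return {category: {source_ip: message count}} for one RUA report."""
    root = ET.fromstring(xml_text)
    org = root.findtext("policy_published/domain")
    totals = defaultdict(lambda: defaultdict(int))
    for rec in root.iter("record"):
        ip = rec.findtext("row/source_ip")
        totals[classify_record(rec, org)][ip] += int(rec.findtext("row/count"))
    return {cat: dict(ips) for cat, ips in totals.items()}

if __name__ == "__main__":
    for cat, ips in summarize(SAMPLE_RUA).items():
        print(cat, ips)
```

The "foreign-only" bucket is the one that hints at which third-party submission domains users favour; the "unauthenticated" bucket mixes misconfigured clients with outright spoofing and cannot be split further from the report alone.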
_______________________________________________
dmarc mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dmarc