DMARC allows a policy ("p") value of none, quarantine, or reject. According to
DMARC.org, as of Q2 2022 just under 20% of all DMARC implementations chose the
reject policy (source: https://dmarc.org/stats/dmarc/). However, for that
subset of all DMARC adopters, obviously those businesses are certain that they
have correctly identified and signed each of their legitimate email sources and
that any other source of email that fails authentication is definitionally
unauthorized. So why not alert the senders of these bad messages that they
might have an open relay that has been hijacked for spam purposes by sending a
message to the Abuse alias at the originating domain for failed messages?
I've worked in the email marketing space for decades (all on the permissioned
side!), but I'm not a technician; I'm a marketing guy who can barely manage my
own domain's DNS. But DMARC already includes a feedback loop to the legitimate
sender for aggregate and forensic reports to be sent. Wouldn't it be possible
to extend that feedback function in this manner? Indeed, the DMARC
specification exception report enhancement that I am suggesting, which would be
sent to the Abuse alias, could be written so that the email system that
processed the DMARC-rejected messages could batch multiple senders' rejected
domains into one message to the actual sender. Example:
Domain owners with DMARC implemented and p=reject:

  Legit-sender-1.com
    Non-compliant messages received from the following domains:
      Open-relay-1.com
      Open-relay-2.com
      Open-relay-3.com
      Open-relay-4.com

  Legit-sender-2.com
    Non-compliant messages received from the following domains:
      Open-relay-1.com
      Open-relay-3.com
      Open-relay-4.com
      Open-relay-5.com

  Legit-sender-3.com
    Non-compliant messages received from the following domains:
      Open-relay-3.com
      Open-relay-4.com
      Open-relay-6.com
      Open-relay-7.com

In the example, messages from unapproved sender Open-relay-1.com were received
purporting to be from two separate domains (Legit-sender-1.com and
Legit-sender-2.com). But it isn't necessary to send two separate messages to
[email protected] telling them that they are mailing unapproved email -
one message will suffice! Therefore, the total number of messages to be sent to
an Abuse alias is not the 3 senders * 4 rejected email sending domains each
that is suggested in the table above - there were only seven unique domains
that sent rejected messages and thus only seven messages need to be sent to an
Abuse alias. The count of DMARC-enabled domains is immaterial: it's the
deduplicated count of rejected sending domains. At the scale of a Google or
Microsoft the duplication across domains would be massive which would
dramatically reduce the number of messages to the respective Abuse aliases that
have to be sent. In fact, since not every sending domain has implemented an
Abuse alias, those exception messages that bounce could actually be used in the
receiving domain's proprietary email reputation calculations.
If anyone has any questions on the above, please shout out!
Ted Wham
_______________________________________________
dmarc mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dmarc
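A worked version of the batching and deduplication described in the post above, added here as an illustration; it is not Ted Wham's code and not part of any DMARC implementation or specification. The input table is constructed to match the post's example (three p=reject domains, four failing source domains each), and the abuse@<domain> address form, the notice wording and the set of bounced addresses are assumptions.

```python
"""Deduplicate DMARC-rejected sending domains across multiple p=reject owners
and batch one notice per unique source domain.

Added example, not from the mailing list post or any DMARC software.
"""
from collections import defaultdict

# Constructed input mirroring the post's example table:
# p=reject domain owner -> domains observed sending mail that failed DMARC for it.
REJECTED_BY_OWNER = {
    "Legit-sender-1.com": ["Open-relay-1.com", "Open-relay-2.com",
                           "Open-relay-3.com", "Open-relay-4.com"],
    "Legit-sender-2.com": ["Open-relay-1.com", "Open-relay-3.com",
                           "Open-relay-4.com", "Open-relay-5.com"],
    "Legit-sender-3.com": ["Open-relay-3.com", "Open-relay-4.com",
                           "Open-relay-6.com", "Open-relay-7.com"],
}


def naive_message_count(rejected_by_owner):
    """One notice per (owner, source) pair: 3 owners * 4 sources = 12."""
    return sum(len(sources) for sources in rejected_by_owner.values())


def invert_by_source(rejected_by_owner):
    """Re-key the data by sending domain, so each source appears once together
    with every p=reject domain it was seen impersonating.  Domain names are
    case-insensitive, so they are normalised before deduplicating."""
    by_source = defaultdict(set)
    for owner, sources in rejected_by_owner.items():
        for source in sources:
            by_source[source.lower()].add(owner.lower())
    return dict(by_source)


def batched_notices(rejected_by_owner):
    """Build one notice per unique source domain, addressed to its abuse alias
    (abuse@<domain> is assumed here as the conventional mailbox)."""
    notices = {}
    for source, owners in sorted(invert_by_source(rejected_by_owner).items()):
        to = f"abuse@{source}"
        body = (f"Messages from {source} failed DMARC for the following "
                f"p=reject domains: {', '.join(sorted(owners))}")
        notices[to] = body
    return notices


def record_bounces(notices, bounced):
    """The post suggests that notices which bounce (no abuse alias) could feed
    the receiver's own reputation scoring.  `bounced` is a constructed set of
    addresses that came back undeliverable; result is a per-domain flag."""
    return {addr.split("@", 1)[1]: (addr in bounced) for addr in notices}


if __name__ == "__main__":
    print("per-pair notices:", naive_message_count(REJECTED_BY_OWNER))
    notices = batched_notices(REJECTED_BY_OWNER)
    print("deduplicated notices:", len(notices))
    for to, body in notices.items():
        print(f"{to}: {body}")
    # Constructed: pretend two of the relays have no abuse mailbox at all.
    flags = record_bounces(notices, {"abuse@open-relay-5.com",
                                     "abuse@open-relay-7.com"})
    print("no abuse alias:", sorted(d for d, b in flags.items() if b))
```

One design point a receiver implementing this would need to settle: the "source domain" keyed on here must come from something the receiver actually verified (the connecting MTA's authenticated identity, not the RFC5322 From or other spoofable headers), otherwise the notices themselves become backscatter sent to whatever domain the spammer chose to forge.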