Scammers set up domains with instructions to ignore email security failures on their emails via a DMARC record and Google et al. deliver their obvious dangerous spam to you. I thought, “how stupid” to create a security system so easily disabled.
But, I realize it was NEVER designed to protect YOU from spam. It has ONE purpose. Protect corporations from being spoofed. Period. They set their DMARC to reject or quarantine emails from their domains that fail security. It works perfectly for this and ONLY this. They are protected. You, not so much, but you are not their concern.
It could have been easily expanded to kill spam by not allowing the checks to be ignored, but why should they? They are protected. Common attitude today by too many people.
Am I wrong?
#CyberSecurity #EmailSecurity
@jerry@my-place.social Nope. Not wrong. Exactly that. But imagine the millions ( billions? ) in profits that would be missed if security was engineered rather than a paid add on.
@cR0w@infosec.exchange @jerry@my-place.social
mostly yes but also no? My only disagreement is in the nuance of the motivations.
DMARC and SPF are definitely technologies that exist to protect the sending domain first, and the receiving domain second, but both sides of the email transfer have to have the enforcement turned on because DMARC and SPF are bolted on security extensions to a federated protocol that never envisioned such protections, and there are a lot of legitimate orgs that never put in the work to properly set up their DMARCrecords. There are some orgs (mainly government in my experience, but a dickhead with a chainsaw may have recently fucked that up) that actually do require the sending domain to have a valid DMARC record, but that is rare. IMO the reason that mass-market email platforms didn’t require DMARC for sending domains at its introduction was for compatibility with the remarkable plethora of legitimate orgs that didn’t have the resources to set it up. So I don’t think it was done that way in the first place for intentionally malicious reasons, but the email world definitely could agree to require DMARC for senders, let poorly managed domains deal with the fallout, and massively reduce spam problems. But it would come at an initial cost of mail delivery failure.
The current huge conflict of interest is definitely that the email world is dominated by big services that do big business by selling anti spam solutions, but it’s not because DMARC was designed to only protect the senders. It can be configured to protect receivers TODAY, if those receivers are willing to deal with mail delivery failures. They are currently taking advantage of the situation to sell fancy security product, and there’s no impetus for them to kill their golden goose.@tehfishman@ioc.exchange @jerry@my-place.social You make a good point and I appreciate you taking the time to provide more nuance than I was willing to. I agree that the the protections we currently have in place such as SPF, DMARC, and DKIM can be used to protect recipients if they’re willing to accept some business risk such as losing inbound emails. I’ve been implementing them myself on personal domains as well as at $dayjob now that the big platforms are threatening to do the same. It has definitely helped.
@cR0w@infosec.exchange @tehfishman@ioc.exchange @jerry@my-place.social
Yup, we developed DMARC primarily to address domain abuse, and after a couple years of debate in the early days, had to call addressing general spam out of scope (because we wouldn’t have gotten anything done had we included that as a feature target of the spec).
As it was, it took us about 7 years to go from concept to issuance of RFC7489 (lots of history, if you’re interested - it’s quite the tale). Yeah… not easy… and that was only an Informational Draft (not a standard).
In fact, the IETF DMARC Working Group just the other day submitted an updated DMARC-bis version as an official Standards Track specification. Yay!! Sooo… that means it took since 2007 when we first started talking about it until 2025 to get it standardized. Sheesh… 18 years of work. Wild.
Now… if you’re hip to join our next venture (or just see how it unfolds - should be fun)… give DKIM2 a look. We started working on it about two years ago, and just recently re-opened the IETF DKIM Working Group to add new features, protections, and close gaps (e.g. defending against replay and more effective support of intermediaries).
Join the conversation!
https://datatracker.ietf.org/wg/dkim/about/
#dmarc #dkim #email #security #ietf #standards
@jtrentadams@infosec.exchange @tehfishman@ioc.exchange @jerry@my-place.social I thought we were cool until you invited me to join an IETF conversation. 😉
