[ih] Various tests
Dave Crocker
dhc at dcrocker.net
Sun Feb 11 08:36:30 PST 2024
On 2/11/2024 8:10 AM, Matt Mathis via Internet-history wrote:
> I'm under the impression that this is the problem that ARC is supposed to
> solve.
It is. It is also complex and has had very limited uptake.
> The email intermediary, namely the list itself, can use ARC to
> certify that it confirmed the signatures on the earlier hops in the
> delivery path.
Besides the underlying complexity of the mechanism itself, it requires a
new, and different, type of reputation analysis: Should statements of
the ARC signer be believed? And then it requires modifying the
filtering engine to use this indirect vetting.
> It's been widely published that Google and Yahoo! started requiring DMARC
> reports as of February 1st and that they would start statistically not
> deliver mail from domains not using DMARC. (Yahoo provides mail service
> for at least 5 large ISPs)
That's not quite what they said they require: they limited the
requirement to bulk senders.
> It's amusing that they didn't require any specific DMARC actions, only that
DMARC effectively provides 3 functions:
1. Validation of the From: email address domain name. So, it is an
added authentication semantic, claiming a degree of validation of
the author's address.
2. A requested handling of non-validating messages
3. A reporting mechanism, for receivers to tell senders what they got,
purporting to be from the sender's domain
The new operational requirement enforces function #1 on bulk senders.
That's a pretty significant step, even without the other 2 functions.
> you turn on the reports; but once you have the reports, bugs and
> configuration problems become glaringly obvious;
When DMARC was being developed, my own reaction was that the reporting
function would likely be the biggest benefit. I haven't tracked this in
detail, but I gather it's had some mixed results, though it probably
does have the benefit you cite, during initial stages of using DMARC.
> and once you fix them
> spammers forging email from your domain become glaringly obvious; and then
> when you change the disposition to quarantine (request that downstream MTAs
> treat signature violations as spam); the spammers go away.
No they don't. They merely stop playing the game of spoofing the From:
field. And that game has never been always played when sending spam.
First, note that users these days typically don't see the From: field
email address and even when they see it it does not alter their
susceptibility to spammy content.
Second, DMARC is useful because failures correlate with spam, not
because spam has to spoof From: field addresses.
Finally, note that the From: field rewriting done by mailing lists
demonstrates how easy it is to route around DMARC.
> Unless the email wizards missed something it appears that as DMARC rolls
> out we will have strong end-to-end cryptographic signatures of the ISP
> which authenticated the human originating every message.
It doesn't actually authenticate the author. It authenticates the
author's domain. In a shared environment -- statistically, that is all
the email addresses in the world -- the semantic difference is significant.
d/
--
Dave Crocker
Brandenburg InternetWorking
bbiw.net
mast:@dcrocker at mastodon.social
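The three points made in the message above (DMARC validates the From: domain rather than the author, the policy only requests a disposition for non-aligned mail, and From: rewriting by a mailing list routes around the check) can be seen in a small DMARC alignment evaluator. The code below is an added illustration, not part of the Internet-history thread or any library; every domain, policy record and message header in it is a constructed sample, the `_dmarc` lookup is simulated with a dictionary, and the organizational-domain reduction is a deliberate simplification (real receivers consult the Public Suffix List).

```python
"""Added example (not from the Internet-history thread): a minimal DMARC
evaluator. Given the RFC5322.From header and the domains that passed DKIM
and SPF, it returns the DMARC result and the disposition the domain owner
requested. All domains, records and headers are constructed sample values."""

import re
from dataclasses import dataclass, field


@dataclass
class DmarcPolicy:
    p: str = "none"       # requested handling of non-aligned mail (function #2)
    adkim: str = "r"      # DKIM alignment mode: r = relaxed, s = strict
    aspf: str = "r"       # SPF alignment mode
    rua: list = field(default_factory=list)  # aggregate-report URIs (function #3)


def parse_dmarc_record(txt: str) -> DmarcPolicy:
    """Parse the tag=value pairs of a _dmarc TXT record (RFC 7489 syntax)."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            k, v = part.split("=", 1)
            tags[k.strip().lower()] = v.strip()
    if tags.get("v") != "DMARC1":
        raise ValueError("not a DMARC1 record")
    return DmarcPolicy(
        p=tags.get("p", "none"),
        adkim=tags.get("adkim", "r"),
        aspf=tags.get("aspf", "r"),
        rua=[u.strip() for u in tags.get("rua", "").split(",") if u.strip()],
    )


def org_domain(domain: str) -> str:
    """Toy organizational-domain reduction (last two labels). Real DMARC
    implementations use the Public Suffix List; this is a simplification."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def aligned(from_dom: str, auth_dom: str, mode: str) -> bool:
    """Alignment compares *domains* only: the local part (the author) plays no role."""
    if not auth_dom:
        return False
    if mode == "s":
        return from_dom.lower() == auth_dom.lower()
    return org_domain(from_dom) == org_domain(auth_dom)


_FROM_DOMAIN_RE = re.compile(r"@([A-Za-z0-9.-]+)>?\s*$")


def from_domain(from_header: str) -> str:
    """Extract the domain of the RFC5322.From address, the thing DMARC checks."""
    m = _FROM_DOMAIN_RE.search(from_header.strip())
    if not m:
        raise ValueError("no address domain in From: header")
    return m.group(1).lower()


# Constructed stand-in for the DNS _dmarc lookup a receiver would perform.
RECORDS = {
    "example.com": "v=DMARC1; p=quarantine; adkim=r; aspf=r; "
                   "rua=mailto:dmarc-reports@example.com",
    "lists.example.net": "v=DMARC1; p=none; rua=mailto:dmarc@lists.example.net",
}


def evaluate(from_header: str, dkim_pass_domain: str, spf_pass_domain: str,
             records: dict = RECORDS) -> tuple:
    """Return (dmarc_result, requested_disposition) for one message."""
    fd = from_domain(from_header)
    txt = records.get(fd) or records.get(org_domain(fd))
    if txt is None:
        return "none", "none"  # no policy published: nothing is requested
    policy = parse_dmarc_record(txt)
    if aligned(fd, dkim_pass_domain, policy.adkim) or \
       aligned(fd, spf_pass_domain, policy.aspf):
        return "pass", "none"
    return "fail", policy.p


if __name__ == "__main__":
    # Domain, not author: any local part signed by example.com passes.
    print(evaluate("alice@example.com", "example.com", ""))
    print(evaluate("mallory@example.com", "example.com", ""))
    # Unaligned signature against a p=quarantine domain: fail, quarantine requested.
    print(evaluate("Alice <alice@example.com>", "other.test", ""))
    # List rewrote From: to its own domain and signed it: DMARC passes again.
    print(evaluate("Alice via List <list@lists.example.net>", "lists.example.net", ""))
```

The second and fourth cases are the ones the message stresses: `mallory@example.com` passes exactly like `alice@example.com` because only the domain is compared, and the rewritten list message passes because the check is now made against the list's own domain and policy.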