this post was submitted on 12 Apr 2025
3 points (80.0% liked)

Cybersecurity

30 readers
1 users here now

An umbrella community for all things cybersecurity / infosec. News, research, questions, are all welcome!

Rules

Community Rules

founded 2 years ago
MODERATORS
shellsharks@fedia.io
tweedge@fedia.io
3
Scammers set up domains with instructions to ignore email security failures on their emails via a DMARC record and Google et al. deliver their obvious dangerous spam to you. I thought, "how stupid" to (my-place.social)
submitted 4 months ago by jerry@my-place.social to c/cybersecurity@fedia.io
5 comments fedilink hide all child comments
 

Scammers set up domains with instructions to ignore email security failures on their emails via a DMARC record and Google et al. deliver their obvious dangerous spam to you. I thought, "how stupid" to create a security system so easily disabled.

But, I realize it was NEVER designed to protect YOU from spam. It has ONE purpose. Protect corporations from being spoofed. Period. They set their DMARC to reject or quarantine emails from their domains that fail security. It works perfectly for this and ONLY this. They are protected. You, not so much, but you are not their concern.

It could have been easily expanded to kill spam by not allowing the checks to be ignored, but why should they? They are protected. Common attitude today by too many people.

Am I wrong?
#CyberSecurity #EmailSecurity

you are viewing a single comment's thread
view the rest of the comments
[–] cR0w@infosec.exchange 2 points 4 months ago (1 children)

@tehfishman@ioc.exchange @jerry@my-place.social You make a good point and I appreciate you taking the time to provide more nuance than I was willing to. I agree that the the protections we currently have in place such as SPF, DMARC, and DKIM can be used to protect recipients if they're willing to accept some business risk such as losing inbound emails. I've been implementing them myself on personal domains as well as at $dayjob now that the big platforms are threatening to do the same. It has definitely helped.

[–] jtrentadams@infosec.exchange 1 points 4 months ago (1 children)

@cR0w@infosec.exchange @tehfishman@ioc.exchange @jerry@my-place.social

Yup, we developed DMARC primarily to address domain abuse, and after a couple years of debate in the early days, had to call addressing general spam out of scope (because we wouldn't have gotten anything done had we included that as a feature target of the spec).

As it was, it took us about 7 years to go from concept to issuance of RFC7489 (lots of history, if you're interested - it's quite the tale). Yeah... not easy... and that was only an Informational Draft (not a standard).

In fact, the IETF DMARC Working Group just the other day submitted an updated DMARC-bis version as an official Standards Track specification. Yay!! Sooo... that means it took since 2007 when we first started talking about it until 2025 to get it standardized. Sheesh... 18 years of work. Wild.

Now... if you're hip to join our next venture (or just see how it unfolds - should be fun)... give DKIM2 a look. We started working on it about two years ago, and just recently re-opened the IETF DKIM Working Group to add new features, protections, and close gaps (e.g. defending against replay and more effective support of intermediaries).

Join the conversation!

https://datatracker.ietf.org/wg/dkim/about/

#dmarc #dkim #email #security #ietf #standards

[–] cR0w@infosec.exchange 1 points 4 months ago

@jtrentadams@infosec.exchange @tehfishman@ioc.exchange @jerry@my-place.social I thought we were cool until you invited me to join an IETF conversation. 😉