Re: not really to do with Re: WG Review: Domain-based Message Authentication, Reporting & Conformance (dmarc)

On Jul 15, 2014, at 5:20 PM, Viktor Dukhovni <ietf-dane@xxxxxxxxxxxx> wrote:

> On Tue, Jul 15, 2014 at 01:44:56PM -0700, Dave Crocker wrote:
> 
>> Incurring the considerable expense, in people and opportunity cost, by
>> pursuing a global standards effort that proves ineffective is a
>> particularly pernicious path, especially with respect to a
>> security-related topic like phishing.
> 
> Is there quantitative evidence that preventing spoofing of the
> "From" address reduces the efficacy of phishing?  My guess is that
> any such effect is rather marginal, and that phishers succeed or
> fail based on the content of the pitch, rather than "metadata".

Dear Viktor,

One of the major proponents for DMARC, in a closed industry meeting, made an impressive presentation showing their costs related to phishing. The major component was customer attrition following each extensive phishing campaign. DMARC started out as private agreements with large providers. It was felt that publishing these requests in DNS would provide better coverage, and it has.

This was never about reducing losses due to fraud; it was about a pragmatic effort to protect their customer base. People want to be able to trust the From header field, and would walk away from email-related services when they couldn't. The PRA algorithm promoted by Sender-ID never effectively mitigated phishing. With DMARC, simply sorting messages based on trusted From header fields offered customers a tolerable solution.

DMARC is a good solution for domains only sending transactional messages, by combining both SPF and DKIM into a scheme that offers reliable delivery while also ensuring rejection of invalid sources. This scheme falls apart when applied against domains handling normal email. Even so, some domains have seen their user accounts repeatedly compromised and were hoping to leverage DMARC's benefit of being relied upon to reject invalid sources.

Unfortunately, such an effort must rely on feedback offered to DMARC domains; otherwise its rejections become too disruptive to be relied on. Only the DMARC domain is able to share this information with recipients. In some cases, this involves third-party back-office services that offer source alignment with the Sender header field. Even in this case, it is still the From header field the recipient will recognize and wish to trust.

The TPA-Label scheme is able to convey informally federated domains as determined by feedback given to the DMARC domain. TPA-Label is also able to indicate alignment requirements for Sender and List-ID to give recipients trustworthy sorting options.

Regards,
Douglas Otis
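The point above about DMARC working for transactional senders but "falling apart" for domains handling normal email comes down to identifier alignment. The following is an added example, not code from this thread or from any DMARC implementation: a simplified evaluator that parses a DMARC record, checks whether the SPF-authenticated MAIL FROM domain or a verified DKIM d= domain aligns with the RFC5322.From domain, and derives the disposition. The domain names are constructed placeholders, the organizational-domain lookup is a two-label approximation rather than a Public Suffix List query, and tags such as pct, sp and fo are not modeled; those are assumptions of the example, not statements about DMARC itself.

```python
# Added example: simplified DMARC evaluation (not from the thread or any real
# implementation). Shows how SPF and DKIM results are combined through
# alignment with the From domain, and why mailing-list relay fails under p=reject.
from typing import Dict, List, Optional


def parse_dmarc_record(txt: str) -> Dict[str, str]:
    """Parse a DMARC TXT record ("v=DMARC1; p=reject; adkim=s") into tags.

    Alignment modes default to relaxed ("r") when absent, as DMARC specifies.
    """
    tags: Dict[str, str] = {}
    for part in txt.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            raise ValueError(f"malformed DMARC tag: {part!r}")
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    if tags.get("v", "").upper() != "DMARC1" or "p" not in tags:
        raise ValueError("not a usable DMARC record: needs v=DMARC1 and p=")
    tags.setdefault("adkim", "r")
    tags.setdefault("aspf", "r")
    return tags


def organizational_domain(domain: str) -> str:
    """ASSUMPTION: a real implementation consults the Public Suffix List.

    Here the organizational domain is approximated by the last two labels,
    which is wrong for suffixes such as co.uk but adequate for this example.
    """
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else labels[0]


def is_aligned(from_domain: str, auth_domain: Optional[str], mode: str) -> bool:
    """Identifier alignment: strict ("s") needs an exact match, relaxed ("r")
    only needs the same organizational domain. No authenticated domain: no alignment."""
    if not auth_domain:
        return False
    f = from_domain.lower().rstrip(".")
    a = auth_domain.lower().rstrip(".")
    if mode == "s":
        return f == a
    return organizational_domain(f) == organizational_domain(a)


def evaluate_dmarc(record_txt: str, from_domain: str,
                   spf_pass_domain: Optional[str],
                   dkim_pass_domains: List[str]) -> Dict[str, object]:
    """Combine SPF and DKIM results the way DMARC does.

    spf_pass_domain: the MAIL FROM domain if SPF passed, else None.
    dkim_pass_domains: d= domains of DKIM signatures that verified.
    DMARC passes when at least one authenticated identifier aligns; otherwise
    the disposition is the published policy (none, quarantine or reject).
    """
    tags = parse_dmarc_record(record_txt)
    spf_aligned = is_aligned(from_domain, spf_pass_domain, tags["aspf"])
    dkim_aligned = any(is_aligned(from_domain, d, tags["adkim"])
                       for d in dkim_pass_domains)
    passed = spf_aligned or dkim_aligned
    return {
        "spf_aligned": spf_aligned,
        "dkim_aligned": dkim_aligned,
        "result": "pass" if passed else "fail",
        "disposition": "none" if passed else tags["p"],
    }


# Constructed scenarios; bank.example and list.example.org are placeholders.
BANK_POLICY = "v=DMARC1; p=reject; adkim=r; aspf=r"

# 1. Transactional mail sent directly by the domain owner: both identifiers align.
DIRECT = evaluate_dmarc(BANK_POLICY, "bank.example",
                        spf_pass_domain="mail.bank.example",
                        dkim_pass_domains=["bank.example"])

# 2. The same From domain relayed through a mailing list: SPF passes only for the
#    list's own MAIL FROM domain, and the list's subject tag broke the original
#    DKIM signature, so nothing aligns and the reject policy applies.
VIA_LIST = evaluate_dmarc(BANK_POLICY, "bank.example",
                          spf_pass_domain="list.example.org",
                          dkim_pass_domains=["list.example.org"])

if __name__ == "__main__":
    print("direct:", DIRECT)
    print("via mailing list:", VIA_LIST)
```

The second scenario is the failure mode the message describes: the receiver's verdict is driven entirely by alignment with the From domain, so a legitimate user of a p=reject domain posting to a list is indistinguishable, at this layer, from a spoofed source.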
