> On 25/10/2015 02:33, Rich Kulawiec wrote:
> > On Fri, Oct 23, 2015 at 08:36:31PM +0200, Martin Rex wrote:
> >> I do not see any increased potential for phishing
> >> Rather the opposite -- DMARC could be abused to give users a false
> >> sense of security and fall to the flawed assumption that it would
> >> authenticate the EMail author (which it doesn't).
>
> Just for fun, I looked at a small sample of spam: the most recent 24
> messages that gmail itself tagged as junk.
>
> No false positives.
> 4 tagged as DMARC pass.
> 5 tagged as DMARC fail (gmail does not currently obey p=discard)
> 15 with no DMARC status.
>
> Which suggests that DMARC status is pretty much orthogonal to spam detection,
> on this small sample.

There's a certain domain associated with one of the largest ISP/MSPs, where
it's apparently very easy to create a bogus account and spam the world. So
lots of people do just that. Everything from that domain is signed with DKIM
and the domain has DMARC records.

I don't know anyone legitimate who uses that domain, but I do occasionally get
legitimate mail from that domain via a mailing list, which invariably breaks
the DKIM signature and hence fails DMARC checks. So in this specific case
DMARC is a 100% reliable indicator of spam: that is, if the signature
validates it's spam; if it doesn't, it's not. It's been this way for years.

But more generally, over years of testing millions of messages, I see DMARC
failure correlates positively with a message being spam. Enough that I use it
that way in my spam scoring.

You can find examples of practically any behavior you want if the sample size
is small enough.

Ned
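An added example, not code from anyone in this thread: a small Python script that reads the DMARC result out of a message's Authentication-Results header, tallies statuses over a sample the way the quoted 24-message count was done, and turns the status into a spam-score contribution along the lines Ned describes (a general "fail is spammy" weight plus a per-domain rule where a validating signature is itself the spam indicator). The sample messages, the freemail.example domain and the weights are constructed assumptions.

```python
import email
import re
from collections import Counter

# Constructed sample messages (not from the thread). The Authentication-Results
# headers follow the RFC 8601 layout a receiving MTA such as Gmail adds.
SAMPLES = [
    "Authentication-Results: mx.example.net;\n"
    " dkim=pass header.d=freemail.example;\n"
    " dmarc=pass (p=REJECT sp=REJECT) header.from=freemail.example\n"
    "From: throwaway@freemail.example\nSubject: cheap meds\n\nhi\n",
    "Authentication-Results: mx.example.net;\n"
    " dkim=fail (body hash did not verify) header.d=freemail.example;\n"
    " dmarc=fail (p=REJECT) header.from=freemail.example\n"
    "From: colleague@freemail.example\nSubject: [patches] re: review\n\nhi\n",
    "Authentication-Results: mx.example.net; spf=pass smtp.mailfrom=shop.example\n"
    "From: news@shop.example\nSubject: order shipped\n\nhi\n",
]

DMARC_RE = re.compile(r"\bdmarc=(pass|fail|none|temperror|permerror)\b", re.I)
FROM_RE = re.compile(r"\bheader\.from=([A-Za-z0-9.-]+)", re.I)

def dmarc_result(raw):
    """Return (status, header.from domain) from the first Authentication-Results
    header carrying a dmarc= clause; ('none', None) when no DMARC result exists."""
    msg = email.message_from_string(raw)
    for value in msg.get_all("Authentication-Results", []):
        value = " ".join(value.split())          # unfold continuation lines
        m = DMARC_RE.search(value)
        if m:
            d = FROM_RE.search(value)
            return m.group(1).lower(), (d.group(1).lower() if d else None)
    return "none", None

def tally(messages):
    """Count DMARC statuses over a sample (pass / fail / none / errors)."""
    return Counter(dmarc_result(m)[0] for m in messages)

# Illustrative weights (an assumption, not the values used by anyone in the
# thread): a DMARC failure raises the spam score, a pass leaves it unchanged.
WEIGHTS = {"pass": 0.0, "fail": 1.5, "none": 0.3, "temperror": 0.0, "permerror": 0.5}
# Constructed stand-in for the freemail domain described above, where a valid
# signature means a throwaway account and a broken one means a mailing-list relay.
PASS_MEANS_SPAM = {"freemail.example"}

def dmarc_score(raw):
    """Spam-score contribution from the DMARC status alone (higher = more spammy)."""
    status, domain = dmarc_result(raw)
    if domain in PASS_MEANS_SPAM:
        return 2.0 if status == "pass" else -1.0
    return WEIGHTS[status]
```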