Could We Eliminate Spam With DMARC?

An anonymous reader writes: "The spam problem would not only be significantly reduced, it'd probably almost go away," argues Paul Edmunds, the head of technology from the cybercrimes division of the U.K.'s National Crime Agency -- suggesting that more businesses should be using DMARC, an email validation system that uses both the Sender Policy Framework (SPF) and DomainKeys Identified Mail (DKIM). "Edmunds argued, if DMARC was rolled out everywhere in order to verify if messages come from legitimate domains, it would be a major blow to spam distributors and take a big step towards protecting organizations from this type of crime..." reports ZDNet. "However, according to a recent survey by the Global Cyber Alliance, DMARC isn't widely used and only 15% of cybersecurity vendors themselves are using DMARC to prevent email spoofing.
Earlier this month America's FTC also reported that 86% of major online businesses used SPF to help ISPs authenticate their emails -- but fewer than 10% have implemented DMARC.

Clueless idiot

[mrsam]

Thank you Mr. Edmunds, "the head of technology from the cybercrimes division of the U.K.'s National Crime Agency" for informing the citizens of the U.K. that their "head of technology from the cybercrimes of the U.K.'s National Crime Agency" is technically incompetent, and is utterly clueless on the subject matter he's blathering about.

There's nothing about SPF, Dmarc, or DKIM, that magically identifies the attached email as spam or not. There is no such tag in the email that identifies it as such. All that those technologies do is establish, in varying degrees of certainty, that the purported sender of the email is who it claims to be. Which, obviously, has nothing to do with spam.

As Benny Hill would've said: BIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIG deal...

More than half of the crap in my spam folder has DKIM headers. I have SPF validation turned on. More than three quarters of the spam in my folder passes SPF checks. That pretty much there makes Mr. Edmunds look like a bloody moron. The only fact that they establish is its proven sender's domain name.

SO FUCKING WHAT? Did someone drop this moron in his head, as a child, or what? Is it too much for that knucklehead to comprehend that anyone can register a new domain, establish valid DKIM and SPF keys, to authenticate the domain, that start spewing spam, non-stop, from it? And every last drop of that spam will pass every SPF, DKIM, and alphabet soup that he throws at it. It is true that some portion of the spam from hijacked and hacked zombies will fail SPF/DKIM validation. But this will fail, by far, to be the complete solution for spam, unlike what that knucklehead claims. Is this really so complicated to understand?

Re:Nonsense

[QuietLagoon]

I have both DMARC and SPF installed and configured correctly... I still get spam! ...

DMARC and SPF are for senders, not recipients. You can set up DMARC and SPF all you want for your domains, but if the senders who send you mail do not set it up for *their* domains, and you do not reject emails that DMARC flags for you, then you're going to continue getting spam.

.
And that's the point of TFA. More email senders have to set up DMARC, et al. When enough have set up DMARC, then it will be possible for your server to reject most spam.

All the spammer has to do is also set up SPF and DMARC.

With the authenticated sender (via DMARC and SPF) you would know it is a spammer. That's the point

Re:Your post advocates a...

[MightyMartian]

Thank you. It's good to see the ol' "your anti-spam technique is a fail" form. Christ, I bet you can go back 11 or 12 years and see this exact same story on Slashdot.

It boils down to this. If you want your MTA to function as a general open email transport system, you cannot kill messages based upon whether they pass or fail solutions like DMARC. There's some logic to weighting failures of SPF checks and the like to make it more likely that a failed message will be rejected, but to actual use SPF and its kin as a sort of yes/no logic gate would lead to an unbelievable number of false positives, and I question the legitimacy of anyone claiming to be some sort of cybersecurity expert who claims such solutions are the be-all and end-all.

Re:gray listing works

[MightyMartian]

I've found greylisting to certainly cut down a lot. It's effectiveness as decreased over time as spammers switch to using proper mail servers instead of PHP or COM SMTP classes, but it still nails the bulk of spam.

DMARC works but is by providers for providers.

DMARC was created by PayPal in conjunction with Google, Microsoft and Yahoo! as a way to stop spam and, more importantly, phishing emails from _their_ domains. If you have DMARC setup properly on your MX you mostly likely have zero spam in your user's mailboxes from any domains owned by those companies and to that end, DMARC is 100% successful.

But the entire process is setup to validate the sender's domain, not the trustworthiness of that domain. As many have pointed out, as long as I setup the proper SPF and DKIM records for iamsp.am, DMARC is going to happily accept it. My servers implement DMARC but I still had to specifically blacklist care.com because they were spamming us from properly validated servers (we had canceled our subscription and had all communications options turned off and they were still regularly sending us emails with no opt-out link claiming they were for "admin" purposes).

The one nice feature that DMARC does bring is that you have the option to get notifications from other MX's that use DMARC detailing what traffic they've received claiming to be from your domain and how that traffic scored. It assists in debugging setup problems and identifying servers trying to spoof your domain. We recently caught one server in Germany trying to send a lot of email as one of our domains (Google, Microsoft, and Yahoo all sent DMARC reports listing it). We contacted their ISP and it stopped a couple of days later. Being proactive about that helps keep your domain(s) off shared blacklists but it's a manual/proactive process and it's not going to catch everything.