Authentication is about Identity, not Virtue

I just got some mail claiming to be from “Bank of America <secure@bofasecure.com>”.
It passes SPF:

Received-SPF: Pass (sender SPF authorized) identity=mailfrom; client-ip=185.235.176.160; helo=bofasecure.com;

It passes DKIM:

Authentication-Results: mx.wordtothewise.com (amavisd-new); dkim=pass (1024-bit key) header.d=bofasecure.com

The visible RFC 822 From address is strictly aligned with both the SPF domain and the DKIM domain. So if they’d published a DMARC record it would have passed DMARC.
The message branding is good, and looks like Bank of America (unsurprisingly, as it’s loading assets from bac-assets.com, which is Bank of America). The only visible giveaway is that it includes an attached Word file, one which will presumably try and install malware on my machine if I load it with Word.
The perfectly passing authentication tells me it’s from bofasecure.com. There’s nothing that tells me that bofasecure.com isn’t Bank of America, and isn’t someone I should trust.

Related Posts

Should you publish DMARC?

secure_email_blogI’ve been hearing a lot lately about DMARC. Being at M3AAWG has increased that. Last night we were at dinner and heard from the next table “And they’re not even publishing DMARC!!!!”
I know DMARC is the future. I know folks are going to have to start publishing DMARC records. I also know that the protocol is the future. I am also not sure that most companies are ready for DMARC.
So lets take a step back and talk about DMARC, what it is and why I’m still a little hesitant to jump on the PUBLISH DMARC NOW!! bandwagon.

Read More

Ask Laura: Can you help me understand no auth / no entry?

AskLaura_Heading3
Dear Laura,
I’m a little confused by the term “no auth / no entry”. Gmail and other major receivers seem to be moving towards requiring authentication before they’ll even consider delivery.
Does this just mean SPF and DKIM, or does this mean the much more stringent DMARC, as well?
Thanks,
No Shirt, No Shoes, No What Now?

Read More

Ask Laura: Do I have to publish DMARC?

AskLaura_Heading3
 

Read More