Re: [dmarc-ietf] not ADSP, was is DMARC informational?

Jim Fenton <fenton@bluepopcorn.net> Mon, 07 December 2020 23:43 UTC

Return-Path: <fenton@bluepopcorn.net>
X-Original-To: dmarc@ietfa.amsl.com
Delivered-To: dmarc@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 79ECC3A0CB8 for <dmarc@ietfa.amsl.com>; Mon, 7 Dec 2020 15:43:45 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.099
X-Spam-Level:
X-Spam-Status: No, score=-2.099 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=bluepopcorn.net
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id AuT2EbcCKb5z for <dmarc@ietfa.amsl.com>; Mon, 7 Dec 2020 15:43:44 -0800 (PST)
Received: from v2.bluepopcorn.net (v2.bluepopcorn.net [IPv6:2607:f2f8:a994::2]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 0A6923A0CB5 for <dmarc@ietf.org>; Mon, 7 Dec 2020 15:43:43 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=bluepopcorn.net; s=supersize; h=Content-Transfer-Encoding:Content-Type: MIME-Version:References:In-Reply-To:Message-ID:Date:Subject:Cc:To:From:Sender :Reply-To:Content-ID:Content-Description:Resent-Date:Resent-From: Resent-Sender:Resent-To:Resent-Cc:Resent-Message-ID:List-Id:List-Help: List-Unsubscribe:List-Subscribe:List-Post:List-Owner:List-Archive; bh=hYYDEUtMmhb11zuSiymMm6wm93UxSVD4RcmCseGWr+w=; b=HyrgcBAZyJ8iG2/UKX4ISMTCYL pDwMb6AdU9tfrm3KYruUuf/0eAwspPX1JHHrrCRjFBGYK/hhC26x8HCK6G9Ppqs9lCsglEkVFvA9+ XwpuajHL+LND1R4hBak39PoNoCTbE1nWStQkGsHPqwo8FfQrxmCff+5/TNWbMuz2wYfY=;
Received: from [2601:647:4400:1261:9511:8ebf:831d:3a40] (helo=[10.10.20.144]) by v2.bluepopcorn.net with esmtpsa (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.92) (envelope-from <fenton@bluepopcorn.net>) id 1kmQAP-0005vV-Hr; Mon, 07 Dec 2020 15:43:41 -0800
From: "Jim Fenton" <fenton@bluepopcorn.net>
To: "John Levine" <johnl@taugh.com>
Cc: dmarc@ietf.org, superuser@gmail.com
Date: Mon, 07 Dec 2020 15:43:40 -0800
X-Mailer: MailMate (1.13.2r5673)
Message-ID: <5EFCDAFF-26EF-4FC1-B7E2-E44CA66872BB@bluepopcorn.net>
In-Reply-To: <20201207051846.CBEEE291CC3F@ary.qy>
References: <20201207051846.CBEEE291CC3F@ary.qy>
MIME-Version: 1.0
Content-Type: text/plain; charset="UTF-8"; format=flowed
Content-Transfer-Encoding: 8bit
Archived-At: <https://mailarchive.ietf.org/arch/msg/dmarc/-7xeNrxJQ6JQoAibGAq_MmeIp2Q>
Subject: Re: [dmarc-ietf] not ADSP, was is DMARC informational?
X-BeenThere: dmarc@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "Domain-based Message Authentication, Reporting, and Compliance \(DMARC\)" <dmarc.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dmarc>, <mailto:dmarc-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dmarc/>
List-Post: <mailto:dmarc@ietf.org>
List-Help: <mailto:dmarc-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dmarc>, <mailto:dmarc-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 07 Dec 2020 23:43:46 -0000


On 6 Dec 2020, at 21:18, John Levine wrote:

> In article 
> <CAL0qLwb3pLVFkOiuKeY38Kk9wEiesbyZCiBy72Ls5yRwN6EpdQ@mail.gmail.com> 
> you write:
>
>> As I recall, people took a run at trying ADSP and it was largely
>> unsuccessful.  I recall at least Yahoo, PayPal, and Google trying it 
>> but
>> finding that it interfered with their employees' participation in 
>> lists, so
>> they each invented new domains for their employees to use as separate 
>> from
>> their operational public services.  This basically led to its demise.

IIRC, Yahoo! And Google had separate domains for their employees well 
before ADSP. Which makes sense, because you want to differentiate your 
employees from your customers. Although I’m not sure that matters 
here.

> Among ADSP's shortcomings was that there was no way to test it other
> than to turn it on and see how much damage it caused.  The answer was
> frequently a lot, so they turned it back off and that was that.
>
> DMARC certainly has its problems but the reporting is great. It makes
> the surprises when you turn DMARC on a lot less, at least if your name
> is not AOL or Yahoo.

Agree, the reporting is great. But so much of the marketing/mandates I 
see around DMARC doesn’t tell domain owners to turn on reporting first 
to see what’s broken, it tells them to publish a DMARC p=reject policy 
because they have a security vulnerability if they don’t. If the 
guidance around DMARC was to publish a p=reject policy only “if it’s 
safe to do so” (meaning mostly for transactional domains), I’d be a 
lot happier with it.

-Jim