IETF Logo Mail Archive

Re: [dmarc-ietf] There is no pony, Overall last-call comments on DMARC

"John R. Levine" <johnl@iecc.com> Thu, 04 April 2024 21:10 UTC

Return-Path: <johnl@iecc.com>
X-Original-To: dmarc@ietfa.amsl.com
Delivered-To: dmarc@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 6E124C180B79 for <dmarc@ietfa.amsl.com>; Thu, 4 Apr 2024 14:10:21 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.097
X-Spam-Level:
X-Spam-Status: No, score=-2.097 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=iecc.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Ev64aNB0HNc5 for <dmarc@ietfa.amsl.com>; Thu, 4 Apr 2024 14:10:17 -0700 (PDT)
Received: from gal.iecc.com (gal.iecc.com [IPv6:2001:470:1f07:1126:0:43:6f73:7461]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 1B62FC15154A for <dmarc@ietf.org>; Thu, 4 Apr 2024 14:10:16 -0700 (PDT)
Received: (qmail 45315 invoked from network); 4 Apr 2024 21:10:14 -0000
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed; d=iecc.com; h=date:message-id:from:to:cc:subject:in-reply-to:references:mime-version:content-type:content-transfer-encoding; s=b0fc660f1736.k2404; bh=cwLHIvPCpkTpEh7xkjU+8pm742CKnwcN+pGvDa8ntzs=; b=wd82KwkMcAqFHclWqqBKNn0pFtRLlNoPeV/yjsB2vlGdkJnySXrM0Qhl8E1bJFMZN2fxjuiYgVA7Q1W1KAdJldt7x/AB5M6SLPufre0W2YMYuV29N7vXzlRgsCkXRHpl9T9lnyLG5YUBPyLzVcrEGtq3KqF++HOgg+7mW180Udt0Bnc2Py9JjTUKgnZyNSDBwdaY6sih49ZdioK3CiF8AKyMti9NFh33pzfcRwUe4ZrhlFu9QDc28LNVSPMWue2lfvIhrxDhSbZzA7C0ylUq//9Em7ByWq2N+C1NmVVC2TiOcSMVp9tgDxJhiEcqpdYvGQAoE8rQI2n70lMhJ6pWGw==
Received: from ary.qy ([IPv6:2001:470:1f07:1126::78:696d:6170]) by imap.iecc.com ([IPv6:2001:470:1f07:1126::78:696d:6170]) with ESMTPS (TLS1.3 ECDHE-RSA CHACHA20-POLY1305 AEAD) via TCP6; 04 Apr 2024 21:10:14 -0000
Received: by ary.qy (Postfix, from userid 501) id 1F3B486E4F7B; Thu, 4 Apr 2024 17:10:13 -0400 (EDT)
Received: from localhost (localhost [127.0.0.1]) by ary.qy (Postfix) with ESMTP id DFC9086E4F5D; Thu, 4 Apr 2024 17:10:13 -0400 (EDT)
Date: Thu, 04 Apr 2024 17:10:13 -0400
Message-ID: <4dc1f24e-762b-5915-ea1f-5693660b6aca@iecc.com>
From: "John R. Levine" <johnl@iecc.com>
To: Jim Fenton <fenton@bluepopcorn.net>
Cc: IETF DMARC WG <dmarc@ietf.org>
X-X-Sender: johnl@ary.qy
In-Reply-To: <FCABED32-40FB-4BD7-AC53-718D10685F71@bluepopcorn.net>
References: <CFEA2796-9213-4847-836B-81E8770973F5@bluepopcorn.net> <49859572-18a4-483b-bb99-62c1c231896e@tana.it> <CAL0qLwZc6idmMra11pVx2bbtk2Em9-vy6+962M7jDWOMnP+UHQ@mail.gmail.com> <1ee6df39-a622-4060-83db-bcc9a7a835d4@tana.it> <CAL0qLwYX_D7S_-Vn9RwwRzwyNO=8=3UVqbP8rz3SCWG4dvGZig@mail.gmail.com> <f5f55a39-127d-4a84-a66b-950379ecb013@tana.it> <CAL0qLwZzfnDA=7bwCu26S1SJPEE3hBq929674hH6naKXWuyh5g@mail.gmail.com> <ebf343ed-ee60-47b0-a02f-8518a8369bb0@tana.it> <CAL0qLwagtzjYYJmyyGpMeMTtKLtYyk_JjagkXGtscvN61kSDbw@mail.gmail.com> <CAH48ZfyKE6n2Q_GfW8oZv9y=MxOBV8sRPPMPV8akHdu6W_jn1A@mail.gmail.com> <CAL0qLwbt7A-9dUGphs5KLUhygYEd+4aY4Jr10efKpHZXAqMfmA@mail.gmail.com> <CAJ4XoYc5HYHE0EGhFw9jef3JXPQ5HKdUoZf8RD+YqzepHsWFmA@mail.gmail.com> <CAL0qLwbUzscPbk1mGj-c9fPYtMu+0VmMOm1KR4sGOrY6xapCCA@mail.gmail.com> <80DC41F0-7AF9-4C08-9374-37626FCA2BB3@bluepopcorn.net> <4690f524-73a4-a549-12c5-a0744ccf2c94@iecc.com> <FCABED32-40FB-4BD7-AC53-718D10685F71@bluepopcorn.net>
MIME-Version: 1.0
Content-Type: text/plain; format="flowed"; charset="utf-8"
Content-Transfer-Encoding: 8bit
Archived-At: <https://mailarchive.ietf.org/arch/msg/dmarc/2ZnlgdsKx7Yj_xSXi9znBoymteM>
Subject: Re: [dmarc-ietf] There is no pony, Overall last-call comments on DMARC
X-BeenThere: dmarc@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: "Domain-based Message Authentication, Reporting, and Compliance \(DMARC\)" <dmarc.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dmarc>, <mailto:dmarc-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dmarc/>
List-Post: <mailto:dmarc@ietf.org>
List-Help: <mailto:dmarc-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dmarc>, <mailto:dmarc-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 04 Apr 2024 21:10:21 -0000

>> No might about it -- ARC is only useful with domain reputation. Of course, DKIM is only useful with domain reputation, as were Domainkeys and IIM, so I don't see why it's a problem now.
>
> Much of the objective of DomainKeys/IIM/DKIM was to provide a reliable 
> domain identifier that could be used by a reputation system. They 
> avoided saying that they were doing anything about spam and phishing. 
> OTOH, DMARC is explicitly saying that it’s there to do something about 
> phishing.

It was totally obvious at the time what DKIM was intended for, so I don't 
think that's likely to be persuasive.  In practice, ARC isn't that bad. 
IF you're a really big mail system you can collect your own repuations, if 
you're not so big your users probably subscribe to few enough legit ARC 
signers that you can manually whitelist them.  On my system I think 
there's about five.  It's not like the general spam problem where you have 
a zillion new identifiers every day most of which are spam but a few are 
not.

>> Our choices are to say here's what DMARC does, it has these problems, here's how to use it for the situations where it works, here's how to sort of mitigate the ones where it doesn't.  Or we can stamp our feet and say DMARC is BAD and we will not endorse it and NOBODY should use it, and the rest of the mail world will say isn't that cute, the IETF is having a tantrum.
>
> Or we can say that it’s not ready for standards track yet. The only time I can think of in this space that we have stamped our feet and said something is BAD was with ADSP. But I am troubled by the mandatory requirements imposed by organizations citing an informational RFC, RFC 7489. It makes it seem like standards track doesn’t mean as much as it should.

Well, ADSP actually was bad, and DMARC has reinvented much of what was bad 
about it, but unlike ADSP, it's used by every significant mail system in 
the world so we're stuck with it.  I have heard somewhere that successful 
standards document actual practice even if the practice is not ideal.

It's up to us, we can say nope, not a standard, and people will use it as 
a standard, or we can say it's not great but here's the standard, and they 
will use it as a standard.  I know which one I'd do.

R's,
John

v2.23.0 | Report a Bug | By Email