Re: [dmarc-ietf] making mail not work for your users, was the endless mailing list silliness

"Jones, Steven M" <steven.m.jones@bankofamerica.com> Thu, 18 April 2013 19:14 UTC


On Wednesday, April 17, 2013 1:56 PM, J. Gomez wrote:
> 
> On Wednesday, April 17, 2013 12:39 PM [GMT+1=CET], John Levine wrote:
> 
> > Perhaps we could try and think more clearly about providing service to
> > actual mail users and less about hypothetical spoofing attacks on
> > people who are not plausible spoof targets.
> 
> It's pretty clear by now that DMARC is not about protecting actual email users, but
> about protecting big brands from email spoofing their brand.

I must disagree. While we want to prevent our brands/domains from being used to exploit consumers, we also want to help prevent our customers from being exploited in general. If that weren't the case we would have been happy using proprietary services rather than promoting an open standard.

We share our customers with many thousands of other organizations. Whether a customer is phished through abuse of our brand, or Facebook, or the local tax assessor doesn't really matter if it leads to their BofA accounts being drained and their PII stolen. While the larger brands have been a primary focus because they are most often successfully exploited and have an incentive to make disruptive changes, I have always felt that it was equally important that DMARC be available to protect any domain that needs it, of whatever size or scope.

Yes there are some direct expenses when BofA makes good on fraud losses, and because of our scale it's not a small number. But it pales in comparison to the loss of customer confidence and reputational damage, not to mention the outright loss of customers, plus the loss of the Internet as a way to interact with our customers. I don't have survey data handy, but I'm pretty sure 4 out of 5 consumers don't miss having to go into physical bank locations between 10AM and 3PM, Tuesday through Thursday except random obscure holidays, every time they wanted to do something...

DMARC is not a panacea, so it does not solve certain issues with mailing lists, any more than it solves display names or cousin domains. But it does provide a solution to a very real set of problems, and it can evolve in future.

--Steve.

Steven M Jones
Messaging Strategy
STI End User Computing
Bank of America; Concord, California

