Return-Path: <fenton@bluepopcorn.net>
X-Original-To: dmarc@ietfa.amsl.com
Delivered-To: dmarc@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1])
 by ietfa.amsl.com (Postfix) with ESMTP id 19DCD3A08C0
 for <dmarc@ietfa.amsl.com>; Wed, 22 Jul 2020 15:55:15 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.099
X-Spam-Level: 
X-Spam-Status: No, score=-2.099 tagged_above=-999 required=5
 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1,
 DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, SPF_HELO_NONE=0.001,
 SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key)
 header.d=bluepopcorn.net
Received: from mail.ietf.org ([4.31.198.44])
 by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024)
 with ESMTP id j7wP1vnhz7OZ for <dmarc@ietfa.amsl.com>;
 Wed, 22 Jul 2020 15:55:13 -0700 (PDT)
Received: from v2.bluepopcorn.net (v2.bluepopcorn.net [IPv6:2607:f2f8:a994::2])
 (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
 (No client certificate requested)
 by ietfa.amsl.com (Postfix) with ESMTPS id E21023A08BA
 for <dmarc@ietf.org>; Wed, 22 Jul 2020 15:55:13 -0700 (PDT)
Received: from steel.local ([IPv6:2601:647:4400:9fb0:d804:19c4:ed42:ddf5])
 (authenticated bits=0)
 by v2.bluepopcorn.net (8.15.2/8.15.2/Debian-14~deb10u1) with ESMTPSA id
 06MMtC2w026380
 (version=TLSv1.3 cipher=TLS_AES_128_GCM_SHA256 bits=128 verify=NO)
 for <dmarc@ietf.org>; Wed, 22 Jul 2020 15:55:13 -0700
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=bluepopcorn.net;
 s=supersize; t=1595458513;
 bh=fCUy9AUtuk9WOW8Di+pAUeOIcSoo3CITzUSlltvH4NU=;
 h=Subject:To:References:From:Date:In-Reply-To:From;
 b=UEhHI58dcZ/hDs1Gv3wAZkM6x9LZSsi5RealbLtqhZVyYAAOJLz2Mo4OxiaMwYAEe
 gkieut28TIYeqMlc3/E3AVVxpvt/TO+PmIVoth/ujzWL5dEkGGIz5xQ29SG5pvK8Y9
 ANGw0w8YSz57gWoz0G7H3fyHOyZdOufjt7LAe4Dc=
To: dmarc@ietf.org
References: <bf5b68c74a3c487ca8a07a0a27061e47@com>
 <87zh7ur069.fsf@orion.amorsen.dk>
 <3829fac4748a48d0b752403450843bd5@bayviewphysicians.com>
 <c9353a06-ab31-c397-449e-7d36afbf655d@wisc.edu>
 <c2ad22cd-8b35-733f-bc4c-839e2c4b3e98@dcrocker.net>
 <5F172EF5.7000508@isdg.net>
 <CAMSGcLAKowXYir-ueOaWxuPcESmCAQEW5OqeZmu0kq2Cpvxqtg@mail.gmail.com>
From: Jim Fenton <fenton@bluepopcorn.net>
Autocrypt: addr=fenton@bluepopcorn.net; prefer-encrypt=mutual; keydata=
 mQINBFJNz0MBEADME6UoNSsTvSDJOdzL4yWfH4HTTOOZZPUcM/at38j4joeBb2PdatlwCBtk
 9ZjupxFK+Qh5NZC19Oa6CHo0vlqw7V1hx1MUhmSPbzKRcNFhJu0KcQdniI8qmsqoG50IELXN
 BPI5OEZ3chYHpoXXi2+VCkjXJyeoqRNwNdv6QPGg6O1FMbB+AcIZj3x5U18LnJnXv1i+1vBq
 CxbMP43VmryPf8BLufcEciXpMEHydHbrEBZb/r7SBkUhdQXjxRNcWOLeYvOVUOOrr1c+jvqm
 DEbTWUJVRnUro/WpZQBffFnymR0jjkdAa8eOVl/nF2oMLbaBsOMvxCRSSEcGhuqwbEappNVT
 1nuBTbkJT/GGcXxc+lEx9uNj86oYC4384VZJMTd1BRI4qPXImNZCIdmpKegK743B6xxN6Qh1
 Tg167pn9429JENQE/AFIVX5B/gpsg7Aq+3rmz9H6GbfovPvFV3TBTgsHCHAMC8XU+S4fhcqN
 PN0lbUeyb7g6wxaE+dYqC7TExx7G3prw4v66y0qS7ow/Cfw8XXOEkaFQ4XwP7nvfILT+9CcU
 yS8I40vlDFU9Wnt56CbGz0ZVQgHnwyPXL+S9kCcIwRLFx1M79s6T6qwX1TXadfpbi1uIw7XG
 TiPDT8Pk6i2y22oSSROyYD4D+wOhVkkvO0S8iZ3+LhAYUx86nwARAQABtCNKaW0gRmVudG9u
 IDxmZW50b25AYmx1ZXBvcGNvcm4ubmV0PokCVQQTAQIAPwIbAwYLCQgHAwIGFQgCCQoLBBYC
 AwECHgECF4AWIQS1nUkJe2fEXbvBaacbJaiwFdCfvgUCXVD9ggUJDORhvgAKCRAbJaiwFdCf
 vgiSEACd3Nem63zL2C6daCFfRzOANkf30Q8AvaRVwhfdFxs+5vETCzbqctrtIAHeqncXjm9G
 uEJWxecAiHZXKoWUEFECMp3+Saznw0np+c722M4k9xI+mxqbcE0qgpYQgA8zbS/Lbds3f/bk
 /00jrQg4VMkumONlh+RZVwxAsnWp8efrJsNTn0QOPZavAkPEN59wfyWQ3O4pNY8i3zum8Wge
 8NS4BBMyG0fmjWgUq0K2QrTD4AKBslM2IWCLECypP1AOfHKmmTACKFOnzJJ4KspUw3hdBnS1
 fvudUC8u26Q3T6rHosRqxGmgW7sQWwAusgMSa/A6zxR6soEBSsMT5Tf+VHebuz1FWE4ogrvJ
 InvewfYSCYzOQamYYGArcBtAzU00pUzW2Or7SlwZPHHy2EfMd0zvT7mwSYLwwwcCsWc1O/CI
 xHGea7PBgO3TdR0Ex254yc+NTyxF3isBC/fodF9aNWF6x6SV3VKYJ3U2uqS9ga85dZz8Qeps
 MwlSEGRVhVVWGbSxy0GxV5Up0yX4vl0kI0c7Tt57JCOoRBpn/lTK/7IEtZK6/uiw98KCy+BM
 uF7HPsgXjd/AQjSsZIJgDyVY/y7niduqhW2izNEdhV77htVbKHRf2SfJQNudWOIcOhUTlddH
 kOSjet+MDso61JxrFV4j/8wFno7NwpPIhD//HvKAiLkCDQRSTc9DARAAwZaXYs3OzGlpqvSH
 3HR9GjSzIeP0EmsBCjpfIdZbQBwQ3ZREiMGInNxV+xkdjLDg0ctrWzUCUe3plWe5NJkpjqm+
 KMc7GKhyeWJ5MZRtVrh0VpFTqi8UwYPWumAYqE1y/U1me/zHpfG9EDwdSYqMkPF76Fy5W+vh
 ZP2ILKaY8qWSLyH8TPl5mFGBypfT8Q6UuzlRs2aTbsTtBX/qwH7gztMRJSjQtYo20AqCgBBH
 IA/0xV5qDH7CVYyKyPQ4tJLQ8/xyTysUS5fewrj8lZo/G9SaNtC3CEvrJYwyA0nvYB6+hJPM
 qMP/tyRXM/9XY3qO4Vxuc+m5fYbTZa5GYAZNNuB5dvqI1U0sFTWBEbpAeabqCQ40ZnFSj+t1
 tBuwfj4ey/oJ78WRyg5+VTvPKRRubOmZcnzj5yfTS3VGxAZb4Nsj1S2f3KLP0Z+Cv4dt893I
 2JWTChw7jA1omF0QTQaBq140n084PFndBHudrZ3cz+APC89iie2HQ4jGQldXZXnGySHnHlA+
 WUyZ9wgOplW9F4Q/Lps1bnuh5VttPVpNfjX8hiV48al+b+ut4nfzXAripIRWF3TL72/6JqgE
 KNhRKyRn0S6BidieSyHWzqJR3Roi/YNTvyXyLh6i6jtByb3FbnhYf/9olobDpj0E+kTemLrw
 owre85gwupSphqlzVSUAEQEAAYkCPAQYAQIAJgIbDBYhBLWdSQl7Z8Rdu8FppxslqLAV0J++
 BQJdUP9SBQkM5GOPAAoJEBslqLAV0J++vZoP/1shJ+5iImGzvGUTTDJcAX6Wha+22QP0G51Z
 QGZbeB0gE+gDmRwd2yw0cO3y1sPoTJliUSuZ3DFIjv8CLBgDlrkUnijBWbi5YznsAZkH0vKG
 ESGzinJC6y/Nzf2TZokKiOaYrTYcZx8x2wxjNO+zsihm/rvhV/YnHEYd9dlV/MjAL3xtHU/9
 fNcTDtF3RchADyVCxlqrRUkFj61dHxU+U5JRftyIliLltsy2Nlr4uAsxNX+tpAH2D2HLmjwx
 bV2fpTnFCVImtuo6ZqNZ8SMk1Xq0fBBdo3acBw42kL/qGIKS9x3NWEy8vsmQXn0QqNBd1Q62
 9ghm82mHMTRKnOXqkMgICpZ0HffPf3p7zMkEqWptgEHxE6ZHm9hJMGEf8RED9DCYh+N1uFaM
 7ndQPPFKlj80sGmNF9+01mO53hrxeL/WAdGox/STpTb2BDpiyrLdT/2R0vJNEfMxBBYlw1gc
 g8mPEwHwZ940/qql7e41TkDGUZa2a1WegKLj8hK1pgDDBptcdIvlvuk284jOZ2/jDyaBDsMf
 310OoJchJ3977odtSCArybQIwMjTx0rv6dqjsuqP89jqlrGV6izqf1n4p4FNrBSWOSRGaoWD
 JJVHL4YUhP44G5xDBCtp3TqatLa5F2Rgxj50EFIzOuu9Pg1tBCPP1G+0EiikVTdDkC63X4RG
Message-ID: <4c514db5-3f52-0e26-10dc-b7ed849da8d9@bluepopcorn.net>
Date: Wed, 22 Jul 2020 15:55:06 -0700
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:68.0)
 Gecko/20100101 Thunderbird/68.10.0
MIME-Version: 1.0
In-Reply-To: <CAMSGcLAKowXYir-ueOaWxuPcESmCAQEW5OqeZmu0kq2Cpvxqtg@mail.gmail.com>
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: quoted-printable
Content-Language: en-US
Archived-At: <https://mailarchive.ietf.org/arch/msg/dmarc/GNN4iO5FxpaxhlAEoZ8iI0arE4U>
Subject: [dmarc-ietf] DMARC marketing
X-BeenThere: dmarc@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "Domain-based Message Authentication, Reporting,
 and Compliance \(DMARC\)" <dmarc.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dmarc>,
 <mailto:dmarc-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dmarc/>
List-Post: <mailto:dmarc@ietf.org>
List-Help: <mailto:dmarc-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dmarc>,
 <mailto:dmarc-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 22 Jul 2020 22:55:15 -0000

This:

On 7/21/20 12:29 PM, Joseph Brennan wrote:
>
> My understanding of DMARC's purpose was to protect transactional
> messages from sources like banks, credit card issuers, online shopping
> venues, and the like. It supposed that those messages should pass only
> directly from the source to the end point, and that that was so
> important to security that transport through any intermediary should
> be rejected as possible forgery. For example my bank statements come
> from a different domain than mail from a person at the bank.

and:

On 7/21/20 1:17 AM, Laura Atkins wrote:
> But I would argue that much of the marketing and justification around
> DMARC has been around end users and improving their trust in brands
> and protecting them from phishing.=C2=A0
> [...]
>
> That is not how I=E2=80=99ve seen DMARC being sold. Most of the marketi=
ng I=E2=80=99ve
> seen about DMARC is all about user experience and the user being able
> to trust mail is =E2=80=9Cfrom who it claims to be from.=E2=80=9D And n=
ow people are
> explicitly layering on another protocol that is all about what the
> user sees in the MUA.

and also:

On 7/20/20 5:31 AM, Dotzero wrote:
> You have left out one significant way of convincing receiver domains
> and their admins. We used to have our CSRs (customer service) tell
> people who received spoof emails (resulting in phishing, malware
> compromise, etc.) from emails claiming to be from our domains that
> they should contact their mail provider or email admin because the
> problem could have been avoided if DMARC were being checked. We would
> even provide them with the details and a form with all the information
> in non-technical terms. It is amazing how quickly a provider pays
> attention when their customers/users are complaining to them that the
> provider could have prevented the heartache and grief but chose not
> to. Again, this was for domains sending transactional mail with only a
> limited number (intentionally) of role and support accounts.

These get to the heart of the problem: DMARC policy was designed for
official mail that is about business transactions. If that was the way
it is actually used, we wouldn't be having this problem. But it was
oversold, and it is being used in use cases (like on domains that have
mailing list users) that were not intended. I'm not convinced that this
is a problem that has a satisfactory technical solution.

-Jim