Re: [dmarc-ietf] PSD flag vs Version bump

[Richard Clayton <richard@highwayman.com>]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

In message <20230610210457.B4C22E924922@ary.qy>, John Levine
<johnl@taugh.com> writes

>We have two of the largest mail operators in the world saying that if
>they can't tell which org domain scheme domain expects, they won't
>implement the tree walk. We have to do something or we are wasting our
>time.

Clarity is everything ... reducing system complexity matters as well.

Removing the need to consult a (reasonably) current version of the PSL
matters a great deal, because even when operating at the scale that you
can have engineers (and further systems) monitoring for when this does
not happen is complexity that one would wish to dispose of.

ie the new tree walk is an improvement and not just because of the new
features it provides.

Domain owners can learn when the new treewalk is being used by
consulting aggregate reports...  domains that wish to use the features
the new treewalk provides may, in the fullness of time, start reaching
out to the recalcitrant.

For example, if you are gov.uk and running a special DNS system to make
the old approach provide some safety, you may want to turn that system
off, but you can only do that once mailbox provides have changed over.

Meantime the mailbox providers want to know if they are behind the curve
in using the new tree walk... tracking the DMARC records they fetch (or
looking at surveys by people who fetch and count them) will tell them if
domain owners know that things have changed.

Personally (and I am not writing on behalf of $DAYJOB$) I think that
signal "I know things have changed and am setting things up accordingly"
is most clearly sent by bumping the version number, rather than relying
on other more subtle syntax changes.

viz: the version number bump is a clear signal that domain owners know
what is going on (and is really easy to explain to them).

That signal tells mailbox providers which tree walk (and any other
changes) to use and when it is clear that we're into the long tail of
domain owners who have not heard the messaging then is the time to say
"well the new tree walk makes no difference" and delete the old code,
stop fetching the PSL and decommission the monitoring... the final step
is to ignore version 1 records completely (and signal that in aggregate
reports)...

I foresee almost no enthusiasm for running two systems in parallel in
perpetuity. Running the simpler __system__ is clearly better all round
but I do think that the fact that there are changes should be signalled
very clearly rather than deduced ... it will make the messaging to the
masses rather than the cognoscenti so much simpler.

- -- 
richard                                                   Richard Clayton

Those who would give up essential Liberty, to purchase a little temporary 
Safety, deserve neither Liberty nor Safety. Benjamin Franklin 11 Nov 1755

-----BEGIN PGP SIGNATURE-----
Version: PGPsdk version 1.7.1

iQA/AwUBZIT54d2nQQHFxEViEQJweACg4lDlD2TSRG8FoV/cmRtGRnKwVvYAnRpi
S+YOpSRfkBjQATjp3bmb0WXM
=1EKf
-----END PGP SIGNATURE-----