IETF Logo Mail Archive

Re: [dmarc-ietf] Proposing an extension to DMARC to optionally require SPF and DKIM

Elizabeth Zwicky <zwicky@yahoo-inc.com> Tue, 02 April 2013 18:12 UTC

Return-Path: <zwicky@yahoo-inc.com>
X-Original-To: dmarc@ietfa.amsl.com
Delivered-To: dmarc@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D8D0D21F8D14 for <dmarc@ietfa.amsl.com>; Tue, 2 Apr 2013 11:12:47 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -18.598
X-Spam-Level:
X-Spam-Status: No, score=-18.598 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, NO_RDNS_DOTCOM_HELO=0.001, RCVD_IN_DNSWL_LOW=-1, USER_IN_DEF_WHITELIST=-15]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id wpkjQIRbjyNg for <dmarc@ietfa.amsl.com>; Tue, 2 Apr 2013 11:12:47 -0700 (PDT)
Received: from mrout1.yahoo.com (mrout1.yahoo.com [216.145.54.171]) by ietfa.amsl.com (Postfix) with ESMTP id 64CEA21F8D09 for <dmarc@ietf.org>; Tue, 2 Apr 2013 11:12:47 -0700 (PDT)
Received: from SP1-EX07CAS02.ds.corp.yahoo.com (sp1-ex07cas02.ds.corp.yahoo.com [216.252.116.138]) by mrout1.yahoo.com (8.14.4/8.14.4/y.out) with ESMTP id r32ICQKp005778 (version=TLSv1/SSLv3 cipher=RC4-MD5 bits=128 verify=FAIL); Tue, 2 Apr 2013 11:12:27 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=yahoo-inc.com; s=cobra; t=1364926347; bh=TX071Wl7S89bygm+RTtRcYf5dMmN1nVhclycvZnwgvU=; h=From:To:CC:Date:Subject:Message-ID:References:In-Reply-To: Content-Type:Content-Transfer-Encoding:MIME-Version; b=isbAoTllWGczUbvJWeCXDERM6fGE6F/NdxZveij3JGOiZRRK2ZO4719mNd/wpeGlD avOms6qHaDz/whmw5fYaD9LNQkIS4/+Pqs7xbp13hNZ91Qr+2BGHv7BCpEXLRfK77Y 1AmfX6VX4vp1aFtV4Kg21I97599Ssi3J8B6wM6y4=
Received: from SP1-EX07VS01.ds.corp.yahoo.com ([216.252.116.136]) by SP1-EX07CAS02.ds.corp.yahoo.com ([216.252.116.167]) with mapi; Tue, 2 Apr 2013 11:12:26 -0700
From: Elizabeth Zwicky <zwicky@yahoo-inc.com>
To: "J. Gomez" <jgomez@seryrich.com>
Date: Tue, 02 Apr 2013 11:12:25 -0700
Thread-Topic: [dmarc-ietf] Proposing an extension to DMARC to optionally require SPF and DKIM
Thread-Index: Ac4vzaDKZM/EssXmQ/6SYxGo3m/47A==
Message-ID: <172A8DBA-4A64-42E7-87FD-BE185DC2977F@yahoo-inc.com>
References: <77426B543150464AA3F30DF1A91365DE52EA0E87@ESV4-MBX01.linkedin.biz> <A8438ED880C643F1A05F78C36B0E16B3@fgsr.local>
In-Reply-To: <A8438ED880C643F1A05F78C36B0E16B3@fgsr.local>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
acceptlanguage: en-US
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
X-Milter-Version: master.31+4-gbc07cd5+
X-CLX-ID: 926347003
Cc: "dmarc@ietf.org" <dmarc@ietf.org>
Subject: Re: [dmarc-ietf] Proposing an extension to DMARC to optionally require SPF and DKIM
X-BeenThere: dmarc@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: "Domain-based Message Authentication, Reporting, and Compliance \(DMARC\)" <dmarc.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dmarc>, <mailto:dmarc-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/dmarc>
List-Post: <mailto:dmarc@ietf.org>
List-Help: <mailto:dmarc-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dmarc>, <mailto:dmarc-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 02 Apr 2013 18:12:48 -0000

On Apr 1, 2013, at 5:53 PM, J. Gomez wrote:

> 
> Ok, DMARC has been devised by brand-companies (Facebook, Linkedin, Big-Bank-X) and mailbox-providers (Hotmail, Yahoo, Gmail), I see that and I understand their needs to reliably exchange email policies. But there is more people in the email ecosystem, like for example cloud-services providers, who also happen to do email.

I note that Yahoo!, Google, and Microsoft are all, in fact, cloud-service providers in some form.  You can make the argument that Hotmail is not, it's only other parts of Microsoft, but Gmail and Yahoo! Mail both are. 

There are edge cases where a both option might be helpful -- I've talked to an Amazon customer who said that he had a case where his client required SPF to pass, which left him stuck configuring SPF so all of Amazon's cloud passed. This is a more compelling case than Terry's, since it can't be handled just by SPF configuration. It still could be handled by enforcement within Amazon.

The question is, "Which serves the community better, handling this within DMARC or forcing cloud providers to handle it internally?" and that's not a question where the answer is immediately clear. We know from private-channel experience that almost nobody uses this kind of option, and that people who try to often discover belatedly that they don't consistently get a double-pass everywhere they care about and back off. So there is some reason to believe that it is marginally useful and noticeably dangerous.

If it's really cheap to implement, or it's more useful than previously believed, because there's some large class of people who don't use private channel but have a phishing problem, then maybe it's worth giving people more chances to get things wrong. But accidentally blocking mail is the main failure mode of this kind of standard, so that's pretty intimidating. And not getting widespread, interoperable implementation is another big failure mode, and anything that complicates implementation also risks that. 

So there's a pretty high barrier to surmount in adding this kind of option. 

	Elizabeth

v2.23.0 | Report a Bug | By Email