Re: [dmarc-ietf] Call for Adoption: DMARC Use of the RFC5322.Sender Header Field

["Douglas E. Foster" <fosterd@bayviewphysicians.com>]

Based on the discussions here, it appears that the notion of From address validation was envisioned from the beginning Sender Authentication discussions.    We have written evidence that Form address validation was anticipated in the DKIM and ATPS RFCs prior to DMARC.    So we have more than a decade of warnings that From address validation was coming.   While not everybody has time to read every RFC, the Mailing List trade press must have should have been reporting on it as something to watch.

Even after DMARC was in use, it appears that nobody in the mailing list community felt inconvenienced until the AOL/Yahoo hack and their decision to implement DMARC with p=reject.   This was the moment of Unhappy Surprise.    Bad guys had obtained many valid email addresses, so one of the concerns was how to prevent them from spoofing those users to send spam.   They could not use those address in the SMTP address because of SPF, but only DMARC could prevent those addresses from being misused in the Message From address.     It was the obvious thing to do and it would have been reckless for them to do otherwise.   Can you at least admit that the mailing list community was surprised because they failed to prepare for this contingency?   

But that moment is now in the rear view mirror.    Mailing lists can get delivery to all subscribers by confirming to the requirements of the DMARC-participating domains, by using their own domain in the From address, at least for those domains.    I assume that there are still mailing list operation that are not unable to comply with DMARC-participant expectations, because they have failed to upgrade.   But an individual organization’s failure to adapt is not a problem worthy of a standards body.   I liked XP just fine and hated Vista, like Windows7 OK but hated Windows 8.   But Microsoft killed support for XP and Windows 7 and my organization is adapting.    Life is unfair.  COVID-19 is unfair and has caused a lot of problems.   Every organization has problems, and we all have jobs so that we can help solve them.    The time to cry in your beer is over.  Mailing lists have a interoperability solution, and they should use it whether they like it or not, because that is what is necessary to get their mail delivered according to the requirements of the recipient organization.    As a result, mailing list operators really have no standing in this discussion, although they can certainly speak as unhappy individual users and on behalf of their unhappy users.  

Consequently, the real problem before us becomes the existence of users who are unhappy because the From address on some mail does not meet their preferences.    I have to ask why that is a problem worthy of a standards body?     I have about 8 different scenarios in my head where a user might be have unmet expectations with the format of the From address, or might experience mailing list deliverability problems because of the email filtering policy of its domain relative to the addressing practices of his mailing list.   If our requirement is to make every user happy, shall we head down the path of all 8 problems, not just this one?

This project was supposed to discuss moving DMARC from informational to standards track.   It has been hijacked by those who, to paraphrase Shakespeare, “have not come to praise DMARC, but to bury it.”   This has been abetted by the chair’s assertion that we must square a circle – meet the MLs requirement for them to impersonate without authorization while continuing to advance the DMARC requirement to prohibit impersonation without authorization.

As part of that hijacking, we have been inundated by Mr. Crocker’s assertions that the message From Address does not matter.  All the years of theoretical analysis that preceded DMARC and all of the operational success from implementations of DMARC are just wrong, simply because he says so.   Worse yet, he asserts without justification that the message From address should be unimportant to everybody except mailing list subscribers, for the simple reason that the Message From is so very important to his Mailing List subscribers.   It is comparable to asserting that the earth is flat, for everyone except astronauts.    This is sheer nonsense.

More importantly, this discussion has failed to address the actual objective, which is to solve the asserted Mailing List problem as it relates to AOL/Yahoo/Verizon.   That enterprise does not seem to be involved in this process, and no one has offered reason why they will be swayed by anything said here.    The strategy seems to be that if we tell these people how stupid they are, that they will do whatever we tell them they must do, even if the solution is to weaken security for everyone on the Internet.    That is not a winning strategy.

DMARC has been mandated by at least three national governments,, by a variety of businesses, and by this one consumer-oriented email hosting service.   It is here to stay, and any extensions to the specification will need to improve security, not weaken it for the benefit of a special interest group.

Instead, we should be anticipating that the U.S. government will begin mandating DMARC for its contractors, in phases based on contractor categories.    Simply requiring it for Department of Defense contractors would be sufficient to include most of the major research-oriented universities.   But every school that takes student loan payments is also considered a government contractor, which covers almost all of them.    Every branch of state and local government also feeds from the federal trough, and concerns about election meddling means that they are likely targets for voluntary or required implementation of DMARC.   Essentially every health care institution is also a government contractor, because they take payments from Medicare or Medicaid, usually both.

It is time to begin a discussion rooted in what is feasible, and what is appropriate for IETF to undertake.

 

----------------------------------------
From: "Murray S. Kucherawy" <superuser@gmail.com>
Sent: 8/15/20 5:02 AM
To: Alessandro Vesely <vesely@tana.it>
Cc: IETF DMARC WG <dmarc@ietf.org>, John Levine <johnl@taugh.com>, Dotzero <dotzero@gmail.com>
Subject: Re: [dmarc-ietf] Call for Adoption: DMARC Use of the RFC5322.Sender Header Field
Emphatically hatless:

On Sat, Aug 15, 2020 at 12:47 AM Alessandro Vesely <vesely@tana.it> wrote:
>> Lists have been around a lot longer than DMARC has.

That doesn't grant lists any extra right.  Others consider current
global usage as a priority gauge.

This line of thinking has bothered me for a long time.

Imagine you're a large soft drink manufacturer.  Your delicious, popular product is sold in grocery stores the world over, sometimes directly from your production line, sometimes via a local reseller.  Your sales team does one or the other depending on the use case.  Business has been good for a generation or two.  One day you decide you don't like resellers anymore because some of them mis-promote your product, so you somehow arrange that the cans in the stores that passed through resellers suddenly and randomly begin invalidating themselves by bursting, making a mess of the store and soaking customers.  Other products nearby are also ruined.  This reflects poorly on the resellers, some of whom are forced to stop doing business with you.  Stores get angry and are forced to reconsider doing business with you as well, but you're big and popular and so many of them have to deal with your mess on an ongoing basis.  Many customers take their business elsewhere; the stores suffer.

The argument here appears to be that is that this is justified, because the ecosystem of manufacturers, grocery stores, resellers, and customers that has existed for as long as you can remember has no right to operate that way if you suddenly decide you don't want it to; it's your brand, and your word about your brand is final irrespective of how you choose to enforce it.  You're suddenly, for reasons you feel are legitimate, asserting that the ecosystem was broken to begin with despite the fact that you've been a willing participant for decades, and therefore you are at liberty to disrupt it (though, admittedly, you may have been unaware of the blast radius of doing so).

Now, you may be right that the ecosystem was built on the incorrect premise that domain names don't need to be treated as sacrosanct.  (Let's ignore for the moment the stuff about hindsight.)  But that assertion clearly differs from the well-established foundation upon which a great deal rests today.  It is far from trivial to change that now.  It's possible to do, to be sure, but dropping it into the world overnight has a hugely disruptive impact.  Such a change needs to be an evolution, with the cooperation and collaboration of a preponderance of the participants, not a philosophical light switch you get to throw and expect everyone else to conform.

I don't want any more soda on me.

Why people's mailboxes must be spoofable?

I don't know about "must", but changing the fundamental assumption that it's acceptable in some cases for X to pretend to be Y (which is what MLMs do), at X's discretion, is a tectonic change that should have been rolled out with more community collaboration and grace than it was.  I think we need to be more considerate of that fact if there is to be progress.

Syllogism goes like so:  Mailing list must not accept strict DMARC
policies, humans may happen to use mailing lists, therefore email
domains which hosts mailboxes used by humans must not publish strict
DMARC policies.  Is that really what we seek?  I hope not.

It is our current reality, and in my humble opinion, we've nobody to blame but ourselves.

-MSK, participating.