Re: [dmarc-ietf] list history, Signaling MLMs

[Jesse Thompson <zjt@fastmail.com>]

On Sat, Apr 15, 2023, at 12:07 PM, John Levine wrote:
> It appears that Jesse Thompson  <zjt@fastmail.com> said:
> >Why not turn off rewriting on this list, as an experiment? The hypothesis is that everyone will switch to Gmail and not tilt
> >at IETF, but instead they will tilt at their domain owners.
> 
> That's how we got here. A lot of IETF participants use mail systems
> that enforce DMARC policy (notably including Gmail) and we were
> getting a lot of complaints about lost mail, and a lot of work with
> people getting bounced off lists who list managers had to resubscribe.
> Barry says that even with our mitigations, we still have the latter problem.
> 
> We went through a long list of possible workarounds including several
> kinds of rewrites and several kinds of message wrapping. They all
> stauk but the one we picked, per-address rewrites for domains with
> DMARC policies, stunk less. The option we picked requires more control
> over the MTA than typical mailman or sympa installations have, so most
> people's options are worse.
> 
> I still don't understand the point of this argument. We all agree that
> DMARC causes damage to interoperability, but some people appear to be
> saying we should ignore it or pretend it doesn't exist because DMARC
> has other advantages. The honest thing to do is to describe both. 
> 
> Nobody thinks we're going to get Yahoo to turn off p=reject (they said
> at the time they turned it on that they don't care about mailing
> lists) but I think there's some hope we can get large mail systems to
> be more aware of the damage and use ARC or whatever to mitigate it.

I'm assuming that the "long list of stinky possible workarounds" are the existing "whatever" mitigations, and rewriting seems to be acceptable enough as a mitigation to convince large [enterprise] mail systems to move forward with restrictive policies. I intentionally published "p=quarantine pct=0" specifically to find the MLMs that implemented no mitigations, weighed that against what I knew about which receivers enforced non-mitigated mail, and then made a judgement call to move forward.

I believe Wei suggested that we need to find a better "whatever" (in the form of an alternative to SPF and DKIM that works with mailing lists) so that every domain, even those with members of the general publiic, may gain the benefits of DMARC. If an acceptable mitigation/auth-mechanism is established, does that mean DMARC will be revised to remove the "MUST NOT p=reject if general purpose"? Or is that going to be permanent?

How about this?:
"MUST NOT publish p=reject|quarantine if the domain owner, after examining the report data, has no means to mitigate all identified legitimate mail flow that which has no authenticated identifier aligned to the RFC5322.from domain. Mitigations may include arranging with all affected intermediaries and email sending providers to establish an aligned authenticated identifier, require the intermediary/ESP to use a different domain when sending this mail flow, or devise an alternative authentication mechanism outside the scope of this specification but is otherwise agreed upon by all affected parties."

Jesse