Re: [dmarc-ietf] third party authorization, not, was non-mailing list

Laura Atkins <laura@wordtothewise.com> Tue, 25 August 2020 09:47 UTC

Archived-At: <https://mailarchive.ietf.org/arch/msg/dmarc/pTexgzkcfBPcwI06J-Lf8U5AD2Q>


> On 24 Aug 2020, at 23:34, Douglas E. Foster <fosterd=40bayviewphysicians.com@dmarc.ietf.org> wrote:
> 
> Something seems inconsistent:
> 
> - The people who have implemented DMARC do not see any significant problems, and as a result they are not interested in a third-party authorization scheme.
> 
> - Yet adoption is very slow, especially for anything other than p=none
> 
> Are we to assume that mailing list compatibility explains the slow adoption? If not, what other obstacles do we need to be considering?

I don’t believe mailing list compatibility is a primary reason for slow adoption, although I do think it’s a contributing factor. To my mind the biggest obstacle to adoption of restrictive policies is the expense of implementation and the lack of return for that investment. 

Implementing DMARC, particularly for larger companies who want to do it correctly, is expensive and resource intensive. It is a multi-month process to identify all the legitimate sources of mail, create alignment or move vendors and set up the correct reporting mechanism. You can, and I do recommend, outsource this to one of the vendors who does this well. Not every company outsources or has the resources to do this correctly internally. A client from last year was told they had less than a week to go from no DMARC to p=reject. Unfortunately, the IT directive came with nothing more than a “publish v=DMARC1; p=reject in your DNS.” Client lost days' worth of mail due to a lack of direct alignment even though they were using their own domains in SPF and DKIM. Checking now, client still isn’t collecting reports, but has backed down to p=quarantine.

A restrictive DMARC record requires a large, up-front commitment of resources. It also requires ongoing resources for monitoring and understanding the reports and the ability to be able to address any problems that show up in the reports. 

For a lot of companies, the benefit to publishing restrictive DMARC policy is minor. It stops bad guys from directly forging their domain, but doesn’t stop your brand being phished or your executives from being spear phished using cousin domains or taking advantage of the 5322.from comment. It also disrupts normal business processes as we’ve been discussing on the list here. To borrow an example from John Levine, a restrictive DMARC policy is preventing employees at a large company from participating in industry-specific mailing lists; participation which is part of their actual job.

I believe a lot of the very slow adoption is folks inside companies looking at the cost of implementing restrictive DMARC records and the benefits to implementing restrictive DMARC records and deciding there just isn’t enough benefit to justify the expense. BIMI is an attempt to bring more benefit to the table, but I’m not sure even that is enough to justify the overall expense to a lot of corporations. 

laura 

-- 
Having an Email Crisis?  We can help! 800 823-9674 

Laura Atkins
Word to the Wise
laura@wordtothewise.com
(650) 437-0741		

Email Delivery Blog: https://wordtothewise.com/blog
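
Added example, not part of the original message: a pre-flight audit of the failure described above, where mail passes SPF and DKIM on domains the sender owns yet is rejected because neither identifier aligns with the From domain. The stream names and domains are constructed, and taking the last two labels as the organizational domain is a simplifying assumption (real evaluators use the Public Suffix List).

```python
# Added example: pre-flight DMARC alignment audit. All domains are constructed.

def parse_dmarc(record):
    """Parse a DMARC TXT record into tags, with RFC 7489 alignment defaults."""
    tags = {"adkim": "r", "aspf": "r"}  # relaxed unless the record says otherwise
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1" or "p" not in tags:
        raise ValueError("not a usable DMARC record")
    for key in ("p", "adkim", "aspf"):
        tags[key] = tags[key].lower()
    return tags

def org_domain(domain):
    # ASSUMPTION: the last two labels stand in for the organizational domain.
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def aligned(auth_domain, from_domain, mode):
    """Strict mode needs an exact match; relaxed compares organizational domains."""
    if mode == "s":
        return auth_domain.lower() == from_domain.lower()
    return org_domain(auth_domain) == org_domain(from_domain)

def evaluate(stream, policy):
    """Return 'pass', or the disposition the published policy requests."""
    frm = stream["from"]
    spf_ok = stream["spf"] == "pass" and aligned(stream["mailfrom"], frm, policy["aspf"])
    dkim_ok = any(result == "pass" and aligned(d, frm, policy["adkim"])
                  for d, result in stream["dkim"])
    return "pass" if spf_ok or dkim_ok else policy["p"]

# Constructed mail streams: every one passes SPF and DKIM on its own terms.
STREAMS = [
    {"name": "corporate", "from": "brand.example", "mailfrom": "brand.example",
     "spf": "pass", "dkim": [("brand.example", "pass")]},
    {"name": "newsletter", "from": "brand.example", "mailfrom": "bounces.brand-mail.example",
     "spf": "pass", "dkim": [("brand-mail.example", "pass")]},  # owned, but not aligned
    {"name": "helpdesk", "from": "brand.example", "mailfrom": "vendor.example",
     "spf": "pass", "dkim": [("mail.brand.example", "pass")]},  # aligned only if relaxed
]

def audit(record, streams):
    policy = parse_dmarc(record)
    return {s["name"]: evaluate(s, policy) for s in streams}

if __name__ == "__main__":
    for name, result in audit("v=DMARC1; p=reject", STREAMS).items():
        print(f"{name:12} {result}")
```

Running the same audit against `p=none` first, with aggregate reports collected, surfaces the unaligned streams before any mail is lost.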