Re: DMARC from the perspective of the listadmin of a bunch of SMALL community lists

Hector Santos <hsantos@isdg.net> Sat, 12 April 2014 22:09 UTC

To: Miles Fidelman <mfidelman@meetinghouse.net>, ietf@ietf.org
Archived-At: http://mailarchive.ietf.org/arch/msg/ietf/1YxeLf30r449aj_0416PeinjkDg

Miles, Bravo to you for being brave!! +100 on everything you said!!

--
HLS

On 4/12/2014 3:56 PM, Miles Fidelman wrote:
> Folks,
>
> We (really I) support perhaps 2 dozen small email lists, for a bunch
> of community groups (PTOs, churches, neighborhood groups) - mostly the
> legacy of previously running a small hosting firm, and still having
> the machines sitting in a data center.  The kinds of groups with lots
> of non-technical users who have email accounts on Yahoo, hotmail, AOL,
> Comcast, and such.  The lists range in size from tiny (5 person boards
> of directors) to maybe 1000 (high school parents).
>
> Yahoo's implementation of its new DMARC policy has been an absolute
> disaster.  Kind of messes things up when a few days before tax filings
> are due, and in parallel with the Heartbleed mess, (not to mention the
> work that pays the bills), roughly 1/3 of the addresses on almost all
> of the lists start bouncing mail from yahoo addresses - particularly
> when yahoo's postmaster didn't have a clue what was going on (my
> initial thought was - oh heck, need to get back on their whitelist).
> Luckily gmail seems not to be honoring Yahoo's p=reject policy, at
> least so far, or things would be a LOT worse.
>
> Still trying to figure out a reasonable fix for this, as it looks like
> lots of other listmasters are trying to do - and doesn't help that I'm
> running a less common list package (sympa).
>
> Anyway - one of my reactions to this is that something is really
> broken about the process by which DMARC and Yahoo's policy have been
> foisted on the larger Internet community - and in particular IETF's
> role or lack thereof.  Specifically:
>
> - DMARC is an ad-hoc group that assembled with a "common goal was to
> develop an operational specification to be introduced to the IETF for
> standardization"
> (http://dmarc.org/about.html)
>
> - DMARC.org defines the "DMARC Base Specification" with a link to
> https://datatracker.ietf.org/doc/draft-kucherawy-dmarc-base/ - an IETF
> document
>
> - the referenced document is an informational Internet draft, that
> expires in October of this year, that starts with "This memo presents
> a proposal for a scalable mechanism by which a mail sending
> organization can express,.
>
> - It's also being presented as mature - through such publicity
> statements as "DMARC standard now protects almost two-thirds of the
> world's 3.3 billion consumer mailboxes worldwide"
> (http://dmarc.org/news/press_release_20140218.html)
>
> In essence, DMARC is being represented as a mature, standards-track
> IETF specification - with the implication that it's been widely
> vetted, and is marching through the traditional experimental ->
> optional -> recommended -> mandatory steps that IETF standards go
> through.
>
> In reality:
> - DMARC was developed by a tiny number of people, all of whom work for
> very large ISPs
> - as far as I can tell, all input from the broader community - notably
> mailing list developers and operators was roundly ignored or dismissed
> (the transcript is really clear on this)
> - while DMARC is at least partially tested, deploying and honoring
> "p=reject" messages is brand new, and has wreaked tremendous damage
> across the net
> - as far as I can tell, those who are behind DMARC are taking the
> position "it's not our problem" (see discussions on
> dmarc-discuss@dmarc.org and dmarc@ietf.org) - and there is nary a
> Yahoo representative to be seen anywhere
>
> From an operational perspective, this is akin to a large player
> publishing a corrupt nameserver database or routing update - and then
> actively resisting attempts to clean up the mess (which, in effect is
> what Yahoo did by updating their DMARC record to p=reject).
>
> The situation strikes me as incredibly perverse and broken - the more
> so that the perpetrators are presenting this as blessed by the IETF
> standards process.
>
> It strikes me that IETF should weigh in on this in a formal fashion -
> if only to make it very clear that IETF is not responsible for this
> debacle, and perhaps to exert some moral influence on the perpetrators
> to back off and help clean up the mess they've created.
>
> On a broader scope - this sort of points out a really big hole in our
> consensus governance process - when one bad actor can inflict damage
> across the entire Internet, apparently, with impunity.
>
> Miles Fidelman