Re: DMARC from the perspective of the listadmin of a bunch of SMALL community lists

[Hector Santos <hsantos@isdg.net>]

Miles, Bravo to you for being brave!! +100 on everything you said!!

--
HLS

n 4/12/2014 3:56 PM, Miles Fidelman wrote:
> Folks,
>
> We (really I) support perhaps 2 dozen small email lists, for a bunch
> of community groups (PTOs, churches, neighborhood groups) - mostly the
> legacy of previously running a small hosting firm, and still having
> the machines sitting in a data center.  The kinds of groups with lots
> of non-technical users who have email accounts on Yahoo, hotmail, AOL,
> Comcast, and such.  The lists range in size from tiny (5 person boards
> of directors) to maybe 1000 (high school parents).
>
> Yahoo's implementation of it's new DMARC policy has been an absolute
> disaster.  Kind of messes things up when a few days before tax filings
> are due, and in parallel with the Heartbleed mess, (not to mention the
> work that pays the bills), roughly 1/3 of the addresses on almost all
> of the lists start bouncing mail from yahoo addresses - particularly
> when yahoo's postmaster didn't have a clue what was going on (my
> initial thought was - oh heck, need to get back on their whitelist).
> Luckily gmail seems not to be honoring the Yahoo's p=reject policy, at
> least so far, or things would be a LOT worse.
>
> Still trying to figure out a reasonable fix for this, as it looks like
> lots of other listmasters are trying to do - and doesn't help that I'm
> running a less common list package (sympa).
>
> Anyway - one of my reactions to this is that something is really
> broken about the process by which DMARC and Yahoo's policy have been
> foisted on the larger Internet community - and in particular IETF's
> role or lack thereof.  Specifically:
>
> - DMARC is an ad-hoc group that assembled with a "common goal was to
> develop an operational specification to be introduced to the IETF for
> standardization"
> (http://dmarc.org/about.html)
>
> - DMARC.org defines the "DMARC Base Specification" with a link to
> https://datatracker.ietf.org/doc/draft-kucherawy-dmarc-base/ - an IETF
> document
>
> - the referenced document is an informational  Internet draft, that
> expires in October of this year, that starts with "This memo presents
> a proposal for a scalable mechanism by which a mail sending
> organization can express,.
>
> - It's also being presented as mature - through such publicity
> statements as "DMARC standard now protects almost two-thirds of the
> world's 3.3 billion consumer mailboxes worldwide"
> (http://dmarc.org/news/press_release_20140218.html)
>
> In essence, DMARC is being represented as a mature, standards-track
> IETF specification - with the implication that it's been widely
> vetted, and is marching through the traditional experimental ->
> optional -> recommended -> mandatory steps that IETF standards go
> through.
>
> In reality:
> - DMARC was developed by a tiny number of people, all of whom work for
> very large ISPs
> - as far as I can tell, all input from the broader community - notably
> mailing list developers and operators was roundly ignored or dismissed
> (the transcript is really clear on this)
> - while DMARC is at least partially tested, deploying and honoring
> "p=reject" messages is brand new, and has wreaked tremendous damage
> across the net
> - as far as I can tell, those who are behind DMARC are taking the
> position "it's not our problem" (see discussions on
> dmarc-discuss@dmarc.org and dmarc@ietf.org) - and there is nary a
> Yahoo representative to be seen anywhere
>
>  From an operational perspective, this is akin to a large player
> publishing a corrupt nameserver database or routing update - and then
> actively resting attempts to clean up the mess (which, in effect is
> what Yahoo did by updating their DMARC record to p=reject).
>
> The situation strikes me as incredibly perverse and broken - the more
> so that the perpetrators are presenting this as blessed by the IETF
> standards process.
>
> It strikes me that IETF should weigh in on this in a formal fashion -
> if only to make it very clear that IETF is not responsible for this
> debacle, and perhaps to exert some moral influence on the perpetrators
> to back off and help clean up the mess they've created.
>
> On a broader scope - this sort of points out a really big hole in our
> consensus governance process - when one bad actor can inflict damage
> across the entire Internet, apparently, with impunity.
>
> Miles Fidelman