Re: DMARC from the perspective of the listadmin of a bunch of SMALL community lists

Hector Santos <> Sat, 12 April 2014 22:09 UTC

From: Hector Santos <>
Organization: Santronics Software, Inc.
To: Miles Fidelman <>,
Subject: Re: DMARC from the perspective of the listadmin of a bunch of SMALL community lists

Miles, Bravo to you for being brave!! +100 on everything you said!!


On 4/12/2014 3:56 PM, Miles Fidelman wrote:
> Folks,
> We (really I) support perhaps 2 dozen small email lists, for a bunch
> of community groups (PTOs, churches, neighborhood groups) - mostly the
> legacy of previously running a small hosting firm, and still having
> the machines sitting in a data center.  The kinds of groups with lots
> of non-technical users who have email accounts on Yahoo, hotmail, AOL,
> Comcast, and such.  The lists range in size from tiny (5 person boards
> of directors) to maybe 1000 (high school parents).
> Yahoo's implementation of its new DMARC policy has been an absolute
> disaster.  Kind of messes things up when a few days before tax filings
> are due, and in parallel with the Heartbleed mess, (not to mention the
> work that pays the bills), roughly 1/3 of the addresses on almost all
> of the lists start bouncing mail from yahoo addresses - particularly
> when yahoo's postmaster didn't have a clue what was going on (my
> initial thought was - oh heck, need to get back on their whitelist).
> Luckily gmail seems not to be honoring Yahoo's p=reject policy, at
> least so far, or things would be a LOT worse.
> Still trying to figure out a reasonable fix for this, as it looks like
> lots of other listmasters are trying to do - and doesn't help that I'm
> running a less common list package (sympa).
> Anyway - one of my reactions to this is that something is really
> broken about the process by which DMARC and Yahoo's policy have been
> foisted on the larger Internet community - and in particular IETF's
> role or lack thereof.  Specifically:
> - DMARC is an ad-hoc group that assembled with a "common goal was to
> develop an operational specification to be introduced to the IETF for
> standardization"
> (
> - defines the "DMARC Base Specification" with a link to
> - an IETF
> document
> - the referenced document is an informational  Internet draft, that
> expires in October of this year, that starts with "This memo presents
> a proposal for a scalable mechanism by which a mail sending
> organization can express,.
> - It's also being presented as mature - through such publicity
> statements as "DMARC standard now protects almost two-thirds of the
> world's 3.3 billion consumer mailboxes worldwide"
> (
> In essence, DMARC is being represented as a mature, standards-track
> IETF specification - with the implication that it's been widely
> vetted, and is marching through the traditional experimental ->
> optional -> recommended -> mandatory steps that IETF standards go
> through.
> In reality:
> - DMARC was developed by a tiny number of people, all of whom work for
> very large ISPs
> - as far as I can tell, all input from the broader community - notably
> mailing list developers and operators was roundly ignored or dismissed
> (the transcript is really clear on this)
> - while DMARC is at least partially tested, deploying and honoring
> "p=reject" messages is brand new, and has wreaked tremendous damage
> across the net
> - as far as I can tell, those who are behind DMARC are taking the
> position "it's not our problem" (see discussions on
> and - and there is nary a
> Yahoo representative to be seen anywhere
>  From an operational perspective, this is akin to a large player
> publishing a corrupt nameserver database or routing update - and then
> actively resisting attempts to clean up the mess (which, in effect is
> what Yahoo did by updating their DMARC record to p=reject).
> The situation strikes me as incredibly perverse and broken - the more
> so that the perpetrators are presenting this as blessed by the IETF
> standards process.
> It strikes me that IETF should weigh in on this in a formal fashion -
> if only to make it very clear that IETF is not responsible for this
> debacle, and perhaps to exert some moral influence on the perpetrators
> to back off and help clean up the mess they've created.
> On a broader scope - this sort of points out a really big hole in our
> consensus governance process - when one bad actor can inflict damage
> across the entire Internet, apparently, with impunity.
> Miles Fidelman