Re: Will mailing lists survive DMARC?

"John Levine" <johnl@taugh.com> Tue, 29 April 2014 17:56 UTC

Date: Tue, 29 Apr 2014 17:56:06 -0000
Message-ID: <20140429175606.2856.qmail@joyce.lan>
From: John Levine <johnl@taugh.com>
To: ietf@ietf.org
Subject: Re: Will mailing lists survive DMARC?
In-Reply-To: <6778109B-953A-45F4-92C9-1543E80A7F9C@frobbit.se>
Archived-At: http://mailarchive.ietf.org/arch/msg/ietf/8TplYDhposjX_W0kcuDLnDC99sg
Cc: paf@frobbit.se

>The problem exists if A is publishing such a policy, B is acknowledging the policy, B is
>generating a bounce, and the bounce is hitting the mailing list provider.
>
>I do not understand why a bounce should be generated (and not the incoming mail to B would
>be tagged as spam and/or null-routed).

DMARC lets you say p=reject or p=quarantine.  For whatever reason, AOL
and Yahoo are saying reject.  Using that p=quarantine would be nearly
as bad, with list mail eternally vanishing into spam folders.

>That said, the result of the above is that B is unsubscribed from the mailing list due to
>large number of bounces, but that is because B is recognizing the policy A is publishing.

Yes, but there are complicating factors.

One is that it's entirely possible to use DMARC responsibly.  It's
been around for a year, domains like paypal.com have published
p=reject, with no problems because nobody sends real paypal.com mail
via mailing lists or mail-an-article or the other stuff that is broken
by DMARC reject.

What changed is that two of the largest consumer mail providers had
huge security breaches where crooks stole user info including their
address books (both admit it, no conspiracizing needed) and used DMARC
as a sledgehammer to try and mitigate the damage.  I don't think
anyone is opposed to mitigating damage, but these particular efforts
had the predictable side effect of dumping costs on unrelated third
parties which AOL and Yahoo have so far done nothing to address.
Yahoo's blog admits that they are affecting 30,000 other providers, so
they know this is not a trivial problem.

Finally, the DMARC group includes the largest mail providers in the
world (I've seen DMARC bounces from Gmail, Yahoo, Hotmail, AOL, and
Comcast), who have such a large market share and so much market power
that it is not realistic to exclude users at those providers and tell
them to take their business elsewhere, no matter how well deserved
that advice might be.

R's,
John
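
The failure mode discussed in this message, as an added example that is not part of the original post: a simplified DMARC evaluation (RFC 7489 identifier alignment) applied to the same post sent directly and relayed through a list. The domains and authentication results are constructed, the organizational-domain lookup is a two-label stand-in for the Public Suffix List, and the list is assumed to modify the message so that the author's DKIM signature no longer verifies.

```python
# Added illustration: simplified DMARC evaluation (RFC 7489 identifier alignment).
# All domains and authentication results below are constructed sample data.
from dataclasses import dataclass

def org_domain(domain: str) -> str:
    # Assumption: the last two labels stand in for a Public Suffix List lookup.
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def aligned(from_domain: str, auth_domain: str, strict: bool = False) -> bool:
    if strict:
        return from_domain.lower() == auth_domain.lower()
    return org_domain(from_domain) == org_domain(auth_domain)

@dataclass
class Message:
    header_from: str   # domain in the From: header
    mail_from: str     # envelope sender domain, the one SPF checks
    spf_pass: bool
    dkim: list         # (d= domain, signature verified?) pairs

def dmarc_disposition(msg: Message, policy: str) -> str:
    """Return 'deliver', 'quarantine' or 'reject' for a published p= policy."""
    spf_ok = msg.spf_pass and aligned(msg.header_from, msg.mail_from)
    dkim_ok = any(ok and aligned(msg.header_from, d) for d, ok in msg.dkim)
    if spf_ok or dkim_ok:
        return "deliver"
    return {"none": "deliver"}.get(policy, policy)

# A sends directly to B: SPF and DKIM both align with the From: domain.
direct = Message("a-provider.example", "a-provider.example", True,
                 [("a-provider.example", True)])

# Same post relayed by a list: the envelope sender is now the list (SPF passes
# but is not aligned), the list's changes broke A's signature, and the list's
# own signature verifies but is for a different domain.
via_list = Message("a-provider.example", "lists.example.org", True,
                   [("a-provider.example", False), ("lists.example.org", True)])

def outcomes():
    return {p: (dmarc_disposition(direct, p), dmarc_disposition(via_list, p))
            for p in ("none", "quarantine", "reject")}

if __name__ == "__main__":
    for p, (d, l) in outcomes().items():
        print(f"p={p:<10} direct={d:<8} via list={l}")
```

With p=reject the list copy is refused at B, and the resulting bounce goes to the list's envelope sender, which is what drives the bounce-triggered unsubscription described in the quoted text.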