Re: Will mailing lists survive DMARC?

["Livingood, Jason" <Jason_Livingood@cable.comcast.com>]

FWIW, we at Comcast just posted on this subject on our Postmaster page at http://postmaster.comcast.net/dmarcupdate.html.

- Jason

Pasted here as well:
Background

Comcast recently emplemented the Domain-based Authentication, Reporting, and Conformance (DMARC)<http://dmarc.org/> specification as a new way to help prevent phishing messages from reaching our customers’ mailboxes. DMARC enables a domain to publicly indicate (via DNS) what action should be taken for mail claiming to be from that domain that does not pass authentication and get reports about phishing and spam messages that did not come from approved mail servers.

Recent History
Recently, the policies that AOL and Yahoo published instructed mail servers that use DMARC to reject mail if it claims to be from aol.com or yahoo.com but failed authentication – meaning the mail did not originate from an approved mail server run by AOL or Yahoo, respectively. This has reportedly caused issues for some people using AOL or Yahoo addresses with email discussion lists and other mail sending tools. More information from AOL was posted here<http://postmaster-blog.aol.com/2014/04/22/aol-mail-updates-dmarc-policy-to-reject/>.

While AOL and Yahoo may be addressing spam and phishing issues in making this change, it does not yet appear to be typical DMARC usage. We have been asked whether Comcast plans to make similar changes soon, and we can confirm we have no such plans.

Comcast’s Future DMARC Plans
To help us improve our detection of those who use the comcast.net domain maliciously we have published a DMARC record for comcast.net, but that change WILL NOT disrupt legitimate messaging. This policy will not ask other services to reject messages that did not originate from us, but rather report those instances to us for research. We will also publish DMARC reject policies in the coming months for the domains used by our Xfinity Billing, Xfinity Home, and Customer Security Assurance notifications. These originate from specific domains and servers that we maintain. This will not negatively affect email discussion lists but will help us prevent some of phishing messages that might attempt to target our customers.

If You Have Been Negatively Affected by AOL’s and Yahoo’s Changes
If you are an Xfinity Internet customer, use an AOL or Yahoo email account regularly, and are having problems getting email from email discussion lists or other tools at those addresses, we invite you consider activating or using your comcast.net email account.

To signup, add, or change your email account - Click Here<http://customer.comcast.com/help-and-support/internet/stay-connected-with-email/>

Once your email address is registered, you can access it in several ways:
For webmail users - Click Here<http://customer.comcast.com/help-and-support/internet/using-xfinity-connect-for-comcast-email/>
For email client users - Click Here<http://customer.comcast.com/help-and-support/internet/email-client-programs-with-xfinity-email/>
For mobile email users - Click Here<http://customer.comcast.com/help-and-support/internet/comcast-email-mobile-devices/>


On 4/29/14, 10:39 AM, "John C Klensin" <john-ietf@jck.com<mailto:john-ietf@jck.com>> wrote:

An odd, and somewhat nasty, thought...

So far, the two organizations (at least of which I'm aware) that
have made more or less public announcements of their intentions
to use the sort of restrictive policies that cause mailing list
problems are not only large providers of email but also large
providers of online forums, social group discussions, etc.  So
are several of the other member-contributor organizations to
dmarc.org.  As far as can be observed from the outside, those
forums and discussion groups make considerable contributions to
the bottom lines of those providers -- in most cases, they allow
those organizations to sell advertising and/or to sell their
users and their interest profiles to advertisers.   Email, by
contrast, is typically a service they provide in conjunction
with those other services but is not, itself, generally a profit
center.

For many of the users and uses of the extended Internet, mailing
lists are the historical predecessor, and sometimes a
contemporary alternative, to those forums and centralized
"social network" discussions.

If one examines those relationships, there is a case to be made
that the problems they cause to mailing lists is not "collateral
damage" at all.  Even if the effects were discovered by
accident, continued use of DMARC with restrictive policies has
the consequence of driving traffic away from mailing lists,
perhaps especially mailing lists operated by smaller providers
and non-profits, toward use of the for-profit systems operated
by those same (to quote another recent comment) "too big to
ignore" operators with a positive effect on their bottom line to
the detriment of  other operators and ways of doing things.

Behaviors by large ("dominant", "too big to ignore", etc.)
industry actors that have the effect of driving alternate
solutions or providers out by mechanisms other than fair
competition in the marketplace, especially when those mechanisms
come out of collaborations among such actors, are, if other
conditions are met, rather seriously illegal in many countries.
If intent can be demonstrated, they are even more so.

So, as a purely hypothetical set of questions (I am not
recommending anything), I wonder what would happen if some of
the people who have been claiming they or the general public are
harmed by this would, instead of asking what the IETF can do
about something that is not an IETF Standard, went to their
local "competitiveness" or "antitrust" authorities, explained
the situation and started complaining?   I also wonder whether
the IETF and ISOC have, or should seek, legal advice about how
to keep adequate distance between themselves and this situation
should some relevant jurisdiction initiate an investigation or
enforcement action.

Just curious.
    john