Re: [dmarc-ietf] IETF Mailing Lists and DMARC

[John C Klensin <john-ietf@jck.com>]

--On Thursday, November 03, 2016 14:24 -0400 "Andrew G. Malis"
<agmalis@gmail.com> wrote:

>...
>> And regarding Terry's previous paragraph, while I'm by no
means an
>> expert on DMARC (or mailman for that matter), a bit of
>> googling tells me that there are more recent versions of
>> mailman than what the IETF is currently using that support
>> DMARC mitigation. See, for example,
>> http://www.spamresource.com/2016/09/dmarc-support-in-mailman.h
>> tml . Hi Steve!
> 
> The site goes on to say:
> 
> "If you don't take any action here, you're leaving a subset of
> your potential subscribers out in the cold. Making them second
> class citizens, unable to participate in the mailing lists
> you're hosting. Be kind, and don't beat up Yahoo users because
> of a domain policy that Yahoo choose to implement (and that
> Yahoo user is stuck dealing with)."
> 
> I certainly agree with that sentiment. And it's not the
> DMARC WG that's responsible for IETF email list support,
> it's the admin staff at AMS that are the ones "caught in
> the middle".

Andy (and others), 

We are beginning to move away from protocols and toward
philosophy here.  Maybe that is as it should be, so, from the
perspective of someone who probably belongs on John Levine's
list of people who have been thinking about email for a really
long time, some observations.

First, we got here because a small collection of email service
providers got together and developed and deployed a piece of
protocol that, among other things, ignored the implications of
that protocol (or some of configurations that were possible with
it) for mailing lists as we have traditionally understood them.
I don't have any reason to believe it was relevant to their
decisions, but I note that the providers involved all run their
own "groups", "forums", etc., as an alternative to traditional
Internet email-based mailing lists.

Second, there are a number of aspects of our email architecture
that assume users have both a trust relationship with, and some
control over, their email service providers.  There are aspects
of POP3 and IMAP4 that make no sense without that assumption and
many antispam activities and actions would be serious violations
of the standards in the absence of that assumption.  Nothing
prevents a user from agreeing with a provider that, in return
for "free" email service, that provider gets the right to decide
what messages the user can receive or send, to scan messages for
content of interest (e.g., to determine user interests from
advertising purposes), to make unilateral decisions about
whether messages or message trace information should be revealed
to others, and to change the rules after that user is thoroughly
locked in.  

The IETF can't protect users from such agreements and we
probably shouldn't try even if we could.    That doesn't mean I
am willing to agree to that -- I won't and, if I ever decide to
outsource my mail services, it will be to someone to whom I pay
money and from whom I can get an appropriate SLA because free
lunches make me nervous.

One of the things that make the IETF community (and, I assume,
Ted's Linux developer community) different from the general user
community is that the proportion of people with attitudes like
mine is a lot higher than in that general population of Internet
users.  Another is that we get to assume a sufficient level of
clue to at least understand the tradeoffs mentioned above.

So, while "that [random] Yahoo user" has my sympathy, those who
want to participate in, and contribute to, the IETF get a lot
less of it if they can't figure out where to find and how to use
a mail system that conforms to our standards rather than
something made up by a handful of mail providers to serve their
own needs, no matter how many customers/ users/ victims they
have.

Finally, I'd like to suggest people who have been involved in
this debate think about something even if it seems far-fetched.
Suppose some vendors and/or ISPs got together and agreed on an
improvement to IP that would have the side effect of making
things better for their customers but worse for some others.
Would the IETF be scrambling around trying to modify IP to make
the pain for the non-customers somewhat less, perhaps in the
process helping to pressure other vendors and ISPs into
conforming to the "new" protocols?  We've got a partial answer
with ISPs giving preference to some content providers over
others with the "net neutrality" debate, something many of us
have recognized as an abuse of market power fundamentally
inconsistent with network principles, but the differences
between that case and the DMARC one may be less significant than
might appear at first glance.

I'm still looking forward to ARC and any other approaches that
move us forward with solutions to what I assume we all recognize
as a real problem.   But I think we need to be much more
cautious about "solutions" that make Internet mail work less
well as well as ones that mitigate problems in ways that may
retard real solutions.

    john