Re: "why I quit writing internet standards"

Douglas Otis <> Sun, 20 April 2014 23:12 UTC

Return-Path: <>
Received: from localhost ( []) by (Postfix) with ESMTP id DBB471A007B for <>; Sun, 20 Apr 2014 16:12:16 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -2
X-Spam-Status: No, score=-2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, SPF_PASS=-0.001] autolearn=ham
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id 818b2FM_ifrv for <>; Sun, 20 Apr 2014 16:12:12 -0700 (PDT)
Received: from ( [IPv6:2607:f8b0:400e:c01::235]) by (Postfix) with ESMTP id 23A451A0072 for <>; Sun, 20 Apr 2014 16:12:12 -0700 (PDT)
Received: by with SMTP id rp16so3126014pbb.12 for <>; Sun, 20 Apr 2014 16:12:07 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=20120113; h=content-type:mime-version:subject:from:in-reply-to:date:cc :content-transfer-encoding:message-id:references:to; bh=CzX+ZHqXdpBlQeBucrih+1vq9k1gxRn21XY/YA9y4Jw=; b=VbynKQDJXZehgFfb3sBQKnA0RXzyLlSbhTv68DSKU6lTBB6mFmAytUgCxmajV2Kthm e62a7wH5OBj6QORL/x41s8c0pHMYtfEhetvd3ulmxoym2RdzM26CNECpeb2IH8evgmRR 7V+v0lodtwxBYpRBroD4JbQ1GtgE9Tn6cPlQF4jpUW/W6nNxBTiia8F1N6zs5cXNzJMk bcBtPNwRfQpaqXyDq4uTE+AMl7QR8q6Iw3gQKStOq5+CosN+SLfgFVMi1bp4r2fNwlFP yWm+PBuZijsndpah/VPBd0+QZ8vehnWYCBAKCM8DkW/mmFGxeM/XeLuo+v0sM3hCTHhx Rc0Q==
X-Received: by with SMTP id pk6mr34916360pac.9.1398035527486; Sun, 20 Apr 2014 16:12:07 -0700 (PDT)
Received: from [] ( []) by with ESMTPSA id my6sm73864398pbc.36.2014. for <multiple recipients> (version=TLSv1 cipher=ECDHE-RSA-RC4-SHA bits=128/128); Sun, 20 Apr 2014 16:12:05 -0700 (PDT)
Content-Type: text/plain; charset=us-ascii
Mime-Version: 1.0 (Mac OS X Mail 7.2 \(1874\))
Subject: Re: "why I quit writing internet standards"
From: Douglas Otis <>
In-Reply-To: <>
Date: Sun, 20 Apr 2014 16:12:11 -0700
Content-Transfer-Encoding: quoted-printable
Message-Id: <>
References: <> <> <> <4756885.Eo3b3po9Vj@scott-latitude-e6320> <> <> <>
To: Hector Santos <>
X-Mailer: Apple Mail (2.1874)
Cc: Scott Kitterman <>, Dave Crocker <>,
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: IETF-Discussion <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Sun, 20 Apr 2014 23:12:17 -0000

On Apr 20, 2014, at 12:43 PM, Hector Santos <> wrote:

> On 4/20/2014 2:25 PM, Douglas Otis wrote:
>> That said, DMARC was never intended to address needs beyond the
>> narrow scope of high value transactional email.
> And unfortunately, this attitude was always wrong. Hate to say, but "I told you so."   What the design attitude says is this:
>    If the domain is high value, then only applied policy.
>    For all others, ignore it.

Dear Hector,

You missed an important term, "transactional". Transactional email is normally NOT relayed through things like mailing-lists for example.

"high value" are messages likely to invoke responses which in turn invites a high level of phishing.  In such limited scenarios, DMARC makes very good sense.

> Rather than try to honor policy to keep the security high, we are looking for ways to circumvent it.  Ignoring Policy no longer works.

Locking the From header field to a specific source for general user mail clearly does not work and those asserting DMARC policy should know better.  If this continues, at some point many will ignore DMARC when it costs more than it is worth.  I too think we can do better, but the senders should be expected to do the heavy lifting.  Only they know which third-party services their users send messages. The TPA strategy is based on the premise third-party paths can be quickly verified by the recipients without a steep user learning curve.  TPA also creates little impact on how email is normally handled. 

Email security should be structured to support a federated service and not depend on peer to peer communications. 

Douglas otis