Re: DMARC-4-ML: Can the IETF call a demonstration?

John C Klensin <> Wed, 14 May 2014 12:39 UTC

Return-Path: <>
Received: from localhost ( []) by (Postfix) with ESMTP id 794F01A0075 for <>; Wed, 14 May 2014 05:39:56 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -3.251
X-Spam-Status: No, score=-3.251 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_LOW=-0.7, RP_MATCHES_RCVD=-0.651] autolearn=ham
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id KzRvfFVMM_IQ for <>; Wed, 14 May 2014 05:39:53 -0700 (PDT)
Received: from ( []) by (Postfix) with ESMTP id 8E1171A0068 for <>; Wed, 14 May 2014 05:39:53 -0700 (PDT)
Received: from [] ( by with esmtp (Exim 4.82 (FreeBSD)) (envelope-from <>) id 1WkYTD-000JXZ-Dw; Wed, 14 May 2014 08:39:39 -0400
Date: Wed, 14 May 2014 08:39:40 -0400
From: John C Klensin <>
To: Alessandro Vesely <>,
Subject: Re: DMARC-4-ML: Can the IETF call a demonstration?
Message-ID: <>
In-Reply-To: <>
References: <>
X-Mailer: Mulberry/4.0.8 (Win32)
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Content-Disposition: inline
X-SA-Exim-Scanned: No (on; SAEximRunCond expanded to false
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: IETF-Discussion <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Wed, 14 May 2014 12:39:56 -0000

--On Wednesday, May 14, 2014 13:52 +0200 Alessandro Vesely
<> wrote:

> After some discussion on ietf-822, two viable methods were
> identified for DMARC for mailing lists (ML).  Someone cutely
> suggested to do both:
> *Tweak DKIM signatures*
> *Whitelist*
> Both methods require each domain to build a DB of MLs.  That
> can be done by a "manual process" (see picture) for the time
> being.  The process consists of each ML admin extracting a
> per-domain list of subscribers and sending it to the relevant
> Will the admins go marching in?


At the risk of repeating myself...

(1) I think it is a bad idea for the IETF to be formally
spending effort to work around damage caused by a non-IETF
protocol.   I note that, if this were a protocol that was
specified in the IETF and over which the IETF had change
control, we would be trying to fix the protocol itself or would
withdraw or depreciate it because of the damage caused.  

(2) I believe it is unacceptable for a new protocol or
capability to impose costs on operators of other systems in the
absence of clear and broad consensus about why the changes are
needed and appropriate. That consensus may well exist for DMARC
and its policy statements among the contributors/ supporters of, but it is fairly clear to me that it does not exist
in the IETF.   Contrast that with, e.g., privacy issues about
which there have been consensus statements in the IETF, perhaps
even statements strong enough to justify some additional costs.

(3) Since I mentioned privacy, I should note that developing,
keeping, and maintaining the database you mention could have
significantly more privacy risks than simple recording of
envelope information in server logs.  If IETF is now committed
to privacy as a significant goal, that question needs careful

> Doing nothing will result in a mix of three reactions.  1, ML
> admins changing the From: of domains who publish strict DMARC
> policies;  2, some users changing mailbox provider; and 3,
> less domains publishing strict DMARC policies.  

There are two more options you didn't mention: (4) more systems
either not implementing DMARC or ignoring strict policy
specifications, and (5) driving some users and activity away
from the use of mailing lists entirely in favor of using more
"social network" web sites and activities.  I note that some
people believe that DMARC and strict policies are part of a
business model to force that result.  I don't believe that
personally, but the optics are unfortunate.

> The combined
> effect seems to weaken both DMARC and mailing lists.

So?  Perhaps we should be focusing more on strategies that
weaken DMARC to the degree necessary or appropriate without
weakening mailing lists or imposing added costs on those who
operate or subscribe to them.  

The analogy is obviously not exact, but, if some external group
came up with a protocol that weakened TCP and undermined all of
our congestion control mechanisms, we might be pointing out the
damage and encouraging people to not use that protocol --
perhaps even figuring out ways to block its use -- but would not
be scurrying to alter TCP to better accommodate the behavior of
that new protocol, especially if the alterations made "normal"
use of TCP less efficient or effective.