Re: DMARC from the perspective of the listadmin of a bunch of SMALL community lists

Miles Fidelman <> Mon, 14 April 2014 19:15 UTC


Warren Kumari wrote:
> On Sat, Apr 12, 2014 at 4:30 PM, Dave Crocker <> wrote:
>> On 4/12/2014 12:56 PM, Miles Fidelman wrote:
>>> - defines the "DMARC Base Specification" with a link to
>>> - an IETF
>>> document
>> While the Internet-Draft mechanism is operated by the IETF, it is an open
>> mechanism and issuance through it carries no automatic status, particularly
>> with respect to the IETF.
> It seems that folk often miss this particular point (see the recent
> drama about draft-loreto-httpbis-trusted-proxy20). Pointing at the
> boilerplate, explaining the fact that anyone (with an Internet
> connection and an XML editor) can submit an ID, etc doesn't seem to
> work. I considered pointing at, well, anything by Terrell, but instead
> decided to publish a draft :-P

Well yes, but that's the "fine print."

Who ever reads a 20-page shrink-wrap license - and the jury is still out 
as to when those apply or can be ignored.  And then there's a "warrant 
of merchantability" that vendors can be held to despite all kinds of 
disclaimers buried in a license.

When the organization that coordinated and promulgated DMARC:
- describes their efforts as "their common goal was to develop an 
operational specification to be introduced to the IETF for standardization"
- refers to the only defining document as a "Base Specification" and 
links to a document, on the IETF's webserver, with an IETF document number

It's kind of easy for the uninitiated to draw the conclusion that it's a 
standards-track IETF standard.

Then, when Yahoo defends the havoc they've wrought with statements like 
(they) "designed and built something called DMARC 
<>, or Domain-based Message Authentication, 
Reporting and Conformance. Today, 80% of US email user accounts and over 
2B accounts globally can be protected by the DMARC standard." - with a 
pointer to - and from there to an IETF webserver and document 
-- it sure is easy for the general community to draw the conclusion 
"Yahoo implemented a vetted IETF standard - and it broke all the mailing 
lists I'm on."  And it sure is easy for someone to draw the conclusion 
that the fault lies with the broken standard, not with Yahoo.

You have to look hard to figure out who really broke what.  And (IMHO) 
one would not be wrong to draw the conclusion that IETF dropped the ball 
in its role as the Internet standards body - if only in its relative 
silence (a disclaimer in the fine print does not constitute exercising 
one's professional or institutional responsibilities).

ISO, for example, has processes for complaining about mis-use of their 
standards, and about misrepresentation of being certified against a 
standard.  Perhaps it's time for IETF to institute similar policies and 
procedures - beyond:
"it's not actually a standard - we just provided space for the document"
"it's a voluntary standard, we're not responsible if it's not 
implemented properly, or not deployed properly"

We all claim that we don't want governments to run the Internet - but 
when our voluntary, cooperative mechanisms drop the ball - that's the 
end result.  (Along with lots of litigation.)

Just one man's opinion, of course.

Miles Fidelman

In theory, there is no difference between theory and practice.
In practice, there is.   .... Yogi Berra