Re: DMARC: perspectives from a listadmin of large open-source lists

[John C Klensin <john-ietf@jck.com>]

--On Monday, April 14, 2014 00:10 -0400 John R Levine
<johnl@taugh.com> wrote:

>> Sadly, there are a non-trivial number of MTA installations
>> whose implementers or operators, having discovered that they
>> had not seen a legitimate use of the percent hack in years,
>> decided that they were about as likely to appear in
>> legitimate messages as source routing and dealt with them
>> accordingly.  Put more simply, a "%" in a local-part may be
>> least as likely to get a message rejected or dumped as a
>> badly specified DMARC record, so the one is really not a very
>> good cure for the other.
> 
> Since the percent hack became a famous vector for open relay
> abuse, so we all stopped honoring it.  A lot of MTAs still
> reject anything with a % saying something like no more source
> routing.  Mine does.

Exactly.

> So this would require inventing something with the same
> semantics as the percent hack, but a different syntax.
> Perhaps we can use an exclamation point.

I suppose the correct response is "bang, bang, bang,..."

But this takes us back to Ned's point (or at least my
interpretation of it): it is lots easier to fix a bad DMARC
config, ignore restrictive DMARC specifications, or even to
abandon DMARC entirely, than it is to believe that we can
upgrade every MTA and MUA on the network to start accepting
percent hacks, bang paths, or the syntax characters used to
denote them, again.  Or any other strange local-part syntax
anyone is likely to come up with, e.g., perhaps we could use
plus signs, hyphens, or appropriately-escaped backslashes.  Or
we could steal "/" and "=" back from X.400 gateways.  Right.

   john