Re: What I've been wondering about the DMARC problem

Hector Santos <hsantos@isdg.net> Tue, 15 April 2014 17:39 UTC

Return-Path: <hsantos@isdg.net>
X-Original-To: ietf@ietfa.amsl.com
Delivered-To: ietf@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 9A4CF1A0376 for <ietf@ietfa.amsl.com>; Tue, 15 Apr 2014 10:39:05 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -98.438
X-Spam-Level:
X-Spam-Status: No, score=-98.438 tagged_above=-999 required=5 tests=[BAYES_50=0.8, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HELO_MISMATCH_COM=0.553, HOST_MISMATCH_NET=0.311, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001, USER_IN_WHITELIST=-100] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id A5q3EnhHxWdD for <ietf@ietfa.amsl.com>; Tue, 15 Apr 2014 10:39:00 -0700 (PDT)
Received: from mail.winserver.com (ftp.catinthebox.net [208.247.131.9]) by ietfa.amsl.com (Postfix) with ESMTP id 97AF91A0366 for <ietf@ietf.org>; Tue, 15 Apr 2014 10:39:00 -0700 (PDT)
DKIM-Signature: v=1; d=isdg.net; s=tms1; a=rsa-sha1; c=simple/relaxed; l=2786; t=1397583535; h=Received:Received: Received:Received:Message-ID:Date:From:Organization:To:Subject: List-ID; bh=w5lwpf+PjVlj/QfBHhL2IzrUJY4=; b=dA7QcHNSt+E0swrY+QDR M4EOgXa6TFgq8PaB9CNuEAbW15Lq446j35cUAtLawwO/azs+P6SxUkUZ4ZgoFBtb eDk3DVqd23mzvlevyLSWcuJ/hSykybNlkvkPDXD1brGnVEtZy343byClvZimLt4L G8RLeiJeuqBx0nC49tZ4HtI=
Received: by winserver.com (Wildcat! SMTP Router v7.0.454.4) for ietf@ietf.org; Tue, 15 Apr 2014 13:38:55 -0400
Authentication-Results: dkim.winserver.com; dkim=pass header.d=beta.winserver.com header.s=tms1 header.i=beta.winserver.com; adsp=pass policy=all author.d=isdg.net asl.d=beta.winserver.com;
Received: from beta.winserver.com (hector.wildcatblog.com [208.247.131.23]) by winserver.com (Wildcat! SMTP v7.0.454.4) with ESMTP id 692112101.3.3336; Tue, 15 Apr 2014 13:38:54 -0400
DKIM-Signature: v=1; d=beta.winserver.com; s=tms1; a=rsa-sha256; c=simple/relaxed; l=2786; t=1397583466; h=Received:Received: Message-ID:Date:From:Organization:To:Subject:List-ID; bh=kqupiUq axZKk8AP0WWH8dL/N+uUdeya1cNV/Rcpc+xc=; b=iRTcHPWPweZ3j1Xcjv/nEeg h6f9kdu9tq9BIik1nCptXSo/g+gPnLxohe70Fo7a03GgRNJuCwaPnoeqcXkrLBlv GEQ+m5YgSWeIi91TvWPR6RmXyJKQFJZyZcPRNtA0jRUtT6oB6k9Fkp4vrtKl76lS iX3H7Xou+1H6GTo5D3lw=
Received: by beta.winserver.com (Wildcat! SMTP Router v7.0.454.4) for ietf@ietf.org; Tue, 15 Apr 2014 13:37:46 -0400
Received: from [192.168.1.2] ([99.121.4.27]) by beta.winserver.com (Wildcat! SMTP v7.0.454.4) with ESMTP id 711641703.9.9980; Tue, 15 Apr 2014 13:37:44 -0400
Message-ID: <534D6EAA.7010100@isdg.net>
Date: Tue, 15 Apr 2014 13:38:50 -0400
From: Hector Santos <hsantos@isdg.net>
Organization: Santronics Software, Inc.
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:24.0) Gecko/20100101 Thunderbird/24.3.0
MIME-Version: 1.0
To: dcrocker@bbiw.net, Brian E Carpenter <brian.e.carpenter@gmail.com>, IETF Discussion <ietf@ietf.org>
Subject: Re: What I've been wondering about the DMARC problem
References: <53499A5E.9020805@meetinghouse.net> <5349A261.9040500@dcrocker.net> <5349AE35.2000908@meetinghouse.net> <5349BCDA.7080701@gmail.com> <01P6L9JZF5SC00004W@mauve.mrochek.com> <CAKW6Ri5f5KZyJeL7RTG2T000Qd+t61KCofNmG2JZv+nKi94Uug@mail.gmail.com> <534C0078.3070808@meetinghouse.net> <CAKW6Ri6OUmxGaBOGR2hoWpDOGWsVQ9tQ2Q9ogkT5wzFhFJLBbQ@mail.gmail.com> <534C2262.1070507@meetinghouse.net> <CAL0qLwb5p_V3i-NGhKJZBeO0qKHm1xiAq1E3nYkBzVUAXkRPpQ@mail.gmail.com> <CAKW6Ri5HWMaGMa_oLKwq5fzSUzJG=jAL1qojY1i6_tibEAxq8w@mail.gmail.com> <CAL0qLwaik1ft+AcACoc+kvKtCRt_gGvM6ov7c2yj_Uwyy3drNw@mail.gmail.com> <CAKW6Ri5_=GyOQijZMM+mqAoaEQzePGysBy9WVjN9yHO1zf3d2w@mail.gmail.com> <534C8F2B.9060903@gmail.com> <534D5516.7060902@dcrocker.net>
In-Reply-To: <534D5516.7060902@dcrocker.net>
Content-Type: text/plain; charset=UTF-8; format=flowed
Content-Transfer-Encoding: 8bit
Archived-At: http://mailarchive.ietf.org/arch/msg/ietf/aR_5nMEaLxclkJ4IubqR7CGT8as
X-BeenThere: ietf@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: IETF-Discussion <ietf.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ietf>, <mailto:ietf-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/ietf/>
List-Post: <mailto:ietf@ietf.org>
List-Help: <mailto:ietf-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ietf>, <mailto:ietf-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 15 Apr 2014 17:39:05 -0000

On 4/15/2014 11:49 AM, Dave Crocker wrote:
> On 4/14/2014 6:45 PM, Brian E Carpenter wrote:
>> I thought that standard operating procedure in the IT industry
>> was: if you roll something out and it causes serious breakage to
>> some of your users, you roll it back as soon as possible.
>>
>> Why hasn't Yahoo rolled back its 'reject' policy by now?
>
>
> As the most-recent public statement from Yahoo, this might have some
> tidbits in it that are relevant to your question:
>
>
>
> http://yahoo.tumblr.com/post/82426971544/an-update-on-our-dmarc-policy-to-protect-our-users

Thanks for the link.

Yes, it does provide some insight, but it would be nice if YAHOO made 
an official statement to provide vendors with planning decisions.

This is GOOD NEWS.

What it means is that POLICY has won. I believe a policy-based DKIM 
framework is best and I invested in ADSP and its extensions. Many 
never believed in ADSP or policy-based protocols, but you have changed 
your position and now promote DMARC as the way to go. That's great Dave.

But as I have been saying, and have largely been ignored, it still didn't 
solve the problem unless the MLM supported the handling of restricted 
policies as well -- gracefully. It doesn't matter if it's ADSP or DMARC.

Yahoo has FORCED the issue, so in that way, I am happy.

What it means is that I will now begin exploring DMARC implementation 
into our already laid out DKIM framework using ADSP.  Maybe we can 
finally get some payoff and value from all this DKIM work after all!!

I have to note the yahoo.com impact on our system was low. The few 
yahoo.com accounts in our support list were down to four and this was 
going on since January with no complaints. But given the fact that Yahoo 
hasn't rolled back or relaxed its policy in over 4 months, DMARC is 
probably here to stay now!!

As Jeff says:

    "With stricter DMARC policies, users are safer, and the
     bad guys will be in a tough spot. More importantly,
     verified senders will unlock a massive wave of innovation
     and advancement for all our inboxes."

It's time for the IETF to support DMARC. We can do this using DMARC 
Extensions. Maybe Murray can consider writing DMARC extensions like 
ATPS but using DMARC as the base call. It should be a minor change 
to the ATPS specs.

I can see additional DMARC extensions for other advancements, but the 
main one is about managing 3rd party authorized domains to satisfy the 
"signing/sent on behalf of" design need that yahoo says is required:

    "Yahoo requires external email service providers, such as
     those who manage distribution lists, to cease using unsigned
     “sent from” mail, and switch to a more accurate “sent on
     behalf of” policy."

What is this so-called "more accurate" method?

-- 
HLS
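The "DMARC problem" the thread is about is identifier alignment: under a p=reject policy a message only passes if a DKIM d= or SPF domain aligns with the RFC5322.From domain, and a mailing list relay breaks exactly that (the Authentication-Results header on this very message shows the pattern, author.d=isdg.net signed by d=beta.winserver.com). The script below is an added illustration and is not code from the message, the IETF or Yahoo. It implements RFC 7489 alignment (strict versus relaxed) and runs the direct, relayed, From-rewritten and third-party cases; the `authorized_third_parties` parameter is a hypothetical stand-in for the ATPS-style "on behalf of" extension the message asks for, not part of RFC 7489, and the organizational-domain helper is a two-label approximation rather than a Public Suffix List lookup. All domain names are constructed.

```python
# Added example: DMARC identifier alignment (RFC 7489) applied to the
# mailing-list relay case. Not code from the original message or any
# IETF/Yahoo implementation; all domain names below are constructed.
from dataclasses import dataclass
from typing import Iterable, Optional


def organizational_domain(domain: str) -> str:
    """Reduce a domain to its organizational domain.

    ASSUMPTION: RFC 7489 uses the Public Suffix List for this; to stay
    offline this toy keeps the last two labels (right for example.com-style
    names, wrong for co.uk-style suffixes).
    """
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def aligned(authenticated_domain: str, from_domain: str, mode: str) -> bool:
    """'s' (strict) needs an exact match; 'r' (relaxed) only needs the same
    organizational domain."""
    a = authenticated_domain.lower().rstrip(".")
    f = from_domain.lower().rstrip(".")
    if mode == "s":
        return a == f
    return organizational_domain(a) == organizational_domain(f)


@dataclass
class DmarcRecord:
    p: str = "none"    # requested disposition: none / quarantine / reject
    adkim: str = "r"   # DKIM alignment mode
    aspf: str = "r"    # SPF alignment mode


def parse_dmarc(txt: str) -> DmarcRecord:
    """Parse the tag=value list of a _dmarc TXT record."""
    tags = {}
    for part in txt.split(";"):
        part = part.strip()
        if not part:
            continue
        key, _, value = part.partition("=")
        tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":
        raise ValueError("not a DMARC1 record")
    return DmarcRecord(p=tags.get("p", "none"),
                       adkim=tags.get("adkim", "r"),
                       aspf=tags.get("aspf", "r"))


def evaluate(from_domain: str,
             dkim_pass_domains: Iterable[str],
             spf_pass_domain: Optional[str],
             record: DmarcRecord,
             authorized_third_parties: Iterable[str] = ()) -> str:
    """Return 'pass' or the policy's requested disposition.

    'authorized_third_parties' is HYPOTHETICAL: it stands in for the
    ATPS-style third-party authorization extension discussed in the thread
    and is not part of RFC 7489.
    """
    dkim_domains = [d.lower() for d in dkim_pass_domains]
    dkim_ok = any(aligned(d, from_domain, record.adkim) for d in dkim_domains)
    spf_ok = (spf_pass_domain is not None
              and aligned(spf_pass_domain, from_domain, record.aspf))
    if dkim_ok or spf_ok:
        return "pass"
    allowed = {d.lower() for d in authorized_third_parties}
    if any(d in allowed for d in dkim_domains):
        return "pass (third-party authorized)"
    return record.p


# Constructed policy mirroring the restrictive p=reject policy under discussion.
AUTHOR_POLICY = parse_dmarc("v=DMARC1; p=reject; adkim=r; aspf=r")
AUTHOR = "author.example"   # constructed author domain
LIST = "list.example"       # constructed mailing-list domain


def direct_mail() -> str:
    # Author's MTA signs with d=author.example and SPF passes for it.
    return evaluate(AUTHOR, [AUTHOR], AUTHOR, AUTHOR_POLICY)


def relayed_by_list() -> str:
    # The MLM re-sends: envelope sender and the surviving DKIM signature
    # are the list's, so nothing aligns with the unchanged From: domain.
    return evaluate(AUTHOR, [LIST], LIST, AUTHOR_POLICY)


def relayed_with_from_rewrite() -> str:
    # MLM rewrites From: to its own domain; the list's record then applies.
    return evaluate(LIST, [LIST], LIST, parse_dmarc("v=DMARC1; p=none"))


def relayed_with_third_party_auth() -> str:
    # Hypothetical extension: the author's domain has authorized the list.
    return evaluate(AUTHOR, [LIST], LIST, AUTHOR_POLICY,
                    authorized_third_parties=[LIST])


if __name__ == "__main__":
    for name, fn in [("direct", direct_mail), ("via list", relayed_by_list),
                     ("From rewritten", relayed_with_from_rewrite),
                     ("third party authorized", relayed_with_third_party_auth)]:
        print(f"{name:>24}: {fn()}")
```

Running it shows the four outcomes side by side: direct mail passes, the relayed copy gets the author domain's `reject` disposition, rewriting From: moves the decision to the list's own record, and the hypothetical authorization list is the only way the unmodified relay passes under p=reject.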