Re: DMARC: perspectives from a listadmin of large open-source lists

ned+ietf@mauve.mrochek.com Tue, 08 April 2014 17:07 UTC

Return-Path: <ned+ietf@mauve.mrochek.com>
X-Original-To: ietf@ietfa.amsl.com
Delivered-To: ietf@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id CF71B1A049A for <ietf@ietfa.amsl.com>; Tue, 8 Apr 2014 10:07:35 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 0.526
X-Spam-Level:
X-Spam-Status: No, score=0.526 tagged_above=-999 required=5 tests=[BAYES_50=0.8, RP_MATCHES_RCVD=-0.272, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id j8YqLVbcO-hP for <ietf@ietfa.amsl.com>; Tue, 8 Apr 2014 10:07:33 -0700 (PDT)
Received: from mauve.mrochek.com (mauve.mrochek.com [66.59.230.40]) by ietfa.amsl.com (Postfix) with ESMTP id CE0691A03C4 for <ietf@ietf.org>; Tue, 8 Apr 2014 10:07:33 -0700 (PDT)
Received: from dkim-sign.mauve.mrochek.com by mauve.mrochek.com (PMDF V6.1-1 #35243) id <01P6EEISF9MO005173@mauve.mrochek.com> for ietf@ietf.org; Tue, 8 Apr 2014 10:02:33 -0700 (PDT)
MIME-version: 1.0
Content-type: TEXT/PLAIN; CHARSET=iso-8859-1
Received: from mauve.mrochek.com by mauve.mrochek.com (PMDF V6.1-1 #35243) id <01P6A66V86WW00004W@mauve.mrochek.com> (original mail from NED@mauve.mrochek.com) for ietf@ietf.org; Tue, 8 Apr 2014 10:02:26 -0700 (PDT)
From: ned+ietf@mauve.mrochek.com
Message-id: <01P6EEIPML6600004W@mauve.mrochek.com>
Date: Tue, 08 Apr 2014 09:52:40 -0700 (PDT)
Subject: Re: DMARC: perspectives from a listadmin of large open-source lists
In-reply-to: "Your message dated Tue, 08 Apr 2014 00:21:46 -0400" <alpine.BSF.2.00.1404072357400.73388@joyce.lan>
References: <robbat2-20140408T031810-279861577Z@orbis-terrarum.net> <alpine.BSF.2.00.1404072357400.73388@joyce.lan>
To: John R Levine <johnl@taugh.com>
Archived-At: http://mailarchive.ietf.org/arch/msg/ietf/bAyz5rNpjkrpLjOgo8kfrHWlMGw
Cc: IETF general list <ietf@ietf.org>, "Robin H. Johnson" <robbat2@gentoo.org>, zwicky@yahoo-inc.com
X-BeenThere: ietf@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: IETF-Discussion <ietf.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ietf>, <mailto:ietf-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/ietf/>
List-Post: <mailto:ietf@ietf.org>
List-Help: <mailto:ietf-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ietf>, <mailto:ietf-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 08 Apr 2014 17:07:36 -0000

> > The problem described WILL vanish when all mailing list apps implement
> > DMARC, but until then, it's really broken.

> Mailing list apps can't "implement DMARC" other than by getting rid of
> every feature that makes lists more functional than simple forwarders.
> Given that we haven't done so for any of the previous FUSSPs that didn't
> contemplate mailing lists, because those features are useful to our users,
> it seems unlikely we'll do so now.

Actually, mailing lists *can* implement DMARC, just not that way: Do a DMARC
check on all incoming messages, and if the domain policy is one that is
incompatible with the list's own policies - whatever they are - either change
the list's policies to conform to that message or reject it outright,
preferably with a nasty "find another a better mail provider" sort of message.

If the IETF wants to take a leadership position in regards to this issue,
perhaps someone could set this up.

> If receivers want to implement DMARC policy, they need to make their false
> alarm whitelist first.  This appears to be a substantial, perhaps
> insurmountable, hurdle.

> > At the same time, delaying mass usage of the reject policy would limit
> > damage.

> Reject policy is fine for domains that don't have individual human users,
> or for companies with firm staff policies that all mail goes through the
> company mail server, and employees don't join mailing lists and the like
> using company addresses, or the company provides a separate less strictly
> managed domain for its staff mail. Strict policies will never be
> appropriate for public webmail systems where the users will use their mail
> addresses any way one can use a mail address.  Yahoo appears to understand
> most of this, viz. the different domain for Elizabeth's company mail.

Which is why support for such policies is even in the specification. The
problem is there's no way to stop inappropriate use of such politicies in
advance of it happening. The best you can do is apply the clue-by-four later.

				Ned