RE: DMARC and yahoo

"MH Michael Hammer (5304)" <> Wed, 16 April 2014 17:03 UTC

Return-Path: <>
Received: from localhost ( []) by (Postfix) with ESMTP id 2D8091A023D for <>; Wed, 16 Apr 2014 10:03:29 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -0.1
X-Spam-Status: No, score=-0.1 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, J_CHICKENPOX_16=0.6, J_CHICKENPOX_21=0.6, J_CHICKENPOX_51=0.6] autolearn=no
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id AIQaR9_xeH3J for <>; Wed, 16 Apr 2014 10:03:28 -0700 (PDT)
Received: from ( []) by (Postfix) with ESMTP id 2CB811A0222 for <>; Wed, 16 Apr 2014 10:03:24 -0700 (PDT)
Received: from ([fe80::f5de:4c30:bc26:d70a]) by ([::1]) with mapi id 14.03.0158.001; Wed, 16 Apr 2014 13:03:20 -0400
From: "MH Michael Hammer (5304)" <>
To: Theodore Ts'o <>
Subject: RE: DMARC and yahoo
Thread-Topic: DMARC and yahoo
Thread-Index: AQHPWQudFl3OBUlCUUiD6pJYurib+psTtYSAgAARHwCAAINKAP//8RtAgABtPID//78FsA==
Date: Wed, 16 Apr 2014 17:03:19 +0000
Message-ID: <>
References: <> <> <> <> <> <> <> <> <> <>
In-Reply-To: <>
Accept-Language: en-US
Content-Language: en-US
x-originating-ip: []
x-kse-antivirus-interceptor-info: scan successful
x-kse-antivirus-info: Clean
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
Cc: "" <>
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: IETF-Discussion <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Wed, 16 Apr 2014 17:03:29 -0000

> -----Original Message-----
> From: Theodore Ts'o []
> Sent: Wednesday, April 16, 2014 11:51 AM
> To: MH Michael Hammer (5304)
> Cc:
> Subject: Re: DMARC and yahoo
> On Wed, Apr 16, 2014 at 02:07:39PM +0000, MH Michael Hammer (5304)
> wrote:
> >
> >
> > Instead of "But had" substitute "When does..."
> You are asserting that gmail will eventually do what Yahoo has done.

I am asserting that if, as an organization, Google (or any other mailbox provider for that matter) perceives that p=reject is working for other providers of a similar nature to mitigate abuse then yes, they will, even recognizing potential negative consequences in some areas as long as they believe that the benefits outweigh the consequences. It may be that no other mailbox provider chooses to make such a move.  I'm also saying that mailbox providers which validate DMARC have the data to see what the impacts are - both on abuse as well as broken mail through mailing lists and other sources. This is especially true for large providers that have the resources to do the analysis.

> I can't speak for my employer, but I suspect there will be a lot of people
> (both inside and outside of the company) lobbying to make sure gmail
> doesn't do the same insane thing that Yahoo has done.  I have quite a bit of
> faith that senior folks like Vint Cerf will take a bit more of a nuanced view
> than some of the DMARC cheerleaders have done, and his voice does carry a
> fair amount of weight.

As I've said before, my ox isn't gored on the mailing list issue. Each mailbox provider will make a calculus as to which way to jump. This calculus will change over time for each mailbox provider depending on a number of factors and the perceived outcomes for the organization and its customers. Let's assume that Google chooses not to follow Yahoo but a number of other large providers do. You still have a similar outcome. I'm not presenting this as cheerleading for DMARC. I'm presenting this as a real situation and other mailbox providers, both large and small, may choose to go this direction. I haven't heard any of the denizens of this list present any approach as to how they will deal with such a sea change. 

As von Moltke the Elder wrote, "no plan of operations extends with any certainty beyond the first contact with the main hostile force".

Setting aside your personal preference as to outcomes, I'd love to hear your thoughts on how IETF and/or mailing list operators would deal with such a situation (some significant portion of mailbox providers/users migrated to this new paradigm) should it occur. 

> Cheers,
> 						- Ted
> P.S.  One of the reasons why I think mailing list software should pick
> mechanisms that inflict pain on customers, and hopefully get
> them to switch, is that hopefully other e-mail providers will consider the
> costs of using DMARC p=reject for domains where users might need to send
> mail to mailing list, and choose differently from Yahoo.

That is certainly a plan but it doesn't work so well if it becomes Yahoo+n. My wife and I have discussed this issue and our personal decision is that if our alma maters, charitable organizations that we contribute to, etc. undertake this tactic to intentionally inflict pain on us if our mailbox provider (neither of us happens to use Yahoo) should go this route, we will simply choose other places to give our support and donations. This is not a function of the DMARC debate itself but is instead a function of an organization biting the hand that feeds them to intentionally inflict pain to gain leverage over a 3rd party. For some organizations, while our donations are not critical, they are significant enough to get senior management attention if withheld with an explanation of why we have made that choice.