Re: What I've been wondering about the DMARC problem

Seth Johnson, Tue, 15 April 2014 05:30 UTC

From: Seth Johnson
Date: Tue, 15 Apr 2014 01:29:19 -0400
Subject: Re: What I've been wondering about the DMARC problem
To: Miles Fidelman
Cc: IETF Discussion

(one insert/correction inline)

On Tue, Apr 15, 2014 at 1:20 AM, Seth Johnson wrote:

> The framework internationally is different.  Within free countries,
> there's a culture of expectations that certain things will be unacceptable,
> or will be resisted by self-respecting citizens.  That culture is based in
> a system that guards fundamental liberties, and people are able to rely on
> it to do so, though for private firms the limits aren't so definitive as
> they are for the government.
> Internationally, the limits are no longer so definitive, and that's
> because even though governments will sign onto instruments like the UDHR,
> those rights are not actually fundamental, even if we call them that.
> Fundamental rights have an undeniable priority within countries where they
> have been claimed in the founding act.  On that foundation, judges are
> always obliged to assess fundamental rights in light of the unarguable fact
> that their priority over the government was part of the original creation
> of the whole system.  There's no founding act in the international arena
> that sets the priority of people over the governments of the world, so
> rights are actually at the indulgence of governments, and governments can
> always assert their state interests are so important that they warrant
> impinging on fundamental liberties.
> We just saw an example of this with the Snowden disclosures.  We've been
> through a long period where we couldn't get our government to actually do
> much for us, or conversely to not invade our liberties -- because the
> claims that the government was snooping pervasively were kept marginal in
> various ways.


> But once documentation moved those considerations out of the frame of
> "conspiracy" or zealotry by activist organizations, we suddenly began
> seeing the appeals work again: "that's not the kind of country we are, what
> we set up for ourselves," we started saying again.


> And while it's still in a bit of denial, we are seeing a gradual grudging
> retracting -- again, because the basis in fundamental liberties is
> unarguably related to how we set the government up in the founding act(s).
> This is for governments and the more definitive relationship between
> fundamental liberties and the government; that is, that they are limits on
> the government.  The judicial system treats fundamental rights violations
> by the government in terms of "strict scrutiny," which means a governmental
> act that impinges on fundamental liberties must serve a compelling state
> interest, and even then, must be narrowly tailored.  For private parties,
> it's more that the working system creates a culture of people who enjoy
> this ability to live in a system where these limits on the government are
> actually at play -- and that's a context that more easily supports
> attitudes of resistance and pushback from people who see their dignity
> invaded by private firms that do excessive things.
> None of this exists internationally.  The best you can place some faint
> hope in is that national/state interests will be "balanced" against rights
> expressed in a treaty.  That's a totally different standard from strict
> scrutiny.  And relying on even that is unrealistic, because governments
> have the "epistemic priority" -- and so they often, quite freely, simply
> claim their sovereignty and act according to what they claim is an
> important state interest.  They simply have that wherewithal at the
> international level.
> All of which is preface to say that the result is that governments and
> private parties (and corporations, who have concocted trans-state "rights"
> through judges acting to fill in gaps in the law over the years) know the
> rules don't apply the same way in the international arena.
> In fact, given the transitions currently being attempted, whether with the
> IANA functions or "Internet governance" more generally, Yahoo's DMARC
> behavior may really be a sort of dry run, testing the ability to take
> advantage of the moves to put concerns related to the operation of the
> Internet into an international frame, which folks are pushing for without
> really recognizing what's missing in that context, what they have sort of
> unconsciously relied on and taken for granted within systems of checks and
> balances that are rooted solidly at national levels.
> The checks and balances don't work the same internationally, and that
> circumstance can be exploited (and is, all the time, these days).
> People might push back, but they don't really do so with the same sense of
> fundamental recourse assured by a solidly rooted system.  And Yahoo knows
> this.  And we're just shoring that up by saying we can just switch
> multistakeholderism to the international arena.
> (All of this is aside from other factors not generally acknowledged --
> that there are actually inter-governmentally endorsed frames in place that
> will have a bearing on IANA type functions or domain names (Names, Numbers,
> Addresses and Identifiers/NNAI, in the ITU parlance), regardless of the
> fact the IANA transition defines itself as non-governmentally-led or
> inter-governmental.  Looking at this in that light, Yahoo may be forcing
> the creation of a context in which it can start to exercise those
> frameworks.)
> Seth
> On Tue, Apr 15, 2014 at 12:07 AM, Miles Fidelman wrote:
>> Important business users, with Yahoo accounts?  Is that a joke?
>> Just as a reference point:
>> - I just logged into my long-unused, and un-publicized yahoo email
>> account - and the only thing there is Spam
>> - the lion's share of mail that comes from yahoo, to my normal account,
>> is spam
>> - unfortunately, a good number of people on the email lists that I run
>> seem to have Yahoo mail accounts - and a good amount of the mail that comes
>> from those accounts is... you guessed it... spam - because yahoo email
>> accounts seem to be vulnerable to cracking and exploitation
>> So, just who is it that Yahoo is protecting here?
>> Abdussalam Baryun wrote:
>>> The standard procedure in many companies is business scoped, so they
>>> identify important business users and the business returns/damages. Most
>>> important users are not IT experts, and use email for personal exchange.
>>> Yahoo has signed an agreement with users to protect its information system,
>>> so all seem to follow that, and all users are free to stop using services
>>> or not.
>>> AB
>>> On Tuesday, April 15, 2014, Brian E Carpenter wrote:
>>>     I thought that standard operating procedure in the IT industry
>>>     was: if you roll something out and it causes serious breakage to
>>>     some of your users, you roll it back as soon as possible.
>>>     Why hasn't Yahoo rolled back its 'reject' policy by now?
>>>     Regards
>>>        Brian
>> --
>> In theory, there is no difference between theory and practice.
>> In practice, there is.   .... Yogi Berra