Re: DMARC and ietf.org

Rich Kulawiec <rsk@gsp.org> Mon, 15 August 2016 11:44 UTC

Return-Path: <rsk@gsp.org>
X-Original-To: ietf@ietfa.amsl.com
Delivered-To: ietf@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id DD47A12B032 for <ietf@ietfa.amsl.com>; Mon, 15 Aug 2016 04:44:11 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.2
X-Spam-Level:
X-Spam-Status: No, score=-4.2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_MED=-2.3] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 2wiH1Z_uMmB7 for <ietf@ietfa.amsl.com>; Mon, 15 Aug 2016 04:44:10 -0700 (PDT)
Received: from taos.firemountain.net (taos.firemountain.net [207.114.3.54]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 88B2E12B026 for <ietf@ietf.org>; Mon, 15 Aug 2016 04:44:10 -0700 (PDT)
Received: from gsp.org (localhost [127.0.0.1]) by taos.firemountain.net (8.15.1/8.14.9) with SMTP id u7FBi8aD011952 for <ietf@ietf.org>; Mon, 15 Aug 2016 07:44:09 -0400 (EDT)
Date: Mon, 15 Aug 2016 07:44:08 -0400
From: Rich Kulawiec <rsk@gsp.org>
To: ietf@ietf.org
Subject: Re: DMARC and ietf.org
Message-ID: <20160815114408.GA28486@gsp.org>
References: <c87f5578-be42-5a4e-d979-f4166e2f2ef2@gmail.com> <20160813023957.5679.qmail@ary.lan> <CAPt1N1mO0xxfc3SghV1pcNUjOz9yKk-g=bgU+dWrgy2LWcwhBg@mail.gmail.com> <20160813150004.GM10626@thunk.org> <alpine.OSX.2.11.1608131101040.12562@ary.local>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <alpine.OSX.2.11.1608131101040.12562@ary.local>
User-Agent: Mutt/1.5.23 (2014-03-12)
Archived-At: <https://mailarchive.ietf.org/arch/msg/ietf/fGFZFZb9UGjGjj3Ua2oFrzYqzfQ>
X-BeenThere: ietf@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: IETF-Discussion <ietf.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ietf>, <mailto:ietf-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ietf/>
List-Post: <mailto:ietf@ietf.org>
List-Help: <mailto:ietf-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ietf>, <mailto:ietf-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 15 Aug 2016 11:44:12 -0000

On Sat, Aug 13, 2016 at 11:10:59AM -0400, John R Levine wrote:
> DMARC was fine when it was used to protect high value company domains like
> paypal.com.  It became much less fine when AOL and Yahoo started using it to
> force the costs of their own security failures on third parties.

Worth noting is that their deployment of DMARC has done *nothing*
to address those security failures and thus *nothing* to stop the
forgeries that were the alleged impetus for the deployment.  In fact,
it's arguably made the impact of those worse because they now arrive
with whatever degree of endorsement DMARC validation provides.

---rsk