DMARC from the perspective of the listadmin of a bunch of SMALL community lists

Miles Fidelman <> Sat, 12 April 2014 19:56 UTC

Return-Path: <>
Received: from localhost ( []) by (Postfix) with ESMTP id CCF431A022D for <>; Sat, 12 Apr 2014 12:56:22 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: 1.398
X-Spam-Level: *
X-Spam-Status: No, score=1.398 tagged_above=-999 required=5 tests=[BAYES_50=0.8, J_CHICKENPOX_16=0.6, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001] autolearn=no
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id OvAUf1ZVPWsU for <>; Sat, 12 Apr 2014 12:56:21 -0700 (PDT)
Received: from ( []) by (Postfix) with ESMTP id 28D151A0227 for <>; Sat, 12 Apr 2014 12:56:21 -0700 (PDT)
Received: from localhost (localhost.localdomain []) by (Postfix) with ESMTP id 0C2CCCC0BE for <>; Sat, 12 Apr 2014 15:56:19 -0400 (EDT)
X-Virus-Scanned: by amavisd-new-2.6.2 (20081215) (Debian) at
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with LMTP id Wgxw+D2AbvxW for <>; Sat, 12 Apr 2014 15:56:14 -0400 (EDT)
Received: from new-host.home ( []) by (Postfix) with ESMTPSA id 8DD66CC0B0 for <>; Sat, 12 Apr 2014 15:56:14 -0400 (EDT)
Message-ID: <>
Date: Sat, 12 Apr 2014 15:56:14 -0400
From: Miles Fidelman <>
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.6; rv:28.0) Gecko/20100101 Firefox/28.0 SeaMonkey/2.25
MIME-Version: 1.0
Subject: DMARC from the perspective of the listadmin of a bunch of SMALL community lists
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: IETF-Discussion <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Sat, 12 Apr 2014 19:56:23 -0000


We (really I) support perhaps 2 dozen small email lists, for a bunch of 
community groups (PTOs, churches, neighborhood groups) - mostly the 
legacy of previously running a small hosting firm, and still having the 
machines sitting in a data center.  The kinds of groups with lots of 
non-technical users who have email accounts on Yahoo, hotmail, AOL, 
Comcast, and such.  The lists range in size from tiny (5 person boards 
of directors) to maybe 1000 (high school parents).

Yahoo's implementation of it's new DMARC policy has been an absolute 
disaster.  Kind of messes things up when a few days before tax filings 
are due, and in parallel with the Heartbleed mess, (not to mention the 
work that pays the bills), roughly 1/3 of the addresses on almost all of 
the lists start bouncing mail from yahoo addresses - particularly when 
yahoo's postmaster didn't have a clue what was going on (my initial 
thought was - oh heck, need to get back on their whitelist).  Luckily 
gmail seems not to be honoring the Yahoo's p=reject policy, at least so 
far, or things would be a LOT worse.

Still trying to figure out a reasonable fix for this, as it looks like 
lots of other listmasters are trying to do - and doesn't help that I'm 
running a less common list package (sympa).

Anyway - one of my reactions to this is that something is really broken 
about the process by which DMARC and Yahoo's policy have been foisted on 
the larger Internet community - and in particular IETF's role or lack 
thereof.  Specifically:

- DMARC is an ad-hoc group that assembled with a "common goal was to 
develop an operational specification to be introduced to the IETF for 

- defines the "DMARC Base Specification" with a link to - an IETF 

- the referenced document is an informational  Internet draft, that 
expires in October of this year, that starts with "This memo presents a 
proposal for a scalable mechanism by which a mail sending organization 
can express,.

- It's also being presented as mature - through such publicity 
statements as "DMARC standard now protects almost two-thirds of the 
world's 3.3 billion consumer mailboxes worldwide" 

In essence, DMARC is being represented as a mature, standards-track IETF 
specification - with the implication that it's been widely vetted, and 
is marching through the traditional experimental -> optional -> 
recommended -> mandatory steps that IETF standards go through.

In reality:
- DMARC was developed by a tiny number of people, all of whom work for 
very large ISPs
- as far as I can tell, all input from the broader community - notably 
mailing list developers and operators was roundly ignored or dismissed 
(the transcript is really clear on this)
- while DMARC is at least partially tested, deploying and honoring 
"p=reject" messages is brand new, and has wreaked tremendous damage 
across the net
- as far as I can tell, those who are behind DMARC are taking the 
position "it's not our problem" (see discussions on and - and there is nary a Yahoo 
representative to be seen anywhere

 From an operational perspective, this is akin to a large player 
publishing a corrupt nameserver database or routing update - and then 
actively resting attempts to clean up the mess (which, in effect is what 
Yahoo did by updating their DMARC record to p=reject).

The situation strikes me as incredibly perverse and broken - the more so 
that the perpetrators are presenting this as blessed by the IETF 
standards process.

It strikes me that IETF should weigh in on this in a formal fashion - if 
only to make it very clear that IETF is not responsible for this 
debacle, and perhaps to exert some moral influence on the perpetrators 
to back off and help clean up the mess they've created.

On a broader scope - this sort of points out a really big hole in our 
consensus governance process - when one bad actor can inflict damage 
across the entire Internet, apparently, with impunity.

Miles Fidelman

In theory, there is no difference between theory and practice.
In practice, there is.   .... Yogi Berra