Re: DMARC and yahoo

[ned+ietf@mauve.mrochek.com]

John Klensin writes:

> --On Monday, 21 April, 2014 08:26 +1200 Brian E Carpenter
> <brian.e.carpenter@gmail.com> wrote:

> >> IMO, this is quite elegant.  The Yahoo users continue to get
> >> the messages, you don't get cluttered by rejection-related
> >> complaints, and those Yahoo users who don't like the digest
> >> form can take it up with Yahoo or find other accounts to use.
> >
> > Unfortunately they can switch themselves back to normal mode
> > too. Digest mode is user-settable, and is very annoying because
> > it munges the Subject header. What's really needed is a
> > DMARC-safe mode (per subscriber) that optionally rewrites the
> > From.

As others have pointed out, the only way digest mode solves the problem at hand
is if you force it on every message *from* a domain with a p=reject
policy regardless of recipient.

> Brian, I think there are several ways to look at this and that
> there are some largely separable issues.  One of them, perhaps
> unreasonable and perhaps not, is that DMARC was developed by a
> collection of organizations who have a shared vision of how
> email should work, what is important, and what isn't.  Yahoo is
> a supporter/participant in that group, as are several people
> with sufficient IETF history and leadership roles to be
> knowledgeable about how to facilitate getting a document through
> the system.

> I think that raises some issues for the IETF and RFC Editor
> about how specifications developed entirely in other bodies --
> traditionally, a category known as "specifications developed
> elsewhere and republished for the convenience of the Internet
> community" -- should be handled.   While it no longer applies in
> the DMARC case, there are also some issues associated with
> moving stable specifications developed elsewhere through the
> IETF Standards Track (whether one calls that "fast track",
> "rubber stamp", or something more complementary).   Pete has
> mentioned that the IETF is looking at some of the issues
> involved; I hope the ISE, and RFC Editor Function more
> generally, are too.

Good point.

> As far as the mailman hack is concerned, I think there are two
> different relevant audiences/ affected communities:

> (i) Receivers who happen to have addresses associated with DMARC
> supporters, such as Yahoo, that have adopted a
> highly-restrictive policy.  Forcing them into Digest mode, and
> warning them that, if they turn it off, they are unlikely to
> receive any more list mail and will likely be dropped from the
> list seems to be to be appropriate.  It was with that audience
> in mind that I claimed that Jeffrey's action was elegant.  I
> still think so, YMMD.

It's not receivers who have implemented restrictive policies, it's any
receiver who implements DMARC and follows its recommendations for
other domains that implement such policies.

Good luck on determining who those are. As such, enabling conventional
digest mode for some subset of recipients doesn't solve anything.

> (ii) Senders who have chosen to send messages from mail
> providers who have adopted restrictive, DMARC-based, policies.
> From my point of view, those providers have made a decision that
> they aren't interested in having their mail users post messages
> to mailing lists.  If a mail providers wants to effectively
> restrict the types of mail their users can send, I think we have
> to defend their right to do that.

That really depends on whether or not they make that policy clear to people
signing up for their service. Has Yahoo done this?

> It is also reasonable to hope
> that users who think those services are useful will go elsewhere
> and for mailing list managers to protect themselves by denying
> posting privileges to such users or remove them from lists.

That's assuming they understand what's causing the issue and have the technical
acumen to make an account switch.

> I think it would be a great deal more ethical and professional if
> those providers took responsibility for that decision with an
> explicit announcement to their users, but that is really not an
> IETF problem.

It becomes one when they can point to an IETF document and say, "Nothing in
here comes right now and says what we're doing is wrong."

> As to your "DMARC-safe mode", I'm inclined to assume that Yahoo
> knew exactly what would happen if they made this move.

I'm not. There are far too many examples of organizations engaging in
groupthink and proceeeding down what turns out to be a distasterous path that
winds up costing them major $$$. (Watch "Waterworld" some time.)

Mind you, I'm not saying that this is what has happened at Yahoo. Rather, I'm
saying that absent convincing evidence to the contrary - and the one PR
statement I'm familiar with doesn't even come close to meeting that burden - we
should not make such assumptions.

I also note that other domains that operate in what I'll call "mixed use" (that
is, they're used to send out both personal and business transactional mail,
each of which call for a different DMARC profile) have addressed this issue
through the use of subdomains. For example, Paypal seems to use paypal.com
(with a p=reject DMARC record) for business transaction messages and
e.paypal.com (DKIM but no DMARC record) for everything else. ("e" for email?)

Of course implementing such a scheme on top of existing mixed use allocations
is unpalatable, to say the least. (Unless you were to begin preparing back when
the issues with mixed use domains became clear.) Or it may be that e.yahoo.com
is too close to yahoo.com (but yahoo.e.com presumably is not). Whatever. My
point is that there other alternatives to a blanket p=reject policy choice.

> To believe otherwise raises significant questions about the quality
> of development and review of the DMARC spec and hence whether
> the IETF or ISE should publish it in any form, at least in the
> absence of a rebuttal or public review and commentary.

I'm afraid I interpret several comments made on this list as asking - and some
answering - those questions already.

But the real question is how do we proceed. If publication of DMARC proceeds
as-is I think a "DMARC Considered Harmful" document is the least unpalatable
outcome. Beyond that things get very ugly indeed.

> The belief that it was intentional is also reinforced by the
> observation that this problem has now been known for quite a
> while (in Internet time) and Yahoo has not chosen to modify
> their preferences to some other option.  Given that, I think we
> should be very cautious about recommending a technique to
> subvert their intentions: such actions have too much history of
> leading to counter-actions that have even worse effects.

Sorry, I'm afraid I disagree. In fact I think it's exactly the opposite.
At a minimum we need to:

(0) Document that the choice of a p=reject is inapproriate for anything
    but a domain devoted to business transaction email and fully describe the
    consequences of using such a policy on other sorts of domains.
(1) Document alternatives to labeling your mixed mode domain with p=reject.
(2) Describe the various mitigation strategies - and their consequences - for
    agents dealing with poor DMARC policy choices, including but not limited to
    advice to MLMs.

And let's keep in mind that this is far more than a simple game of tit-for-tat.
For one thing, DMARC is utterly dependent not only on the willingness of
senders to set up policies, but also on receivers to enforce those policies.
That alone places huge constraints on what is possible.

And for another, by abdicating our responsibilities to do (2), we not only lose
the opportunity to help MLMs choose the best option for their situation, we
also lose the opporunity to explain the consequences of poor choices on their
part. 

				Ned