Re: [Mailman-Developers] Two more DMARC mitigations
Jim Popovitch writes:

> > Do you have specific complaints?
>
> Yes. Unless it's not already understood... the original idea behind DMARC centered around non-human transactional emails (Banking notifications, Facebook status updates, etc.).

This was understood, and is why I call what Yahoo! and AOL are doing "abuse".

But what is wrong with the spec itself, besides the potential for abuse?

> Elizabeth got involved and the spec was morphed (I say bastardized)

What changed that you object to?

I'm not just nagging, I really want to know. I've been over the spec a couple of times, in a fair amount of detail, and I don't see it. But if there are specific aspects to it that are broken when used as designed, I (and John) may have some input into getting it changed.
Murray Kucherawy (the other author of the current Internet-Draft) and Dave Crocker (who's authored more RFCs than the average bear) seem far more on our side than on Yahoo!'s, and there are a couple of other people who have posted intelligent comments (and of course, the usual complement of Net.Kooks without which no standardization effort is complete). Even Elizabeth seems quite reasonable, modulo her job description.
John and I are somewhat more likely to have input into auxiliary protocols (such as the DKIM-Delegate protocol that John mentioned) which might make Yahoo!'s use of "p=reject" somewhat more palatable.
Steve
On Fri, Jun 13, 2014 at 12:39 AM, Stephen J. Turnbull <stephen@xemacs.org> wrote:
> Jim Popovitch writes:
>
> > > Do you have specific complaints?
> >
> > Yes. Unless it's not already understood... the original idea behind DMARC centered around non-human transactional emails (Banking notifications, Facebook status updates, etc.).
>
> This was understood, and is why I call what Yahoo! and AOL are doing "abuse".
>
> But what is wrong with the spec itself, besides the potential for abuse?
>
> > Elizabeth got involved and the spec was morphed (I say bastardized)
>
> What changed that you object to?

One of the original __High-Level Goals__ was:

    DMARC is intended to reduce the success of attackers sending mail pretending to be from a domain they do not control, with minimal changes to existing mail handling at both senders and receivers. It is particularly intended to protect transactional email, as opposed to mail between individuals.

If you go here: https://datatracker.ietf.org/doc/draft-kucherawy-dmarc-base/ you can see the early versions of the spec (under "History") contained the word "transactional".

Also notice that the "diff from previous" comparisons, esp. between rev02 and rev01, seem to be missing several instances of the word "transactional" (i.e. if the word was removed it should still be visible on the left-hand side of the diff).

-Jim P.
Participants (2): Jim Popovitch, Stephen J. Turnbull