Richard Damon writes:

> On 5/25/14, 11:30 AM, Mark Rousell wrote:
> > Whilst Yahoo and AOL are the ones who have chosen to
> > use/misuse/abuse DMARC in this way, it could also be said that
> > DMARC (and all its backers in its current form) are to blame
> > precisely because DMARC *allows* Yahoo's/AOL's behaviour.

The "p=reject" policy option is useful, perhaps necessary, to prevent phishing at financial institutions. My bank (Tokyo-Mitsubishi-UFJ) is in a total panic, to the point where they are running a major television campaign (multiple channels, hitting all the major demographics) displaying a typical MUA (Outlook, of course) showing a typical phishing message and putting a big red X over the password input field.

> > If the standard has been properly finished and properly thought
> > through from all angles then ways could surely have been found to
> > allow it to be used without harming existing, standards-compliant
> > behaviour.

DMARC's purely informational protocols have been in use successfully for years, and nobody ever noticed. Some banks have been using "p=reject" for quite a long time (more than a year), and nobody ever noticed.

> > The consortium behind DMARC simply weren't willing to wait or
> > play along.

I don't think the evidence supports that belief. The design of the protocol has been very careful, with multiple ways to mitigate the kind of effects we saw in April. Yahoo! and AOL simply don't care who gets hurt as long as they can present it to their own users as a necessary measure to combat spam (and other mail abuse).

> My understanding is that DMARC WAS going through the standardization
> process, and actually was to the state where experimental use was
> justified (and in some sense actually required). The problem that
> happened is that Yahoo jumped into the limited clinical trial and
> experimented with millions before we had a chance to find out the side
> effects of the medicine.

According to one of the editors of the Internet Draft (message to a closed list), use by ESPs of "p=reject" was never envisioned by the working group, and he believed (until it actually happened) that Yahoo! and AOL knew that because they have active representatives in the group.

I'm not sure I really believe that, since one of the DMARC proponents on Mailman channels clearly believes that any problems are the fault of misconfigured lists, and one of the editors of the DMARC Internet Draft has a Yahoo! affiliation listed.

> I suppose that the community's response should have been to just kick
> off all Yahoo (and later AOL) users from mailing lists (as that is really
> one meaning of the DMARC setting announced), but the community had too
> much compassion for the "innocent" users

In many cases, there's no "compassion" involved, just a hard-headed business calculation about whether the list can afford to offend the paying customers. In any case, it's pretty clear that

> a lot of innocent users ... really don't want to go through the
> hassle of changing email providers, and are more apt to just drop
> off mailing lists.

which both AOL and Yahoo! would find convenient for their own business models. (I don't think that's their aim, I just don't think they'll shed any tears as long as their spin control is successful.) So I certainly don't recommend it if you don't have substantial and unshakably legitimate influence over your subscribers. *I* can and do play hardball, and (as mentioned in a previous post) the fiasco at yahoo.com triggered a reaction in the Japanese research and education communities (including an official advisory from the Ministry of Education, Culture, Science and Technology), so that students and to some extent faculty and researchers have switched to GMail en masse -- entirely unnecessary since yahoo.co.jp doesn't seem to publish a DMARC policy at all! But my situation is very unusual.
Steve

------------------------------------------------------
Mailman-Users mailing list
Mailman-Users@python.org
https://mail.python.org/mailman/listinfo/mailman-users
Mailman FAQ: http://wiki.list.org/x/AgA3
Security Policy: http://wiki.list.org/x/QIA9
Searchable Archives: http://www.mail-archive.com/mailman-users%40python.org/
Unsubscribe: https://mail.python.org/mailman/options/mailman-users/archive%40jab.org
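The list-side check the thread above turns on, written as an added example (not Mailman's own code and not from the post): parse the DMARC TXT record for a poster's From: domain, resolve the effective policy (including the subdomain fallback), and decide whether a list that alters messages must rewrite From: before redistributing. The `_dmarc` lookup table, its record values and the two-label organizational-domain shortcut are assumptions constructed inline.

```python
# Added example: not Mailman's code.  DNS answers are constructed inline
# instead of being looked up, so this runs offline.
DMARC_TXT = {  # constructed stand-in for TXT records at _dmarc.<domain>
    "_dmarc.yahoo.com": "v=DMARC1; p=reject; pct=100; rua=mailto:rua@example.invalid",
    "_dmarc.example.net": "v=DMARC1; p=none; sp=quarantine",
    "_dmarc.bank.example": "v=DMARC1;p=reject",
    # no "_dmarc.yahoo.co.jp" entry: the post notes it publishes no policy
}

def parse_dmarc(txt):
    """Split a TXT record into tag/value pairs; None if it is not a DMARC record."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v", "").upper() != "DMARC1" or "p" not in tags:
        return None
    return tags

def org_domain(domain):
    """Assumption: the organizational domain is the last two labels.  Real code
    must consult the public suffix list, or yahoo.co.jp collapses to co.jp."""
    return ".".join(domain.split(".")[-2:])

def effective_policy(domain, dns=DMARC_TXT):
    """Policy (none/quarantine/reject) applying to mail From: this domain."""
    tags = parse_dmarc(dns.get("_dmarc." + domain, ""))
    if tags:
        return tags["p"].lower()
    org = org_domain(domain)
    if org == domain:
        return "none"           # no record at all: DMARC does not apply
    tags = parse_dmarc(dns.get("_dmarc." + org, ""))
    if not tags:
        return "none"
    return tags.get("sp", tags["p"]).lower()  # sp= governs subdomains, else p=

def list_action(from_addr):
    """What a list that modifies posts should do before redistributing them."""
    domain = from_addr.rsplit("@", 1)[1].lower()
    if effective_policy(domain) in ("reject", "quarantine"):
        return "munge-from"     # rewrite From: to the list, else receivers drop it
    return "pass-through"
```

With the constructed table, a post from yahoo.com gets its From: rewritten while one from yahoo.co.jp passes unchanged, which is the distinction the post draws.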