> It is Yahoo (and AOL's problem)

I understand the frustration people feel with respect to this. Yahoo and AOL 
had problems with users getting spoofed, so they made a change which helped 
them but caused others to experience disruption even though they were doing 
everything right.

But I think we need to move beyond the idea that this is someone else's 
problem. As people who all participate in this list, we all have, at a minimum, 
interest in seeing email authenticate and a reduction in phishing. Furthermore, 
as an industry, we have a lot of Best Practices for good behavior but little to 
no penalties for not following them.

Thus, because of the fragmented nature of email security, I would argue that 
this is an inevitable outcome of the way things are (were), and that we all 
have a collective interest in solving it. This makes it a common problem, not 
one localized to AOL or Yahoo. After all, wouldn't it be great if even users 
with normal mailboxes at ISPs could align with DMARC p=reject *and* 
simultaneously participate in mailing lists?

There's work to do, so let's figure out a way to solve it.

--Terry
________________________________________
From: dmarc-discuss <[email protected]> on behalf of Larry Finch 
<[email protected]>
Sent: Friday, May 02, 2014 5:16:40 PM
To: [email protected]
Subject: Re: [dmarc-discuss] DMARC woes - forwarding signed / encrypted e-mail

On May 2, 2014, at 6:28 PM, Terry Zink <[email protected]> wrote:

>
> Given that large email providers like Yahoo and AOL do publish p=reject 
> records, how is the rest of the email community going to deal with mailing lists 
> and other legitimate cases that fail DMARC? It's not enough to say "Yahoo and 
> AOL shouldn't be doing it." That ship has sailed. The question now is what 
> can we do to improve user experience? Several answers have been proposed:
>
> 1. Do nothing and let domains that publish p=reject live with the consequences
> 2. Don't permit domains with p=reject onto mailing lists
> 3. Mailing lists should reformat the message to prevent DMARC failures
> 4. Email receivers should be selective about how they enforce p=reject - send 
> it to Junk or even skip enforcing it from known good emailing lists
> 5. Extend DMARC so that it supports mailing lists
> 6. Something else?
>
> These each have their pros and cons but it seems to me that working to 
> support p=reject with mailing lists is a net benefit to everyone.
>

I find 3 totally unacceptable. It is Yahoo (and AOL)’s problem. They have 
pushed the expense and time of solving the phishing problem THEY created off 
onto ME as a listserv site manager. Other ISPs (even free ones) do not have a 
phishing problem. I’ve never gotten a phishing email from a gmail account. So 
there ARE solutions to the problem that do not break 30,000 list servers (using 
Yahoo’s numbers - I believe it is much higher).

The cost is not inconsiderable. We have a stable listserv license, but have 
dropped maintenance. L-Soft HAS a fix of sorts, munging the FROM field, but it 
is only available for those on maintenance and those who upgrade to the current 
version. We operate a co-op server supporting not-for-profit organizations. Our 
annual operating budget is under $1,000. To upgrade to the latest version of 
listserv would cost us $10,000.

The alternative is to switch to mailman, once it has a viable solution (there 
are a few proposed solutions, none perfect, and none out of beta). This would 
require weeks of work by our volunteer staff to migrate and test all of our 
lists. Yahoo isn’t going to pay our costs to upgrade listserv, and isn’t going 
to pay for our volunteers’ time.

Our current solution is to move all Yahoo and AOL list members to Moderated. 
When they post we ask them to switch to another ISP. Temporarily we will 
manually repost their messages. So essentially we have chosen 2. 4 would be 
appropriate; it is what Gmail, Verizon and a few others do. 5 would be ideal. 
The real problem is that too many ISPs do take p=reject as gospel: AT&T, 
SBCGlobal, Comcast, Hotmail, Rogers, AOL, Yahoo and any that piggy-back on 
these.

best regards,
Larry
Site manager, HMSSurprise.org/portadmiral.org

--
Larry Finch
[email protected]




_______________________________________________
dmarc-discuss mailing list
[email protected]
http://www.dmarc.org/mailman/listinfo/dmarc-discuss

NOTE: Participating in this list means you agree to the DMARC Note Well terms 
(http://www.dmarc.org/note_well.html)
