On 6/8/2014 1:26 AM, Al Iverson via dmarc-discuss wrote:
> On Sat, Jun 7, 2014 at 12:44 PM, Dave Crocker via dmarc-discuss
>> Keeping in mind that the mailing list scenario has always been
>> legitimate use,
>
> SMTP relay was a legitimate use case (or at least was very loudly
> claimed to be by those angry about relay blocking).

Sorry, no. Use by unauthorized users is not a legitimate use case.

Again, closing relays carried an entirely adequate alternative via port 587 for authorized users. No such equivalence is available when DMARC breaks mailing list use.

>> the concern is that we may be left with a long-term
>> barrier to that use, with no attendant long-term benefit.
>
> I think there's a good chance that the barrier melts away in the long
> term. Specifically, the mailing list usage barrier. Mailman, Yahoo
> Groups, Google Groups, and various commercial providers have already
> implemented changes to that end. I feel like a lot of the barrier has
> melted away already.

You seem to be confusing "work-around" with "equivalent function".

What we have is increasing use of work-arounds that defeat DMARC and train the community to accept mail that employs the work-around. As such it eliminates long-term benefits of DMARC.

The problems with the work-arounds resolve to: Mail 'from' a mailing list now formally has a different author than it used to. All mail is from a single 'author'. This significantly alters the way mailing list mail, versus 'direct' mail, is processed by MUAs and seen by users.

>> The fact that there is short-term benefit is not the issue; it is that
>> the benefit might not sustain.
>
> If I can keep my domain out of the from address of bad mail forever,
> that's a long term benefit to me. How does that not sustain?

An assertion like that focuses on a syntactic point, rather than a semantic one. I'll bet you don't actually care about the From address content, on its own, but that you really care about receivers thinking that mail is from you when it isn't. I know I do. That's the real and higher-level concern. And that's the goal that isn't being served here, in terms of long-term benefit, given the effect of the work-arounds.

> The issue of lookalike domains was mentioned. This is an extant
> badness vector. It gets addressed through multiple means, as it has
> previously. It pops up, it gets a bad reputation, it gets blocked.
> Domain rep, IP rep, content rep, can and will all still apply.

When used in the narrow scenario of mail that is legitimately subjected to tight content and operations controls, DMARC works quite well.

There are many ways to defeat DMARC's efficacy, when the mechanism is used more broadly. The aggregate effect is to marginalize the actual benefits of the mechanism.

> To that end, I think anybody who's going to say "there's no long term
> benefit" really should only say that when including a more detailed
> statement of "why" that would be, because honestly, obviously, DMARC
> proponents don't necessarily start from that point of view and I'm
> sure I'm not the only one who would need more information to better
> understand the concerns.

You believe that there haven't been explanations for the 'why' provided???

d/
--
Dave Crocker
Brandenburg InternetWorking
bbiw.net
