On 4/25/2014 2:16 AM, Vlatko Salaj wrote:
> On Thursday, April 24, 2014 8:20 PM, Hector Santos <[email protected]> wrote:
> > Take a look at the 2006 DSAP I-D proposed author domain policy
> > protocol which provided tags to cover the complete 1st vs 3rd party
> > boundary conditions for DKIM signing practices:
> Seems reasonable.
> But, believe me, there's no need to persuade me that we need 3rd party
> alignment support in DMARC. I don't really care about how it's done...
> if it works fine and serves a purpose, great.
Same here.
> However, it seems we will have a terrible time persuading some
> people here. They seem content with breaking email for the sake of
> "providing security".
It's a different view to consider it that way. Others will suggest, as
I do, that this is a by-design feature. But the problem is that we
failed to provide the flexible options to be backward compatible in
some way. Yahoo could have easily solved this by:
1) First use p=quarantine
2) Then use a user UI option to "confirm" with the user if the
signer is ok,
thus "learn" from its user base what should be "whitelisted."
It's not like they lack the Mail Business data Intelligence (MBI).
They always had the info from previous imported list messages that the
domain and list-id was acceptable by the user and not marked as spam.
In fact, we have this feature in our ANTI-SPAM system:
If the user writes to a person, that person now becomes
auto-whitelisted.
Trust me, this was a MAJOR SUPPORT g-dsend! Resolved all sorts of
first time blocking issues with customer support over a phone call,
"hey, let me send you a permission list. Use this address to reply back."
But from a purity standpoint, the policy needs to be honored first,
otherwise, all we have done is create even more loopholes to be exploited.
> PS. I do love how these big ESPs think that today's 90% of their email
> stream passing DMARC, comprising mostly fb notifications people don't really
> care about or read, is enough of a reason to break the rest of the email stream,
> which people actually care about, read and expect delivered without an issue.
It's all hype. They don't represent or have a clue about the MBI going on
with all the millions of email domain private mail operations combined
-- WORLD WIDE. It's all marketing bull.
But what is a fact is that if you are an aged domain, most likely it
is very spam polluted. So I agree with their strategy to finally begin
to clean the domain and enhance its security value. No doubt, in my
mind, this is a major plus for all aged, spam polluted domains,
including our own.
The highest benefit in the SPF or DKIM author domain protocols comes
from SELF-REGULATING your own domains, in other words, when mail comes
into your own SMTP system purporting to be coming from your own
network of domains, you have the #1 highest spoof protection possible.
After first protecting your own domains (which is what Yahoo is
doing), you can decide if you also want to protect other REMOTE
DOMAINS coming into your systems.
Do you do it as a favor? Or do you do it to protect your system and/or
your users?
It was the latter consideration that became a major overhead and
redundancy in attempting to check all domains coming in. It was
considered to be a short term concern. Over the long term, the hope
was the efficacy/efficiency/payoff would be improved as more and more
domains published policies. I have to check where we are with this,
i.e. how many of your incoming client transactions have SPF and/or
DKIM records, but no doubt, it has become significant. See our 11
years of ANTI-SPAM rejection history and statistics that show how SPF
was near 0% and is now a mere 1.8% (as of April, 2014). But I
remember it took quite a few years to get even that high:
http://www.winserver.com/SpamStats
I stopped at DMARC because I got sick of the IETF baloney with ADSP,
but I explored all the ideas:
Even if 100% of the domains published policies, it was always my
concern that it would be a major waste if most policies were relaxed,
i.e. the policy does not say to reject/discard.
So in my opinion, any SPF policy with a relaxed neutral was a BIG
WASTE OF LOOKUP and processing time. Same with DKIM relaxed signing
practices.
So how do you handle this huge waste?
Again, you have to accept the hard failures along with the soft and relaxed
failures, and with the hard ones, you honor them, otherwise you have just made it
worse, as with a relaxed result.
This was where heuristic designs can play a role, using a
combined set of non-deterministic, in-between-false-and-true, "fuzzy"
logic, or even combining it with user input to get some payoff from it.
But to constantly process a RELAXED SPF, ADSP or even now DMARC
policy is a huge waste and major overhead. That said, I think we did
accept these higher overhead modes of operations. I guess people like
what DMARC offers with REPORTING, but eventually even reporting
becomes a redundant and wasteful operation.
--
HLS
_______________________________________________
dmarc mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dmarc
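The following is an added example, not code from any participant in the thread and not Yahoo's or any other provider's implementation. It shows the mechanics the reply argues about: DMARC identifier alignment (relaxed vs strict), the requested disposition (p=, or sp= for subdomains), why a mailing list's own DKIM signature and SPF pass do not align with the author domain, and the "learned exception" Hector proposes, where a user's prior correspondence or an accepted List-Id can override p=quarantine while p=reject is still honored and p=none changes nothing. The public-suffix table, DMARC record strings, message headers and per-user knowledge are all constructed sample data (assumptions); a real receiver would use the Public Suffix List and DNS lookups.

```python
"""DMARC alignment, disposition and a learned per-user exception.

Added illustration for the thread above; not code from any list participant
or mail provider.  PUBLIC_SUFFIXES, the record strings, the messages and the
UserKnowledge samples are constructed (assumptions), not real data.
"""
from dataclasses import dataclass, field
from typing import Optional

# Assumption: a tiny stand-in for the Public Suffix List.
PUBLIC_SUFFIXES = {"com", "org", "net", "co.uk"}


def org_domain(fqdn: str) -> str:
    """Organizational domain: one label below the public suffix."""
    labels = fqdn.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[max(i - 1, 0):])
    return ".".join(labels)


@dataclass
class DmarcPolicy:
    p: str = "none"           # disposition requested for the author domain
    sp: Optional[str] = None  # disposition for subdomains (defaults to p)
    adkim: str = "r"          # DKIM alignment: r = relaxed, s = strict
    aspf: str = "r"           # SPF alignment:  r = relaxed, s = strict


def parse_dmarc(txt: str) -> DmarcPolicy:
    """Parse a DMARC TXT record such as 'v=DMARC1; p=quarantine; adkim=s'."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            k, v = part.split("=", 1)
            tags[k.strip().lower()] = v.strip()
    if tags.get("v", "").upper() != "DMARC1" or "p" not in tags:
        raise ValueError("not a valid DMARC1 record (v= and p= are required)")
    sp = tags.get("sp")
    return DmarcPolicy(p=tags["p"].lower(), sp=sp.lower() if sp else None,
                       adkim=tags.get("adkim", "r").lower(),
                       aspf=tags.get("aspf", "r").lower())


def aligned(auth_domain: str, from_domain: str, mode: str) -> bool:
    """Strict alignment needs an exact match; relaxed needs the same
    organizational domain.  A 3rd-party signer fails both."""
    a, f = auth_domain.lower().rstrip("."), from_domain.lower().rstrip(".")
    return a == f if mode == "s" else org_domain(a) == org_domain(f)


def dmarc_disposition(policy: DmarcPolicy, record_domain: str, from_domain: str,
                      dkim_pass_domains, spf_pass_domain: Optional[str]) -> str:
    """'pass' if any authenticated identifier aligns with RFC5322.From,
    else the requested disposition (sp= applies to subdomains of record_domain)."""
    if any(aligned(d, from_domain, policy.adkim) for d in dkim_pass_domains):
        return "pass"
    if spf_pass_domain and aligned(spf_pass_domain, from_domain, policy.aspf):
        return "pass"
    if from_domain.lower() != record_domain.lower() and policy.sp:
        return policy.sp
    return policy.p


@dataclass
class UserKnowledge:
    """What the mailbox already knows (constructed): addresses the user has
    written to, and List-Ids whose mail the user accepted before."""
    correspondents: set = field(default_factory=set)
    list_ids: set = field(default_factory=set)


def deliver_decision(dmarc_txt: str, record_domain: str, msg: dict,
                     user: UserKnowledge) -> str:
    """Receiver decision: honor the policy, but allow the learned exception to
    override quarantine only.  reject is never overridden; p=none delivers."""
    policy = parse_dmarc(dmarc_txt)
    from_addr = msg["from"].lower()
    from_domain = from_addr.rsplit("@", 1)[1]
    disp = dmarc_disposition(policy, record_domain, from_domain,
                             msg.get("dkim_pass", []), msg.get("spf_pass"))
    if disp in ("pass", "none"):
        return "deliver"
    if disp == "reject":
        return "reject"
    if from_addr in user.correspondents or msg.get("list_id") in user.list_ids:
        return "deliver"  # learned exception: list/sender already accepted
    return "quarantine"


# Constructed sample: a mailing list re-sends a subscriber's post.  The list
# signs with its own domain and its own server passes SPF; neither aligns
# with the author domain example.com.
LIST_MSG = {"from": "alice@example.com", "list_id": "<dmarc.list.example.org>",
            "dkim_pass": ["list.example.org"], "spf_pass": "list.example.org"}
DIRECT_MSG = {"from": "alice@example.com", "dkim_pass": ["mail.example.com"],
              "spf_pass": "example.com"}
KNOWN = UserKnowledge(list_ids={"<dmarc.list.example.org>"})
UNKNOWN = UserKnowledge()

if __name__ == "__main__":
    for txt in ("v=DMARC1; p=none", "v=DMARC1; p=quarantine", "v=DMARC1; p=reject"):
        print(txt, "->", deliver_decision(txt, "example.com", LIST_MSG, KNOWN),
              "/", deliver_decision(txt, "example.com", LIST_MSG, UNKNOWN))
```

Running the block shows the point made in the reply: with p=none the lookup changes nothing for the list message, with p=quarantine the message is held unless the user has already accepted that List-Id, and with p=reject the list message is refused regardless of local knowledge. The direct message passes even under strict alignment because the SPF-authenticated domain exactly matches the From domain.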