On May 28, 2014, at 1:13 PM, Tim Draegen <[email protected]> wrote:

> On May 28, 2014, at 12:37 PM, John Levine <[email protected]> wrote:
>>> It's not clear to me that gmail.com needs to tell another service to trust
>>> the OAR from a given third party, the choice to trust that service could
>>> easily be up to the receiving service.
>> 
>> Good point.  That's why I keep saying that one or a few shared
>> DMARC-bypass whitelists would work a lot better than anything
>> per-sender.  The set of senders where it makes sense to skip DMARC
>> checks for Yahoo or AOL or Gmail addresses are likely to be the same.
> 
> Doug,
> 
> I read through the spec, and it is clear a lot of work went into it.  I think 
> I echo Brandon and John's above opinions.
> 
> From my PoV, there exists an immense pile of work to get through before the 
> draft under discussion becomes a solution.  Aside from support, tooling, 
> getting senders to deploy accurately and getting receivers to perform 
> additional checks... what is missing is the justification for the additional 
> work.
> 
> DMARC is a tradeoff between keeping things as simple as possible (as 
> unnecessary complexity acts as a giant barrier to adoption), building on 
> existing technologies (as new code/libraries in the world of email means 
> tacking on additional calendar years), and solving a problem that hurts 
> enough to warrant doing anything at all.
> 
> I don't believe TPA-Label hits the mark between "solving a big hurt" and 
> "simple".  IOW, it's too complicated for the amount of pain it would resolve.
> Just my opinion, take care,

Dear Tim,

All that is needed is a few bandaids?

The motivation behind TPA-Label was to ensure both quick and efficient methods 
to offer necessary feedback to receivers.  DMARC already expects receivers to 
offer failure feedback to DMARC domains.  Unfortunately, once the DMARC domain 
has decided which third-parties need to be granted exceptions, there is no way 
to do so.   It seems dangerous to suggest this can be hard-coded in the form of 
informal lists indicating which DMARC domains should be ignored.

In the case of Yahoo, there is a real issue they are attempting to mitigate.  
It would be nice to have a solution able to deal with massively compromised 
user accounts, as ugly as that is.  This is an issue that is not going away any 
time soon.  The issue is much worse in China, for example.  Please don't decide 
being helpful in such situations is simply too hard.  Is it really better to 
create lists about which domains get ignored? It seems this quickly degrades 
DMARC's initial intent, which was to offer results receivers felt safe to act 
on.  Is this still a worthy goal?

Regards,
Douglas Otis

_______________________________________________
dmarc mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dmarc
