On Thu, Mar 26, 2015 at 11:22 PM, Stephen J. Turnbull <[email protected]> wrote:
> Murray's point is that "proof of illegitimacy" is probably a pipe
> dream, as shown by past experience with "policy frameworks".[1]
> Legitimacy, on the other hand, is fairly easy to prove, as DMARC shows
> in daily use by financial institutions and in other transactional mail
> flows.
>

Put another way, you only really know something when DMARC, DKIM, SPF, etc. produce a passing result. (Due credit to Dave for this observation.) All of them have false negatives with respect to anything that's not a direct mail flow, so "fail" results don't tell you anything conclusive if you plan to accept any sort of mail that isn't direct. What Hector characterizes as a watering down of SPF with the publication of RFC7208 was merely this fact put into text, even though it's been true since RFC4408.

> Footnotes:
> [1] Hector is right that they haven't really been tried, but I don't
> think the chance that they'll be tried in the future is high, because
> the reasons they've been hard to implement in the past remain true.
>

I agree. And although Hector likes to ascribe considerable power and influence to me, I'm not the one standing in the way of their success. I would happily embrace any such solution that stood a chance of working. I, and others, simply ask some basic questions about scalability of such solutions, their complexity, and their ability to be "gamed", and then they never go anywhere because there simply aren't any good answers to those questions.

Thinking I might be wrong, and since the same people insist I am, I published RFC6541 (ATPS) as an experimental draft to try to tackle the third-party problem, and made a free version of it available via open source. That was over three years ago. There has been exactly one site (one person, rather) that tried it besides me and reported back about its effectiveness.

Though Doug will shortly claim that ATPS saw no uptake because it is "flawed", I also had a grand total of zero operators report that they were using it in any modified form or asking me to add this or that to it before they would deploy it to production. It wasn't just an idea, it was a reality, but nobody came to play.

Policy and third-party solutions haven't failed because of some cabal keeping them from seeing the light of day, unless by "cabal" you mean "group of people who agree that this won't work." These are hard problems, and the last thing any of us should want to do is foist yet another blob onto the global email infrastructure that has not been properly vetted. If an idea doesn't stand up to scrutiny or gets no uptake, or can't even get consensus in a small working group, what prayer does it have for success on the greater Internet? I want to make things better, not worse. There are those among you that disagree, I know.

Does anyone have actual data (not theory, not passion, but data) that any of the policy or third-party solutions we've discussed before can work, work just about everywhere, and work at scale? If the answer to that is "no" (or, as usual, silence), then I suggest this (still!) isn't a productive use of our precious time or energy.

-MSK
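The asymmetry Murray describes (a pass establishes something, a fail on an indirect flow establishes nothing) can be made concrete by evaluating Authentication-Results headers. The following Python is an added illustration, not code from the post or from any of the projects it mentions; the header values are constructed, and the `indirect` flag is assumed to come from the receiver's own knowledge of the path (for example, a known mailing-list relay).

```python
import re

# Constructed Authentication-Results values in the RFC 8601 layout (not taken
# from the post). DIRECT is a transactional message delivered straight from the
# sender; VIA_LIST is the same kind of message after a mailing list rewrote the
# body (breaking the DKIM signature) and used its own envelope sender.
DIRECT = ("mx.example.net; spf=pass smtp.mailfrom=bank.example; "
          "dkim=pass header.d=bank.example; dmarc=pass header.from=bank.example")
VIA_LIST = ("mx.example.net; spf=fail smtp.mailfrom=bank.example; "
            "dkim=fail header.d=bank.example; dmarc=fail header.from=bank.example")

STANZA = re.compile(r"^(?P<method>[a-z0-9-]+)=(?P<result>[a-z]+)(?P<props>.*)$")


def parse_auth_results(value):
    """Split an Authentication-Results value into {method: (result, props)}."""
    stanzas = [s.strip() for s in value.split(";")]
    parsed = {}
    for stanza in stanzas[1:]:          # stanzas[0] is the authserv-id
        m = STANZA.match(stanza)
        if not m:
            continue
        props = dict(re.findall(r"([\w.]+)=(\S+)", m.group("props")))
        parsed[m.group("method")] = (m.group("result"), props)
    return parsed


def established_facts(results):
    """Only passing results assert anything; list what each pass establishes."""
    facts = []
    for method, (result, props) in results.items():
        if result != "pass":
            continue                    # fail/none/temperror: no positive claim
        if method == "dkim":
            facts.append("signed by " + props.get("header.d", "?"))
        elif method == "spf":
            facts.append("sent via a host authorized by " + props.get("smtp.mailfrom", "?"))
        elif method == "dmarc":
            facts.append("authenticated as " + props.get("header.from", "?"))
    return facts


def disposition(results, indirect):
    """pass -> 'authenticated'; a fail on an indirect flow is only 'inconclusive'."""
    if results.get("dmarc", ("none", {}))[0] == "pass":
        return "authenticated"
    return "inconclusive" if indirect else "unauthenticated"
```

Running `disposition(parse_auth_results(VIA_LIST), indirect=True)` yields `inconclusive`, while the same header on a flow known to be direct yields `unauthenticated`; only the passing DIRECT header produces positive facts.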
_______________________________________________ dmarc mailing list [email protected] https://www.ietf.org/mailman/listinfo/dmarc
