On Fri, Mar 31, 2023 at 3:05 PM Murray S. Kucherawy <superu...@gmail.com> wrote:
> On Thu, Mar 30, 2023 at 8:34 PM Douglas Foster <
> dougfoster.emailstanda...@gmail.com> wrote:
>
>> The world has changed. Insecure mailing lists did not matter in the
>> days before email became a weapon.
>
> A comparison was made to the global deployment of HTTPS to replace HTTP.
> There have been other examples in my career, like replacing rsh and telnet
> with ssh. In those instances as well, the world had changed. There
> appears to be a claim that DMARC is another instance of the same kind of
> evolution and it ought to be embraced.
>
> The problem, I believe, is that there is not clear consensus that the
> community wants this, because the benefits are not strictly incremental.
> When you change the URI scheme you're using from "http" to "https", there's
> some complexity introduced in the implementations, but your experience as a
> consumer is largely the same yet is secured against snooping or tampering
> in transit. It's a clear win.

Absolutely a false assertion. When browser providers decided to stop supporting HTTP and only support HTTPS, there were websites not reachable that people wanted to reach. That is the very definition of broken interoperability. Websites that wanted to be reached (which hadn't already switched) needed to switch to HTTPS in order to remain reachable.

> The same is true of moving to ssh.

Not exactly true. I'm presuming you are indirectly referring to telnet. Surprisingly, even today it is possible to find servers that accept telnet connections. The two parties can choose the connection protocol to use.

> But when you deploy DMARC and force lists to change the way they work, the
> experience is altered in a way users perceive as a degradation. We're
> taking something significant away, and the benefit is not perceived to be
> worthwhile.

It may or may not be true for any given situation. You are assuming facts not in evidence. There are end users who do not subscribe to email lists. My wife is one such person. If users overall were truly upset as you indicated, we would have expected users to flee en masse from the large free webmail providers after they switched to p=reject. And yet they are still around providing email services to millions and millions of users.

I guess the point that I'm trying to make is that reality is nowhere near as neat and simple as some might make things out to be.

I would support SHOULD NOT but I think MUST NOT is a bridge too far. It falls into the category of King Canute commanding the waters to retreat. Publishing a standard (MUST NOT) which you know <some/many> will ignore reduces the credibility of a standards organization which does so. SHOULD NOT with an admonishment and explanation as to potential consequences makes more sense to me.

Michael Hammer
_______________________________________________
dmarc mailing list
dmarc@ietf.org
https://www.ietf.org/mailman/listinfo/dmarc