It appears that Murray S. Kucherawy <[email protected]> said:
>On Wed, Oct 23, 2024 at 9:59 PM Steven M Jones <[email protected]> wrote:
>
>> The way I read Track 1 of the charter, the WG was to "reduc[e] or
>> eliminat[e]" effects on indirect mail flows, but it doesn't state that the
>> DMARCbis spec itself has to be what does it. And I don't see where in Track
>> 2, "Reviewing and improving the base DMARC spec," that it says DMARCbis
>> revisions themselves must remediate impacts on indirect mail flows.
>>
>
>I think it is (or would be) fine if we had some other document to advance
>that "reduces or eliminates" effects on indirect mail flows, but I don't
>think that's happened. Again, I'm happy to be corrected.
>
>You raised ARC, which is the obvious answer, but I also concur with your
>point that we've fallen short of actually proving anything by collecting
>and publishing efficacy results, despite me asking more than once.
You're right, we don't. Large mail systems tell me that they find ARC somewhat useful, but I don't expect it to get much more popular. Every recipient system needs to have an idea of whose ARC signatures they trust, and to do a fairly complicated analysis of the headers, and that scales poorly.

The best we've come up with is to tell people that if your mail goes through indirect paths, don't use a DMARC policy. This is a tradeoff: we think the loss of interoperability is worth the increase in phishing that gets through. We also have a strong minority position that goes the other way: publish a policy because the gain in phish resistance is worth the loss of interop. I don't agree with this, but it's not unreasonable.

While we in the IETF are acutely aware of the mailing list issues, we are very atypical. People at large mail systems tell me that about 1% of their mail is affected by the list issues. The people who get that mail really want it, but the vast majority of mail users have no idea what a mailing list is, and if someone said he's willing to make that tradeoff and lose the list users, I don't have a strong argument that he's wrong.

Here in the IETF we make tradeoffs between security and interoperability all the time. An obvious example is DNSSEC. While it definitely makes the DNS more secure, I can tell you from personal experience that DNSSEC is fragile and hard to manage, and sometimes it fails and my DNS zones disappear until I fix it. I think the tradeoff is worth it, but when you look at how few people use DNSSEC, including large systems like Google, I'm in the minority.

So it seems quite odd that for DMARC the IESG demands perfect interop, even though we have a long history of looking at the interop/security tradeoffs of the things we design and letting people decide.

Finally, we haven't given up trying to make the interop better. I think that DKIM2 has learned from the reasons ARC failed and is likely to succeed, but not for a while.
R's,
John
_______________________________________________
dmarc mailing list -- [email protected]
To unsubscribe send an email to [email protected]
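The point John makes about ARC, that every recipient has to maintain its own list of trusted sealers and then walk the ARC header set before it can let a chain override a failing DMARC check, is easier to see in code. The following is an added example, not code from this thread or from any DMARC/ARC implementation. It uses the ARC header fields defined in RFC 8617 (ARC-Seal, ARC-Message-Signature, ARC-Authentication-Results, with the `i=` instance and `cv=` chain-validation tags), but the sample headers, the domain names `sender.example`, `lists.example.org` and `fwd.example.net`, the trusted-sealer set, and the `seal_crypto_ok` dictionary (a stand-in for the signature verification that a real validator would perform) are all constructed for illustration.

```python
"""Trust-policy layer of an ARC evaluation, as a receiver would run it
before letting an ARC chain override a DMARC failure.

Added example (not from the dmarc list thread). Cryptographic verification
of the seals and message signatures is assumed to have happened already;
its outcome is passed in as `seal_crypto_ok` (instance -> bool).
"""

MAX_INSTANCES = 50  # RFC 8617 limits a chain to 50 instances

# Constructed sample: sender.example DKIM-signed the message, a mailing
# list (lists.example.org) rewrote it and sealed as i=1, then a forwarder
# (fwd.example.net) sealed as i=2.  Signature values are placeholders.
SAMPLE_HEADERS = [
    ("ARC-Seal", "i=2; a=rsa-sha256; t=1729800000; cv=pass; d=fwd.example.net; s=arc; b=SEAL2"),
    ("ARC-Message-Signature", "i=2; a=rsa-sha256; c=relaxed/relaxed; d=fwd.example.net; s=arc; h=from:to:subject; bh=BH2; b=AMS2"),
    ("ARC-Authentication-Results", "i=2; fwd.example.net; arc=pass; dkim=pass header.d=lists.example.org; spf=pass smtp.mailfrom=lists.example.org"),
    ("ARC-Seal", "i=1; a=rsa-sha256; t=1729790000; cv=none; d=lists.example.org; s=arc; b=SEAL1"),
    ("ARC-Message-Signature", "i=1; a=rsa-sha256; c=relaxed/relaxed; d=lists.example.org; s=arc; h=from:to:subject; bh=BH1; b=AMS1"),
    ("ARC-Authentication-Results", "i=1; lists.example.org; dkim=pass header.d=sender.example; spf=pass smtp.mailfrom=sender.example; dmarc=pass header.from=sender.example"),
    ("From", "Alice <alice@sender.example>"),
]


def parse_tags(value):
    """Parse a 'tag=value; tag=value' field (ARC-Seal, ARC-Message-Signature)."""
    tags = {}
    for part in value.split(";"):
        part = part.strip()
        if part:
            k, _, v = part.partition("=")
            tags[k.strip()] = v.strip()
    return tags


def parse_aar(value):
    """Parse ARC-Authentication-Results into (instance, authserv-id, results).

    results is a list of (method, result, {prop: value}) tuples."""
    parts = [p.strip() for p in value.split(";") if p.strip()]
    instance = int(parts[0].partition("=")[2])
    authserv = parts[1]
    results = []
    for item in parts[2:]:
        tokens = item.split()
        method, _, result = tokens[0].partition("=")
        props = dict(t.partition("=")[::2] for t in tokens[1:])
        results.append((method, result, props))
    return instance, authserv, results


def build_chain(headers):
    """Group the ARC header set by instance number: {i: {'AS','AMS','AAR'}}."""
    chain = {}
    for name, value in headers:
        lname = name.lower()
        if lname == "arc-seal":
            tags = parse_tags(value)
            chain.setdefault(int(tags["i"]), {})["AS"] = tags
        elif lname == "arc-message-signature":
            tags = parse_tags(value)
            chain.setdefault(int(tags["i"]), {})["AMS"] = tags
        elif lname == "arc-authentication-results":
            i, authserv, results = parse_aar(value)
            chain.setdefault(i, {})["AAR"] = (authserv, results)
    return chain


def arc_override_decision(headers, from_domain, trusted_sealers, seal_crypto_ok):
    """Return (allow, reason): may this ARC chain override a DMARC failure?

    The receiver's local policy is the `trusted_sealers` set; every hop must
    be trusted, the chain must be intact (contiguous i=1..N, cv=none at i=1
    and cv=pass afterwards, all seals verified), and the oldest hop's AAR
    must record an aligned pass for the From domain."""
    chain = build_chain(headers)
    if not chain:
        return False, "no ARC headers"
    n = max(chain)
    if n > MAX_INSTANCES or sorted(chain) != list(range(1, n + 1)):
        return False, "instances not contiguous 1..N or chain too long"
    for i in range(1, n + 1):
        hop = chain[i]
        if set(hop) != {"AS", "AMS", "AAR"}:
            return False, f"i={i}: incomplete ARC set"
        cv, expected = hop["AS"].get("cv"), ("none" if i == 1 else "pass")
        if cv != expected:
            return False, f"i={i}: cv={cv}, expected {expected}"
        sealer = hop["AS"].get("d", "").lower()
        if sealer not in trusted_sealers:
            return False, f"i={i}: sealer {sealer} is not trusted"
        if not seal_crypto_ok.get(i, False):
            return False, f"i={i}: seal did not verify"
    # The i=1 AAR records authentication as seen before any hop modified
    # the message; that is the result a trusted chain is vouching for.
    _, results = chain[1]["AAR"]
    for method, result, props in results:
        if method == "dmarc" and result == "pass" and props.get("header.from", "").lower() == from_domain:
            return True, "i=1 AAR shows dmarc=pass for From domain"
        if method == "dkim" and result == "pass" and props.get("header.d", "").lower() == from_domain:
            return True, "i=1 AAR shows aligned dkim=pass for From domain"
    return False, "i=1 AAR shows no aligned pass for From domain"


if __name__ == "__main__":
    trusted = {"lists.example.org", "fwd.example.net"}
    print(arc_override_decision(SAMPLE_HEADERS, "sender.example", trusted, {1: True, 2: True}))
```

Note what the trust set is doing: removing `fwd.example.net` from `trusted_sealers` turns the same, cryptographically intact chain into a rejection, because an untrusted hop could just as well have manufactured the whole chain including a flattering i=1 AAR. That per-sealer trust list, which each receiver has to build and maintain on its own, is the part John says scales poorly.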
