On Wed, Mar 19, 2025 at 7:09 AM Barry Leiba <barryle...@computer.org> wrote:

> I note that we are shutting down the DMARC working group without
> completing the failure reporting document.  We have discussed what to do
> about failure reporting, but never made a decision.  We need to decide now.
>
> I see three options:
>
> 1. Continue discussing the document, complete it, and ask Andy to
> AD-sponsor it.
>
> 2. Abandon the document, leave failure reporting as it had been, and refer
> people to the old (Informational) DMARC spec for documentation of it.
>
> 3. Abandon the document and deprecate failure reporting.  That would
> involve mentioning failure reports, noting that they have been seldom used
> and problematic, and stating that their use going forward is not
> recommended.
>
> I recommend that we do (3), and call for objections to that path.  If you
> agree with (3), please note that here.  If you prefer (1) or (2), please
> state that and say why.  If you see another reasonable option and prefer
> it, please describe it.
>
> Please post your opinion by the end of March.
>
> I’ll note that options 2 and 3 require adjustments to the approved drafts,
> and will need Andy’s review and approval for the changes.
>
> Barry
>
>
As one of the people who originally came up with DMARC, I strongly
disagree with approach 3. We could have kept DMARC a "private club" that
created value only for those invited to participate. Instead the
participants in the effort felt that the value created should be publicly
available to everyone through a public standards effort and that IETF was
the natural place for such an effort. Failure Reports are part of that
value proposition. They are currently being provided today but
privately, as a result of privacy and liability concerns stemming from
various regulatory frameworks from governmental bodies.

The real question we should be trying to answer is whether or not provision
of Failure Reports should be kept a public documented standard or recede
back to a private club monetized by 3rd party intermediaries with no hope
of it returning to be an open public standard. The question as laid out by
Barry is strictly procedural without regard to whether there is value in
keeping Failure Reports a public open standard. I appreciate that the
DMARCbis effort has been long and arduous. People are tired. If option 3 is
chosen, Failure Reports won't go away. Their form and function will simply
become controlled by a handful of large players. There is also the risk of
diverging format and implementations if individual large players look to
their own interests. Ultimately, option 3 is a bad choice when considering
the interests of the community at large and open standards.

While I prefer option 1, I can reluctantly accept option 2 as it allows "a
second bite of the apple" at a later point if the IETF email community
decides to take up the effort at a later point. We are so close. Let's
complete the journey we started.

Michael Hammer
_______________________________________________
dmarc mailing list -- dmarc@ietf.org
To unsubscribe send an email to dmarc-le...@ietf.org
