On 3/19/2025 7:03 AM, Dotzero wrote:
On Wed, Mar 19, 2025 at 7:09 AM Barry Leiba <barryle...@computer.org>
wrote:
I note that we are shutting down the DMARC working group without
completing the failure reporting document. We have discussed what
to do about failure reporting, but never made a decision. We need
to decide now.
I see three options:
1. Continue discussing the document, complete it, and ask Andy to
AD-sponsor it.
2. Abandon the document, leave failure reporting as it had been,
and refer people to the old (Informational) DMARC spec for
documentation of it.
3. Abandon the document and deprecate failure reporting. That
would involve mentioning failure reports, noting that they have
been seldom used and problematic, and stating that their use going
forward is not recommended.
I recommend that we do (3), and call for objections to that path.
If you agree with (3), please note that here. If you prefer (1)
or (2), please state that and say why. If you see another
reasonable option and prefer it, please describe it.
Please post your opinion by the end of March.
I’ll note that options 2 and 3 require adjustments to the approved
drafts, and will need Andy’s review and approval for the changes.
Barry
As one of the people who originally came up with DMARC, I strongly
disagree with approach 3. We could have kept DMARC a "private club"
that created value only for those invited to participate. Instead the
participants in the effort felt that the value created should be
publicly available to everyone through a public standards effort and
that IETF was the natural place for such an effort. Failure Reports
are part of that value proposition. They are currently being provided
today but privately, as a result of privacy and liability concerns
stemming from various regulatory frameworks from governmental bodies.
The real question we should be trying to answer is whether or not
provision of Failure Reports should be kept a public documented
standard or recede back to a private club monetized by 3rd party
intermediaries with no hope of it returning to be an open public
standard. The question as laid out by Barry is strictly procedural
without regard to whether there is value in keeping Failure Reports a
public open standard. I appreciate that the DMARCbis effort has been
long and arduous. People are tired. If option 3 is chosen, Failure
Reports won't go away. Their form and function will simply become
controlled by a handful of large players. There is also the risk of
diverging format and implementations if individual large players look
to their own interests. Ultimately, option 3 is a bad choice when
considering the interests of the community at large and open standards.
While I prefer option 1, I can reluctantly accept option 2 as it
allows "a second bite of the apple" at a later point if the IETF
email community decides to take up the effort at a later point. We are
so close. Let's complete the journey we started.
Michael Hammer
_____
+1 to the points and preferences raised here.
- Mark Alley
_______________________________________________
dmarc mailing list -- dmarc@ietf.org
To unsubscribe send an email to dmarc-le...@ietf.org