Dear Shal, See comments inline:
On May 21, 2014, at 4:45 PM, Shal Farley <s...@roadrunner.com> wrote: > Douglas, > > > Sorry about being slow to respond. I am working on a document that > > should permit Author-Domains a means to assert exceptions permitted > > for specific authenticated domains (based on their review of DMARC > > feedback as a means to permit actual user behaviors.). This is > > information recipients simply do not have and represents something > > that only the Author-Domain should be making. > > I doubt I'm fully understanding your proposal, but it sounds like another cut > at closing the trust gap by pushing authentication from the sender > (author-domain). Not exactly. The proposal does allow the author a say in what exceptions should be made in an effort to ensure the cooperation they are seeking is lost because of receivers increased support costs when they are mislead into rejecting or quarantining a message that was in fact legitimate and very much desired by the recipient. > But it doesn't seem reasonable to me, as a user of brand R ESP and subscriber > to a brand Y list, that the various author domains of the other list members' > brand A, B, C, ... ESPs should determine whether or not I can receive those > members' messages. Why is it that you assert that only the Author-Domain > should be making those decisions? Subscribing to brand 'Y' costs nothing as it has for decades. Many small community organizations such as churches and theater groups make extensive use of these services. I'll use Yahoo as an example of what can go wrong, while at the same time it is not right to then blame those offering third-party services. It could be an accountant sending out invoices on behalf of their client by placing their domain in the Sender header field and that of their client into the From. When what was once a normal email channel gets saddled with new From/source domain alignment requirements, those making the change should know in advance what will break and which exceptions are needed. After all, that is the purpose of all the receivers cooperating with author-domains. The Author-domain is normally attempting to protect their brand by making assertions that are likely acted upon. This then runs head long into situations like Yahoo, where as a result of one of their contracted services, exposed millions of accounts. Even after these accounts are restored to their rightful owners, the malefactors now have information to then do evil things to their acquaintances. Considering the liability potential, it is not surprising they took the rather drastic action of asserting if the From is not aligned with our server, please reject the message. John Levine may argue there should have been another choice of "discard", however DMARC was about ensuring delivery as much as it was about protecting recipients of their services from abuse. The choice of discard takes you rapidly down a slippery slope of email becoming too unreliable for serious use. > I don't get what information in the DMARC feedback could possibly be of value > in this circumstance - all that tells the author domain is what decisions my > (and other) ESPs made with regard to the message. And no one else sees that information. It provides the author-domain two general categories of knowledge: 1) Who is spoofing their author-domain 2) Which legitimate messages might be lost For item 2, the author-domain will be able to specify authenticated sources for their messages. It will also allow the author-domain to add what should be in the Sender header to deal with outside administrative services or what should be in the List-ID to deal with mailing lists, such as this one. > The DMARC feedback tells them nothing about how much I value that message > content - especially in those cases where I never get to see the content due > to my ESP's decisions. The goal would be to take a marketing negative and change it into a positive. By carefully deploying DMARC + TPA, they can then claim to be protecting their users and their users' recipients from being spoofed. This can be done while also allowing email to continue functioning just as it does now. My inbox shows someone is attempting to compromise one of my accounts as I type this message. I would see it as a positive when messages by such malefactors are refused so I don't see this nonsense. Repeated attacks continuing over several days tells customers to look elsewhere for a different service. > In fact, looked at the other way around, from the point of view of the > message list contributor (author), it sounds like you are giving his/her ESP > veto power over which mailing lists he/she can participate in, by the ESP's > choice of which list domains to permit. Your ESP currently decides which messages to send and which to place into an inbox. Some will go missing unbeknownst to you. In the case of an exigent situation with rampant criminal activity, it is normal to find greater latitude granted in such matters. > I think this speaks to a fundamental distinction between the kind of email > traffic DMARC was designed to facilitate, versus email list traffic. The > canonical DMARC message is one the author wishes to push to the recipient. > The canonical list message is one the author wants to push to the list > service, but from there the forwarded messages are much less the concern of > the author, and much more the concern of each recipient member of the list. DMARC + TPA can still work fine with email list traffic, outside administrative services, tell-a-friend invites etc. > That's why in terms of closing the trust gap, I think the extension should be > from me the recipient saying "I signed up for that list, I trust it's > judgment about message quality". The list is acting as my receiving agent. Most mailing lists have many eyes looking for trouble and normally are fairly quick at dropping offensive subscribers. Adding tags on the subject helps sort which messages were from which list, but these methods represent scoring games with odds always in the malefactors' favor. Unless defenses are robust and accurate, malefactors will keep trying until they find an in. > Having the author domain trying to decide which of the thousands (tens of > thousands?) of list domains should be granted permission sounds like a recipe > for endless user frustration. Yahoo suggested there are 30K of such services. At any point in time, there are more than 100M unique domains sending email. It is clearly the recipients who lack the tools needed to sort out this mess. After all, the author domain along with DMARC feedback is able to confirm which represents legitimate services and which don't. It is a matter of comparing feedback against outbound logs. > At least with the idea of each receiving ESP running its own whitelist of > lists, they have direct access to the receiving user's judgments as expressed > by "Spam" and "Not Spam" as a kind of crowdsourcing for the quality metric - > assuming first that they pass the messages to at least the Spam folder even > in the face of a p=reject author domain. User feedback is still guessing what is meant by "this is spam". Only the author-domain is able to make accurate assessments and end this guesswork. > My idea is not much different, I simply dispense with the overall whitelist > of lists and make that a per user list. Dumping the problem onto users is a good recipe for losing customers. This is the very thing DMARC was trying to prevent. Why would you want to step into mucking with guesswork? The author-domain can prevent services from being needlessly disrupted and knows with a high degree of accuracy which sources can be legitimate. Regards, Douglas Otis _______________________________________________ dmarc-discuss mailing list dmarc-discuss@dmarc.org http://www.dmarc.org/mailman/listinfo/dmarc-discuss NOTE: Participating in this list means you agree to the DMARC Note Well terms (http://www.dmarc.org/note_well.html)