Michael Jack Assels writes:
> > I can't think of any. Some, many, or most of them were supposed
> > to be, but it has never turned out that way. I don't know why
> > DMARC is being held to a different standard.
>
> Isn't DMARC holding itself to a different standard?
That's a reasonable interpretation given the choice of mood ("reject"
is a command), but in the end it's untenable. As Murray says,
"policy frameworks" have been tried before, and they just don't work
for "generic" email, although they work very well (as indeed DMARC
does) for several important, but restricted, mail flows.
The problem with "generic" email is that the incentives of Author
Domains which provide mailboxes for personal use are poorly aligned
with the incentives of their mailboxes' users. Specifically, Author
Domains consider spam-fighting priority one, and consider mailing
lists and other indirect flows at best neutral, and often on net a
nuisance, while their users want to participate freely in indirect
flows (leaving the costs of spam-fighting up to the Author Domains).
> What's a receiver supposed to do with unaligned mail whose "From:"
> domain specifies p=reject?
Whatever they want to. If they think they can do filtering better
than the sender, they may choose to ignore it, and there's nothing
that can be done about it. Furthermore, I don't see why anyone other
than the receiver's mailbox users should care what the receiver
chooses to do.
> Clearly, the domain owner is explicitly asking that the message be
> rejected.
No, they are not, not in the case of AOL and Yahoo!. Representatives
of both domains have thanked MLM developers for providing mitigations
so that messages that in the normal (until DMARC) course of events
would fail From alignment can be delivered to DMARC-participating
receiving domains which (since DMARC) would reject them. Thus, Yahoo!
and AOL are clearly taking the position that they would like those
messages to be delivered.
Hector, J. Gomez, Franck, and others take the position that the world
has changed due to spam and phishing, and therefore "what *was*
normal" is now irrelevant. The new norm is conform to DMARC and other
dictatorial sender policy frameworks or you're part of the problem.
I disagree. Spamming and phishing are the problem, traditional
practices of mailing lists are not.
> If DMARC intends that this be merely one of many factors to
> consider, then doesn't it boil down to nothing more than
> p=do-whatever?
No, there is valuable information in the policy. As far as I can see,
the semantics of "p=reject" are
We have a serious spoofing problem. It is so serious compared to
the potential damage due to rejecting legitimate messages that we
accept all responsibility for nondelivery and collateral damage if
you choose to reject.
In the case of direct mail flows, the potential damage due to
rejection of legitimate mail is very low, and the potential damage
from accepting spoofed mail is extremely high. If you know that a
mail flow is direct, as a receiver you'd be crazy not to reject, and
as a sender you'd be crazy not to accept the responsibility for
receivers rejecting.
In the case of indirect flows, receivers may (or may not) want to
prefer their judgment to that of the author domain, because often the
expected damage from accepting is much lower, and the expected damage
from rejecting much higher.
> Yes, I know that receivers can and will do as they please, but some
> receivers would be pleased as punch to cooperate in a scheme that
> gave solid proof of a message's illegitimacy in every case where it
> was asserted.
Murray's point is that "proof of illegitimacy" is probably a pipe
dream, as shown by past experience with "policy frameworks".[1]
Legitimacy, on the other hand, is fairly easy to prove, as DMARC shows
in daily use by financial institutions and in other transactional mail
flows.
Footnotes:
[1] Hector is right that they haven't really been tried, but I don't
think the chance that they'll be tried in the future is high, because
the reasons they've been hard to implement in the past remain true.
The big problem is that policy frameworks proposed so far "work" only
if you define "legitimacy" tautologically: if it gets past the policy
framework, it's legit, else not. That's not what my users want,
though. They want to receive the mail they want to receive, and
otherwise not, and no policy framework so far has shown promise of
implementing that.
_______________________________________________
dmarc mailing list
dmarc@ietf.org
https://www.ietf.org/mailman/listinfo/dmarc
