I’m with Doug on this one. The bandage should be pulled off quickly and sympathy expressed to those who miss backward compatibility. I wouldn’t say utilitarianism is the right frame but here why wouldn’t it be morally right not to mention technically sound to inconvenience and anger the few to create positive downstream effects for the majority.
If mailing list managers were also flogged then my opinion would shift right back in favor of the manager. Regardless, I feel gratitude for the work of ml managers but I’m sorry maybe the day has come to discuss making decisions for the community as a whole even if it inconveniences (granted not trivially).
I had trouble sleeping so I hope my response holds up as being reasonable when I re read it in the morning. Thanks.
Neil On Mar 29, 2023, at 7:01 PM, Douglas Foster <dougfoster.emailstanda...@gmail.com> wrote:
If my cigarette smoke inconveniences 100 people on my plane flight, should I come prepared to go smokeless or should they come prepared with masks? The mailing list problem is created by mailing list practices, and it is the mailing lists problem to solve the problem they created.
We actually have an abundance of options for them right now: - Do not alter content.
- Mung the From address
- Use ARC to indicate that the list is forwarding and modifying traffic from someone else.
- As part of the subscription process, require subscribers to get a filtering exception implemented for the list traffic.
- Use test messages to determine whether a recipient domain blocks on p=reject, and do conditional munging for only those recipient domains that need it.
In the case of this IETF list, probably zero participants need From munging, but IETF mungs everything from Comcast because they are unwilling to attempt conditional munging. So Comcast should allow its domain to be impersonated so that IETF does not have to collect and use subscriber-specific information?
For any mailing list trust system to work, the mailing list would have to be trustworthy. Most mailing lists should be able to require 100% SPF PASS on posts, as well as exact match between MailFrom domain and From domain, because posts should be individual contributions. However, the testimony of knowledgeable people in this group is that most mailing lists cannot be bothered to enforce sender authentication at all. These lists aren't protecting their subscribers from impersonation fraud, yet they are complaining that evaluators are suspecting them of forwarding impersonation fraud. That is hypocrisy.
Someone please explain to me why everyone should make themselves more vulnerable to ransomware and other attacks so that mailing lists can avoid being inconvenienced and avoid having secure operating practices.
Doug Foster
1. IETF has installed a very ugly workaround to the problem, rewriting the "from" header field. It's absolutely a workaround, and not a proper solution.
2. Without the workaround, the real pain is not that a message from Comcast posted to the list doesn't get to you (though that's true): the real pain is that if Valimail rejects (bounces) those messages, the Mailman software will eventually unsubscribe you -- YOU, not the Comcast user -- from the list for exceeding the bounce threshold.
3. Even with the workaround, I see, as a list owner, several unsubscribe notifications a week due to excessive bounces.
The damage to mail list operations is real, and expecting every mailing list manager to install an ugly workaround is not the right answer. Telling those deploying DMARC what interoperability problems an inappropriate choice of p=reject causes, and telling them not to do that... is the right answer.
And, as I said, when they decide that their needs are more important than those interoperability problems, they have that right, and at least they will now be making an informed decision. The standard needs to say this.
Barry
Colleagues,
Can someone please point me to a mailing list server or other indirect mail flow that I might somehow engage with so that I can experience the pain of not having a message reach its destination when sent with a policy of p=reject?
I post to various IETF mailing lists from my work address, and my employer, like Mr. Brotman's, publishes a DMARC record with p=reject. Thanks to the work of the folks who manage the IETF mailing list software, my participation in these discussions is not hindered in any way; I can post to lists, people can reply directly to me if they choose, and I can reply to the list and/or to the author of any post without any extra work on my part.
This leaves me in a position where I do not appreciate how a DMARC policy of p=reject can harm interoperability, or perhaps better stated, I do not appreciate that it does harm interoperability. I understand that it can, because SPF can fail when mail transits intermediaries and DKIM can fail if the intermediary alters the content of the message. That said, I cannot recall seeing a bounce attributable to a DMARC failure in the three years that I've worked here (nor for the year or two prior when my previous employer deployed p=reject) and so I want to be able to send a message that would result in such a bounce.
Can anyone help me?
Thanks.
-- Todd Herr | Technical Director, Standards and Ecosystem m: 703.220.4153 This email and all data transmitted with it contains confidential and/or proprietary information intended solely for the use of individual(s) authorized to receive it. If you are not an intended and authorized recipient you are hereby notified of any use, disclosure, copying or distribution of the information included in this transmission is prohibited and may be unlawful. Please immediately notify the sender by replying to this email and then delete it from your system.
dmarc mailing list
dmarc@ietf.org
https://www.ietf.org/mailman/listinfo/dmarc
dmarc mailing list
dmarc@ietf.org
https://www.ietf.org/mailman/listinfo/dmarc
|
