On Thu, Apr 6, 2023 at 9:19 AM Baptiste Carvello <
devel2...@baptiste-carvello.net> wrote:

> Hallo,
>
> Le 06/04/2023 à 01:46, Dotzero a écrit :
> >
> > Not at all. The discussion (and specific post I was responding to) was
> > about mailing lists but it also applies more generally. A number of
> > years ago I saw bounces from a Polish domain. Their policy was that if
> > the From and the Mail From didn't match they would reject the inbound
> > email. I find that absurdly limiting but they can implement whatever
> > policy they want. Maybe there are sending domains that do that for all
> > their mail. My point is that domain owners/admins, at least on certain
> > levels, get to choose how they interact with other networks/servers.
>
> Yeah, but this is where DMARC comes in, and muddies the responsibilities
> that come with those choices. Originating domains (quoting Todd Herr)
> just "use p=reject as a signal to declare that they got all outgoing
> mail authenticated". Evaluators candidly comply with the originator's
> wish to have unauthenticated mail rejected. None of them is taking
> responsibility for the breakage they collectively are causing to mailing
> list (etc…) operation.
>

Again, not at all. You are quoting Todd's opinion, which does not equal a
fact. A domain publishing a p=reject policy is only a signal that the
domain wishes email that fails to validate to be rejected, nothing more and
nothing less. When we (Yes, I was part of the original dmarc.org team)
created DMARC and published it in 2011, we were focused on a point solution
to what we perceived as a point problem. That was direct domain abuse of
transactional emails from organizational domains which had few or no end
users. We recognized that there was a risk of DMARC being implemented by
domains with many individual users but felt that the potential downsides
limited the likelihood of that happening. When Yahoo and AOL implemented
DMARC with a p=reject policy within weeks of each other in 2014, it was
because each organization was enduring major impersonation attacks against
their users. My understanding is that in both those cases the decision to
publish p=reject was made by the top business leader(s) of each
organization as a business decision, not a technical one. Since that time,
many other organizations with lots of end users have faced similar attacks.

So Baptiste, what responsibility do you expect these organizations to
undertake? I'm asking this as a serious question, not a rhetorical one. In
all seriousness they are/were focused on addressing their, potentially
existential, problems and not those of others. One might state that is a
very selfish attitude. I would agree and then suggest such a statement
changes nothing. I haven't faced that situation or choice so I'm not in a
position to answer what I would personally do if faced with those choices.
I will point out that in many cases organizations make the decision as a
result of being under attack.

> Avalanches of bounces inflicted upon uninvolved third parties are a
> major interoperability problem caused by DMARC. This should not happen
> without either the originator or the evaluator breaking a MUST
> requirement. Otherwise, DMARC itself is responsible for the breakage.
>

I again invoke King Canute. There are other things which can cause
avalanches of bounces. It's a shame. The fact that it is happening suggests
that mailing list operators and others face choices. Simply wagging a
finger and shouting "YOU BROKE A MUST NOT" is hardly an effective response.


>
> > I also don't think it would be pretty but it's within the realm of
> > options they can choose from.
>
> You talk, but you know they won't really do it. Because they're not
> trying to coerce you into changing your way of operating.
>

I personally don't know what (generic) others will or won't do. If faced
with avalanches of bounces and the risk of getting blocked overall by large
receivers, some list owners have in fact blocked inbound messages from
domains which publish p=reject. This may have been a temporary expediency
while they decided on other measures, but it has happened.


>
> BTW, From munging has not become any "neater" than it was 2 years ago.
> Or 2 years before. As long as there is no proven solution (ARC?),
> rehashing the same pseudo-moral arguments is not helpful.
>

I certainly haven't engaged in pseudo-moral arguments. I'm looking at it
from a very pragmatic perspective. Do you create or update standards based
on the reality of what is happening or do you take an ivory tower approach
in which the standard you promulgate bears little relationship to what is
happening in the real world?

I think Ale's post to the list impersonating Alex is a perfect example of
why playing the "MUST NOT" card is insufficient and should be reconsidered.

Michael Hammer
_______________________________________________
dmarc mailing list
dmarc@ietf.org
https://www.ietf.org/mailman/listinfo/dmarc
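The mechanics behind this exchange, as an added illustration that is not part of the thread or of any participant's message: a minimal DMARC evaluator following the identifier-alignment rules of RFC 7489 section 3.1. It shows why a message that authenticates perfectly at its origin fails once a mailing list rewrites the envelope sender and appends a footer, why p=reject then produces a bounce, why From munging restores a pass (under the list's domain), and that the receiver's decision to honor p= is a local choice. The domains, the scenarios and the `honor_policy` switch are constructed for the example, and the organizational-domain lookup is a two-label simplification rather than a Public Suffix List lookup.

```python
"""Added example (not from the dmarc list thread): a minimal DMARC policy
evaluator for the mailing-list scenario discussed above.

Per RFC 7489 section 3.1 a message passes DMARC when SPF passes with an
envelope (RFC5321.MailFrom) domain aligned with the RFC5322.From domain, or
DKIM passes with a d= domain aligned with it. Relaxed alignment ("r", the
default) accepts the same organizational domain; strict ("s") requires an
exact match. All domains and scenarios below are constructed."""

from dataclasses import dataclass


@dataclass
class AuthResults:
    from_domain: str        # RFC5322.From header domain
    spf_result: str         # "pass" / "fail" / "none"
    mail_from_domain: str   # RFC5321.MailFrom (envelope sender) domain
    dkim_result: str        # "pass" / "fail" / "none"
    dkim_d_domain: str      # d= tag of the DKIM signature that was verified


def org_domain(domain: str) -> str:
    """Organizational domain, simplified to the last two labels.
    Assumption for this example; real evaluators use the Public Suffix List."""
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def aligned(a: str, b: str, mode: str) -> bool:
    """Identifier alignment: strict needs an exact match, relaxed the same org domain."""
    if mode == "s":
        return a.lower() == b.lower()
    return org_domain(a) == org_domain(b)


def parse_dmarc_record(txt: str) -> dict:
    """Parse a TXT record such as 'v=DMARC1; p=reject; aspf=s' into tag -> value."""
    tags = {}
    for part in txt.split(";"):
        part = part.strip()
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def dmarc_pass(r: AuthResults, record: dict) -> bool:
    """True if either an aligned SPF pass or an aligned DKIM pass exists."""
    spf_ok = r.spf_result == "pass" and aligned(
        r.mail_from_domain, r.from_domain, record.get("aspf", "r"))
    dkim_ok = r.dkim_result == "pass" and aligned(
        r.dkim_d_domain, r.from_domain, record.get("adkim", "r"))
    return spf_ok or dkim_ok


def disposition(r: AuthResults, record_txt: str, honor_policy: bool = True) -> str:
    """Return the evaluator's disposition for the message.
    The domain owner's p= tag is a request; whether the receiver applies it is
    local policy (honor_policy=False models an override, e.g. for a known list)."""
    record = parse_dmarc_record(record_txt)
    if dmarc_pass(r, record):
        return "accept"
    policy = record.get("p", "none")
    if policy == "none" or not honor_policy:
        return "accept"
    return "reject" if policy == "reject" else "quarantine"


RECORD = "v=DMARC1; p=reject"  # constructed policy for the author's domain

# Scenario 1: mail sent directly from the author's domain (constructed).
DIRECT = AuthResults("example.com", "pass", "example.com", "pass", "example.com")

# Scenario 2: the same message relayed by a mailing list. The list rewrote the
# envelope sender to its own domain (SPF passes, but is not aligned with From)
# and appended a footer, which invalidated the author's DKIM signature.
VIA_LIST = AuthResults("example.com", "pass", "lists.example.org", "fail", "example.com")

# Scenario 3: the list also munges From to its own domain and signs the message
# itself, so both identifiers align with the (rewritten) From domain.
MUNGED = AuthResults("lists.example.org", "pass", "lists.example.org",
                     "pass", "lists.example.org")

if __name__ == "__main__":
    for name, r in [("direct", DIRECT), ("via list", VIA_LIST), ("munged", MUNGED)]:
        print(f"{name:9s} -> {disposition(r, RECORD)}")
```

Running it prints `accept` for the direct message, `reject` for the unmodified relay (the bounce the thread is arguing about) and `accept` for the munged copy; passing `honor_policy=False` for the relayed message shows the receiver-side override that turns the same failing evaluation into an accept.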
