Start with the underlying objective: Evaluators SHOULD accept mailing list traffic.

Google's requirement: Given whatever standards-track DMARCbis rules we produce, these rules MUST be something that can be fully automated.

Consequently, the problem remains: How does an evaluator distinguish between a legitimate list and a malicious attack?

My answer: Lists need to use From munging to avoid DMARC FAIL, and hope that sophisticated evaluators will use ARC data to un-mung before delivery. This seems like a complete solution, and the only one which does not ask evaluators to weaken their security defenses.

DF

On Fri, Jul 7, 2023, 8:44 PM Murray S. Kucherawy <superu...@gmail.com> wrote:

> Still no hat on.
>
> I can see the compromise in language that's been proposed here, and I
> appreciate the effort by the chairs.
>
> Two things I'd like to raise. First:
>
> On Thu, Jul 6, 2023 at 7:55 AM Barry Leiba <barryle...@computer.org>
> wrote:
>
>> It is therefore critical that domains that host users who might
>> post messages to mailing lists SHOULD NOT publish p=reject.
>> Domains that choose to publish p=reject SHOULD implement
>> policies that their users not post to Internet mailing lists.
>>
>
> Some of my IETF mentors (ahem) taught me some stuff about the use of
> SHOULD [NOT] that have stuck with me, and I'm going to pressure test this
> against that advice. Let's see how this goes. :-)
>
> "SHOULD" leaves the implementer with a choice. You really ought to do
> what it says in the general case, but there might be circumstances where
> you could deviate from that advice, with some possible effect on
> interoperability. If you do that, it is expected that you fully understand
> the possible impact you're about to have on the Internet before
> proceeding. To that end, we like the use of SHOULD [NOT] to be accompanied
> by some prose explaining when one might deviate in this manner, such as an
> example of when it might be okay to do so.
>
> Does anyone have such an example in mind that could be included here?
> Specifically: Can we describe a scenario where (a) a sender publishes
> p=reject (b) with users that post to lists (c) that the community at large
> would be willing to accept/tolerate?
>
> The second thing is that the level of disruption we saw on the IETF lists
> when "p=reject" was rolled out prematurely suggests to me that
> "interoperability issues" by itself is a bit more euphemistic than is
> deserved. Can we add in a word like "serious" or "substantial"?
>
> -MSK
> _______________________________________________
> dmarc mailing list
> dmarc@ietf.org
> https://www.ietf.org/mailman/listinfo/dmarc
>
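
The From-munging point in the message above, as an added Python example that is not part of the original thread: a simplified DMARC check showing why a list-relayed message fails under the author's p=reject even though the list authenticates its own domain, and passes once the list rewrites From to that domain. The domains, the policy table and the two-label organizational-domain shortcut are constructed assumptions; ARC-based un-munging is not modelled.

```python
# Added illustration: simplified DMARC evaluation of list-relayed mail.
# Domains and policies are constructed. Alignment uses a naive "last two
# labels" organizational domain instead of the Public Suffix List.
from dataclasses import dataclass
from typing import Optional

def org_domain(domain: str) -> str:
    """Naive organizational domain (assumes single-label public suffixes)."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

@dataclass
class Message:
    header_from: str            # domain in the RFC5322.From header
    spf_domain: Optional[str]   # MAIL FROM domain that passed SPF, else None
    dkim_domains: tuple         # d= domains whose signatures still verify

def dmarc_result(msg: Message) -> str:
    """Pass if any authenticated identifier aligns (relaxed) with From."""
    want = org_domain(msg.header_from)
    authenticated = [d for d in (msg.spf_domain, *msg.dkim_domains) if d]
    return "pass" if any(org_domain(d) == want for d in authenticated) else "fail"

def disposition(msg: Message, policies: dict) -> str:
    """Apply the From domain's published policy when DMARC fails."""
    if dmarc_result(msg) == "pass":
        return "deliver"
    policy = policies.get(org_domain(msg.header_from), "none")
    return policy if policy in ("reject", "quarantine") else "deliver"

def relay_through_list(msg: Message, list_domain: str, munge: bool) -> Message:
    """Model a list that adds a footer and re-sends the message.

    The body change invalidates the author's DKIM signature; the list uses
    its own envelope sender and DKIM key, so only the list domain remains
    authenticated. With munging, From is rewritten to the list domain.
    """
    header_from = list_domain if munge else msg.header_from
    return Message(header_from, list_domain, (list_domain,))

POLICIES = {"example.com": "reject", "example.net": "none"}  # constructed
ORIGINAL = Message("mail.example.com", "mail.example.com", ("example.com",))
LIST = "lists.example.net"                                   # constructed

if __name__ == "__main__":
    for label, m in [("direct", ORIGINAL),
                     ("list, From unchanged", relay_through_list(ORIGINAL, LIST, False)),
                     ("list, From munged", relay_through_list(ORIGINAL, LIST, True))]:
        print(f"{label}: DMARC {dmarc_result(m)}, {disposition(m, POLICIES)}")
```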