On 07/24/2018 03:16 PM, John Levine wrote:
> Turning it on for aol.com, yahoo.com, and other domains with user mailboxes,

So, are you stating that DMARC should NOT be used on domains that (predominantly) contain end user mailboxes?

> to outsource the pain of the spam they were getting

I'm not completely following you. Are you referring to filtering of inbound email that AOL / Yahoo / etc. were having to do? If so, I don't see how publishing DMARC affects that. (I assume that they did not need to publish records to enhance filtering email from themselves.) Or are you referring to "the pain" as being the push back / flak from the rest of the email industry for spoofed messages purporting to be from AOL / Yahoo / etc?

> due to letting user address books be stolen.

I don't know about AOL's security posture, but I do have a little idea about how bad Yahoo's was. - I still don't know that I would say that they allowed it, as in welcomed it.

IMHO it has been trivial to harvest email addresses for a LONG time. As such, I think that address books are simply a convenient list and not strictly related. Please correct me if I'm wrong.

> Right, thereby causing a great deal of entirely legitimate mail that DMARC cannot describe to go missing, along with a certain amount of spam.

"legitimate mail that DMARC cannot describe" That sounds distinctly like a problem with the DMARC specification, /not/ with use thereof.

Aside: The (relatively?) recent conversion from analog TV to digital TV broadcasting in the US comes to mind.

I feel like DMARC requires a paradigm shift in how email is forwarded and handled by mailing lists. (I'm sure there are some other uses that I'm forgetting.) Much like the aforementioned conversion from analog TV to digital TV.

Or similarly the requirement for reverse DNS for mail servers. Personal opinions aside, it seems as if the email industry has decided that requiring reverse DNS is a mostly good thing. Or that the good (slightly) outweighs the bad.

> We've been cleaning up their mess ever since.

I question if the mess is /really/ AOL's or Yahoo's doing, or if instead the problem was really related to (what I'm going to describe as) a questionable way of operating that we now must change to play well with DMARC.

> Yes, they explicitly decided that the costs they imposed on innocent bystanders were Not Their Problem.

Please elaborate on what "the cost" is and entails. Are you referring to anything more than the fallout of not being able to (easily) forward email in a DMARC compliant manner?

I suspect "imposed on innocent bystanders" and "not their problem" can also be used to describe requiring reverse DNS, SPF, and DKIM.



--
Grant. . . .
unix || die

------------------------------------------------------
Mailman-Users mailing list Mailman-Users@python.org
https://mail.python.org/mailman/listinfo/mailman-users