Re: [dmarc-ietf] DMARC as Signal to MLMs for Rewrites (or not)

2020-09-17 Thread Sabahattin Gucukoglu 
On 17 Sep 2020, at 20:59, Jesse Thompson 
 wrote:
> On 9/17/20 2:11 PM, Sabahattin Gucukoglu wrote:
>> Wouldn’t it be nice if you could ask for MLMs to transform, just using a 
>> DMARC policy, even p=none,
> 
> It is possible via p=quarantine pct=0.  
> 
> I think it makes sense to consider codifying beyond this defacto standard 
> hack.  Isn't this part of DMARCbis?  It was discussed, anyway.  Which ones 
> are active?  https://trac.ietf.org/trac/dmarc/report/1

These tickets seem to be relevant:
#22 (Perverse incentives to use p!=none & pct=0): 
https://trac.ietf.org/trac/dmarc/ticket/22
#73 (Need decision on importance of From domain): 
https://trac.ietf.org/trac/dmarc/ticket/73
#63 (Make p=none with no reporting URI invalid—Closed): 
https://trac.ietf.org/trac/dmarc/ticket/63

I did not realise that this “hack” had become widespread. I agree that it 
should be codified, or else p=none explicitly needs to support it (and in that 
case reporting must remain optional). I can’t speak to the pct parameter, 
because my sites are too small to really benefit from it.

Cheers,
Sabahattin

___
dmarc mailing list
dmarc@ietf.org
https://www.ietf.org/mailman/listinfo/dmarc

[dmarc-ietf] DMARC as Signal to MLMs for Rewrites (or not)

2020-09-17 Thread Sabahattin Gucukoglu 
AFAIK, at the moment, MLMs doing transforms on headers to make messages 
DMARC-safe have no reliable way of knowing whether sender domains intended them 
to do so or not: there’s a heuristic that just says that in general, a DMARC 
domain enforcing an active quarantine or reject policy probably wants 
transforms.

Wouldn’t it be nice if you could ask for MLMs to transform, just using a DMARC 
policy, even p=none, so that you could test with a live environment containing 
MLMs that work around DMARC policy? Or you could ask for *no* transform, even 
for p=quarantine or p=reject, so that your DMARC policy can be used to 
legitimately restrict usage to directly-sent email?

For me the first is more important: I could make the case for DMARC much more 
strongly if I could rely on MLMs to implement a reliable workaround, under 
sender control, so DMARC-sceptics could challenge themselves to the actual 
consequences of the policy, without their enforcement, or continue to support 
traditional forwarding and/or mailing lists as neutral actors while positively 
impacting DMARC-safe mail. Without the workarounds being guaranteed, the 
current state of play, there’s no DMARC-safe future that works for everybody, 
IMO.

It’s reasonable to argue that these workarounds are horrible and I would. It’s 
also, unfortunately, everyday reality nowadays with two long-standing freemails 
using DMARC and all the major MLMs with support, and I have since been induced 
by practical experience to believe that, honestly, what matters for most MLM 
users is utility over functional purity. I have had at least one subscriber 
tell me that they _prefer_ the Mailman 2.16+ workaround because now they get 
the list name in the display name instead of the Subject making it easier to 
scan, and they can whitelist the list address to avoid the spam box or get 
notifications for list mail. I can’t even make myself care that Reply-to-all is 
broken—because that’s inevitably what people want for most lists, anyway. 
Heresy, I’m sure. :)

I still think DMARC’s use of the From: header is its biggest failing. Far 
better would have been to take the high road and use a dedicated 
Authenticated-Sender: (or likewise) header. MUAs would change, to explicitly 
distinguish authorship from “sendership”. But we are where we are. I could not 
call myself a fan of DMARC; I just think it’s inevitable.

Cheers,
Sabahattin

___
dmarc mailing list
dmarc@ietf.org
https://www.ietf.org/mailman/listinfo/dmarc