Re: [dmarc-ietf] Non-solution for DMARC disruption of normal email use while still offering its normal protection

2014-05-30 Thread Tim Draegen
On May 29, 2014, at 3:05 AM, John R Levine jo...@taugh.com wrote:
> Really, that makes no difference.  I don't want Yahoo or anyone else to pay
> us to screw up our mail software to work around them -- I want them to spend
> their money to fix things so we don't have to.

Yes, I get it, I guess in my own jaded way I don't think there is any amount of 
money that Yahoo and AOL can spend that will fix things (because email isn't 
owned by Yahoo or AOL).  BUT, if Yahoo or AOL is willing to experiment, let 
that experiment be me!

I replied to Doug earlier (not yet in archive), and hashed out my own thinking 
around how much domain owners can do vs. how to address 
legitimate-but-unauthorizable email.

TLDR summary: addressing legitimate-but-unauthorizable mail is my answer to 
Scott Kitterman's question: "How do we define the scope of work for this list?".


 
> Yahoo, in their own blog, estimates there are 30,000 mail systems that they
> have damaged by their DMARC actions.  I would be surprised if there were more
> than a few hundred mail systems acting on DMARC policies, although some of
> those are very, very large. Is it that hard to understand why someone might
> think it was unreasonable to demand that the 30,000 make changes of no
> benefit to themselves, rather than the few hundred fix their buggy fussp?

I don't think there is/was a way for Yahoo to fix the estimated few hundred 
mail systems acting on DMARC policies, especially since most are not controlled 
by Yahoo.  Maybe they could have published a list of 30,000 mail systems that 
are white-listed, but wouldn't that just be a publication of 30,000 holes to 
exploit?

The absolute most work I could imagine Yahoo and AOL having done would have 
been to analyze and publish a series of articles/guidance on how impacted email 
can be fixed, complete with accessible patches to all known mailing systems.  
THEN, give the entire internet enough time to apply said patches.  This is my 
unicorn.

For the next 10 years, I'm going to attempt to recreate this unicorn.

 
> The 30K estimate is probably low, since there are likely many small mail
> systems they aren't aware of but that they are damaging. For example,
> yesterday a middle school teacher who found my old Dummies web site wrote to
> me out of the blue to say that his web form that lets students and parents
> send mail to him stopped working for AOL and Yahoo addresses, which just
> disappear.  It took about two seconds to figure out what was wrong when he
> told me that his script sends mail to his Gmail account.  I told him what was
> wrong, and he did a hack that sticks in a fake From: address, so the mail
> gets through but now his script works worse since he can't write back without
> extra effort.  If he hadn't written to me, he'd probably never have figured
> out what was wrong.  These are real people who are really hurt by the two
> providers' actions.

In a similar vein, there are a fair number of businesses that do stuff like 
encapsulate their customer mail with bling (fancy headers, pictures, footers w/ 
disclaimers... stationery), and they're having to figure out how to maintain 
their service when sending on behalf of clients with Yahoo and AOL addresses.  

What is missing is "how am I supposed to do this right?"  I'm not being glib, 
there's a real vacuum due to email being what it is, and it's a vacuum that I 
personally don't think corporations can/should fill.

-= Tim

 
> Regards,
> John Levine, jo...@taugh.com, Taughannock Networks, Trumansburg NY
> Please consider the environment before reading this e-mail.
>
> PS: Here endeth the rant.

___
dmarc mailing list
dmarc@ietf.org
https://www.ietf.org/mailman/listinfo/dmarc


Re: [dmarc-ietf] Non-solution for DMARC disruption of normal email use while still offering its normal protection

2014-05-30 Thread John R Levine

> TLDR summary: addressing legitimate-but-unauthorizable mail is my answer to Scott
> Kitterman's question: "How do we define the scope of work for this list?".


Yup.

> Yes, I get it, I guess in my own jaded way I don't think there is any
> amount of money that Yahoo and AOL can spend that will fix things
> (because email isn't owned by Yahoo or AOL).  BUT, if Yahoo or AOL is
> willing to experiment, let that experiment be me! ...


Sounds good.

> I don't think there is/was a way for Yahoo to fix the estimated few
> hundred mail systems acting on DMARC policies, especially since most are
> not controlled by Yahoo.  Maybe they could have published a list of
> 30,000 mail systems that are white-listed, but wouldn't that just be a
> publication of 30,000 holes to exploit?


Um, wait. Are we doing experiments or not?

In answer to your second question, well, no.  There's no reason to think 
that "can't be described by DMARC" is related to "insecure".  A lot of 
them, like the WSJ and the schoolteacher who wrote to me, don't even have 
inbound MTAs to attack.


Regards,
John Levine, jo...@taugh.com, Taughannock Networks, Trumansburg NY
Please consider the environment before reading this e-mail.



Re: [dmarc-ietf] Non-solution for DMARC disruption of normal email use while still offering its normal protection

2014-05-29 Thread John R Levine
> Hello John, what you're missing -- and it's easy to miss -- is that Yahoo
> has an outstanding offer to help developers (this means $!) fix things.


Really, that makes no difference.  I don't want Yahoo or anyone else to 
pay us to screw up our mail software to work around them -- I want them to 
spend their money to fix things so we don't have to.


Yahoo, in their own blog, estimates there are 30,000 mail systems that 
they have damaged by their DMARC actions.  I would be surprised if there 
were more than a few hundred mail systems acting on DMARC policies, 
although some of those are very, very large.  Is it that hard to 
understand why someone might think it was unreasonable to demand that the 
30,000 make changes of no benefit to themselves, rather than the few 
hundred fix their buggy fussp?


The 30K estimate is probably low, since there are likely many small mail 
systems they aren't aware of but that they are damaging.  For example, 
yesterday a middle school teacher who found my old Dummies web site wrote 
to me out of the blue to say that his web form that lets students and 
parents send mail to him stopped working for AOL and Yahoo addresses, 
which just disappear.  It took about two seconds to figure out what was 
wrong when he told me that his script sends mail to his Gmail account.  I 
told him what was wrong, and he did a hack that sticks in a fake From: 
address, so the mail gets through but now his script works worse since he 
can't write back without extra effort.  If he hadn't written to me, he'd 
probably never have figured out what was wrong.  These are real people who 
are really hurt by the two providers' actions.


Regards,
John Levine, jo...@taugh.com, Taughannock Networks, Trumansburg NY
Please consider the environment before reading this e-mail.

PS: Here endeth the rant.
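
Added example, not part of the thread or any poster's code: a small DMARC evaluator showing why the web form described above loses mail when the visitor's Yahoo or AOL address is placed in From:, and why substituting another From: address gets it through. The school.example domain, the two-label organizational-domain shortcut and the assumption that the substituted From: address sits in the form's own domain are illustrative assumptions.

```python
# Added illustration; school.example and the messages below are constructed.
from dataclasses import dataclass

def org_domain(domain: str) -> str:
    # Assumption: organizational domain = last two labels.
    # A real evaluator consults the Public Suffix List instead.
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

@dataclass
class Message:
    header_from: str               # domain of the RFC 5322 From: address
    spf_domain: str                # RFC 5321 MAIL FROM domain checked by SPF
    spf_pass: bool
    dkim_pass_domains: tuple = ()  # d= values of signatures that verified

def dmarc_pass(msg: Message) -> bool:
    """Relaxed alignment: SPF or DKIM must pass for a domain that shares
    the From: header's organizational domain."""
    want = org_domain(msg.header_from)
    spf_ok = msg.spf_pass and org_domain(msg.spf_domain) == want
    dkim_ok = any(org_domain(d) == want for d in msg.dkim_pass_domains)
    return spf_ok or dkim_ok

def disposition(msg: Message, policies: dict) -> str:
    """What a DMARC-enforcing receiver does with the message."""
    if dmarc_pass(msg):
        return "deliver"
    policy = policies.get(org_domain(msg.header_from), "none")
    return policy if policy in ("reject", "quarantine") else "deliver"

# Constructed policy table: the visitor's mailbox provider publishes p=reject.
POLICIES = {"yahoo.com": "reject"}

# Web form puts the visitor's address in From: but sends from the school's host.
form_as_visitor = Message("yahoo.com", "school.example", True, ("school.example",))
# Workaround: From: carries an address in the form's own domain instead.
form_as_itself = Message("school.example", "school.example", True, ("school.example",))
# Mail the visitor sends through the provider's own servers.
direct = Message("yahoo.com", "mail.yahoo.com", True, ("yahoo.com",))

if __name__ == "__main__":
    for name, m in [("form, visitor in From:", form_as_visitor),
                    ("form, own From:", form_as_itself),
                    ("sent via provider", direct)]:
        print(f"{name:24} -> {disposition(m, POLICIES)}")
```

SPF and DKIM both pass for the form's own host in the first case; the rejection comes only from the mismatch with the From: domain.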
