Folks,
We (really I) support perhaps 2 dozen small email lists, for a bunch of
community groups (PTOs, churches, neighborhood groups) - mostly the
legacy of previously running a small hosting firm, and still having the
machines sitting in a data center. The kinds of groups with lots of
non-technical users who have email accounts on Yahoo, hotmail, AOL,
Comcast, and such. The lists range in size from tiny (5 person boards
of directors) to maybe 1000 (high school parents).
Yahoo's implementation of its new DMARC policy has been an absolute
disaster. Kind of messes things up when a few days before tax filings
are due, and in parallel with the Heartbleed mess, (not to mention the
work that pays the bills), roughly 1/3 of the addresses on almost all of
the lists start bouncing mail from yahoo addresses - particularly when
yahoo's postmaster didn't have a clue what was going on (my initial
thought was - oh heck, need to get back on their whitelist). Luckily
gmail seems not to be honoring Yahoo's p=reject policy, at least so
far, or things would be a LOT worse.
Still trying to figure out a reasonable fix for this, as it looks like
lots of other listmasters are trying to do - and doesn't help that I'm
running a less common list package (sympa).
Anyway - one of my reactions to this is that something is really broken
about the process by which DMARC and Yahoo's policy have been foisted on
the larger Internet community - and in particular IETF's role or lack
thereof. Specifically:
- DMARC is an ad-hoc group that assembled with a "common goal was to
develop an operational specification to be introduced to the IETF for
standardization"
(http://dmarc.org/about.html)
- DMARC.org defines the "DMARC Base Specification" with a link to
https://datatracker.ietf.org/doc/draft-kucherawy-dmarc-base/ - an IETF
document
- the referenced document is an informational Internet draft, that
expires in October of this year, that starts with "This memo presents a
proposal for a scalable mechanism by which a mail sending organization
can express,.
- It's also being presented as mature - through such publicity
statements as "DMARC standard now protects almost two-thirds of the
world's 3.3 billion consumer mailboxes worldwide"
(http://dmarc.org/news/press_release_20140218.html)
In essence, DMARC is being represented as a mature, standards-track IETF
specification - with the implication that it's been widely vetted, and
is marching through the traditional experimental -> optional ->
recommended -> mandatory steps that IETF standards go through.
In reality:
- DMARC was developed by a tiny number of people, all of whom work for
very large ISPs
- as far as I can tell, all input from the broader community - notably
mailing list developers and operators - was roundly ignored or dismissed
(the transcript is really clear on this)
- while DMARC is at least partially tested, deploying and honoring
"p=reject" messages is brand new, and has wreaked tremendous damage
across the net
- as far as I can tell, those who are behind DMARC are taking the
position "it's not our problem" (see discussions on
dmarc-discuss@xxxxxxxxx and dmarc@xxxxxxxx) - and there is nary a Yahoo
representative to be seen anywhere
From an operational perspective, this is akin to a large player
publishing a corrupt nameserver database or routing update - and then
actively resisting attempts to clean up the mess (which, in effect, is what
Yahoo did by updating their DMARC record to p=reject).
The situation strikes me as incredibly perverse and broken - the more so
that the perpetrators are presenting this as blessed by the IETF
standards process.
It strikes me that IETF should weigh in on this in a formal fashion - if
only to make it very clear that IETF is not responsible for this
debacle, and perhaps to exert some moral influence on the perpetrators
to back off and help clean up the mess they've created.
On a broader scope - this sort of points out a really big hole in our
consensus governance process - when one bad actor can inflict damage
across the entire Internet, apparently, with impunity.
Miles Fidelman
--
In theory, there is no difference between theory and practice.
In practice, there is. .... Yogi Berra