>In fact an argument can be made that in terms of responsible mail handling,
>DMARC is actually an improvement over ADSP. In particular, ADSP provides policy
>choices of "unknown", "all", and "discardable", whereas DMARC provides "none",
>"quarantine", and "reject". Honoring a "discardable" policy causes mail to be
>lost, whereas at least "reject" provides an indication that something went
>wrong.

Discardable was supposed to be a feature, to avoid backscatter, and on the theory that if the mail is that awful, the sooner it goes away the better. Given the current DMARC fiasco, I'd say it was not a bad choice.

I pointed out at the time that "discardable" did not mean your mail was important; on the contrary, it meant that your mail was unusually unimportant, since you were telling people to throw it away if there were any doubt about it.

>The fact that ADSP was developed in tandem with DKIM also means that the IETF
>cannot reasonably claim that attaching these sorts of semantics to From: fields
>was in any way unexpected. As such, there was at least a responsibility to
>document likely interoperability problems use of DKIM in this way would cause.

Well, I tried. I shoehorned my way into the ADSP draft because I anticipated almost exactly the problems with ADSP that we're seeing with DMARC. The other authors didn't disagree, but did say that they wanted each domain to be able to publish its own policy. I thought that was a lousy idea, because I saw no reason to expect that domain owners would publish reasonable policies, but instead would tend to publish overly strict policies in the mistaken belief they were "more secure".

I turned out to be right, since around the time that ADSP was published, some subscriber to IETF lists published a discardable policy, which was wrong, and someone else overimplemented ADSP with rejections rather than discards, which was really wrong, and the latter group promptly bounced themselves off the IETF list.

What I said at the time was that rather than ADSP, you wanted credible third parties publishing lists of domains for which strict ADSP-like behavior was appropriate. That's exactly what happened--look inside SpamAssassin and you'll find a module nominally about ADSP, but with the real ADSP checks turned off by default and a short list of fake ADSP entries for the usual suspects, ebay, paypal, etc.

The only thing I got wrong was that I expected the damage to come from large numbers of small clueless operators publishing strict policies, like a flock of tiny gorillas beating their wee chests and shouting "Fear us, O Internet!" in high squeaky voices. It never occurred to me that two of the largest and most sophisticated mail operators in the world would do such a thing.

R's,
John