--On Thursday, July 17, 2014 02:46 +0000 John Levine <johnl@xxxxxxxxx> wrote:

>>> DMARC is estimated to cover at least 60% of the world's
>>> mailboxes.
>>
>> That's an interesting number, but how was it computed/counted,
>> and what does it mean in reality.
>
> It certainly means Gmail, Yahoo, Hotmail, AOL, and all their
> various hosted services such as AT&T ISP mail in the US, as
> well as giant US cable ISP Comcast.
>
>> When the @yahoo.com reject policy had been set up, I checked
>> whether I could send fake @yahoo.com Email to my private
>> German (F)reeMail account and to my own company email
>> account, and both Emails were properly delivered to my
>> Mailboxes.
>
> It's more popular among large providers than small ones.

And maybe that statement covers another part of the issue. Counting deployment numbers is legitimate, but the IETF has, at least IMO, tended to avoid protocols that favor large providers but hurt small ones (whether the "hurt" is technical, driving costs up, or something else). That may be especially important in the email case because "small provider" includes not only small multicustomer ISPs and ESPs, but a large number of organizational, institutional, and corporate mail systems.

To me, that makes decisions about damage-mitigation work for a non-essential protocol complicated because one way to eliminate the damage is to not support the protocol at all, possibly including stripping its headers whenever they are encountered.

I don't want to try to do the WG's work at charter discussion time, but I'd like to be sure that the charter and leadership of the WG aren't set up to preclude a result of "this protocol is dangerous and problematic, it is Not Recommended, and the IETF recommendation is to minimize damage by discarding (or otherwise ignoring) DMARC headers whenever they are encountered".

I want to stress that I'm not recommending that approach, although it has some charm. I just want to be sure it is at least treated as a legitimate alternative and that, should someone complain on IETF Last Call that it wasn't considered seriously and/or that the reasons for not going in that direction are not adequately documented, such complaints cannot be dismissed on the basis of language in the charter.

    john