--On Thursday, September 11, 2014 10:30 -0700 Doug Barton
<dougb@xxxxxxxxxxxxx> wrote:

> John Klensin,
>
> If you don't like that solution, what solution do you propose
> to deal with the large (by volume) installed base of DMARC
> domains relative to mailing list traffic? It's fine and good
> to talk about theory, more power to ya. :) But as Brian
> pointed out the volume of list traffic that is being shunted
> to spam folders, or outright rejected, is only increasing.
> Continuing to complain about DMARC, or the way it's being
> used, is wasted electrons.
>
> I proposed creating a draft for a standardized way of encoding
> the original from address to the left of the @ sign so that
> the mailing list sender could create a valid DKIM record, but
> clients could be taught to decode the original From:. You and
> others pooh-pooh'ed that suggestion, but I haven't seen a
> better one yet.

I don't recall "pooh-pooh"-ing anything, but as many people here
are aware, I've got a deep aversion, based on extensive
experience, to tampering with headers in transit. From that
point of view, a fancy encoding of the local part is not
significantly different from the "rewrite to point to the mail
exploder" technique John Levine mentioned.

As to a solution, I believe that a key reason the Internet has
gotten this far -- both technically and in terms of convincing
regulators and the like to let us rely on "multistakeholder"
solutions rather than extensive formal regulation -- depends on
organizations with market power (by volume) exercising good
judgment and moderation when it is discovered that their actions
hurt others or force others to incur significant expense. I
sincerely hope that the newly-created WG will move expeditiously
to modify DMARC so that it stops causing these problems and that
the major (by volume) organizations who have deployed DMARC will
then rapidly adopt those changes.
From that perspective, "we deployed this neat thing, if it hurts
you and your perfectly standards-conforming application, suck it
up" just doesn't work for me regardless of what the parties with
those other applications might apply as remedies.

I hope I'm not getting too hysterical about this but, if DMARC
"works" in the sense that the organizations who created it can
effectively force everyone else to adapt or find themselves at a
severe disadvantage, what is to prevent the same actors from
collaborating on new core email protocols (replacing SMTP and
the header specs)? We probably all agree that those specs are
showing their age and that we would do things differently if we
started over today and didn't need to worry about the installed
base. We probably don't agree on what changes should be made and
the IETF has traditionally been quite careful about that
installed base. But suppose some consortium of large actors came
along and said "we have designed a new set of mail protocols
that will provide our users a better experience" (or, to be
cynical, provide us with better advertising opportunities) "and
good luck to you in designing gateways". Would we accept that in
the same way that you and others seem to be urging ways to
accommodate to DMARC? I fear for the notion of an open Internet
if the answer is "yes", but probably see less difference between
that case and the DMARC one than you and others may.

Maybe things just look better from my applications perspective
looking down the stack, but my impression is that most of the
major corporate actors in, e.g., routing, the network layer, and
operations are still behaving more or less consistently with
that historical cooperative model. But some of the active forces
in the applications layer, seemingly especially where email is
concerned, seem to have lost sight of it or concluded that it is
not in their interest to do so. I find that pretty troubling.

Now, perhaps my view is outdated and naive and our present
reality is that any convenient 300 pound gorilla (or a
consortium of them) can (and will) do whatever they like and
expect others to conform. If that is so, I question the
long-term future of the IETF and voluntary,
individual-participation, standardization efforts, both because
market power becomes a more economical and effective substitute
for open standards and because this is exactly the sort of thing
that causes other actors to decide that external adult
supervision is needed (with them picking the "adults").

best,
   john