Alexey,
This may be the best that can be done given the degree to which
DMARC is an attack on the mail system (those who don't
understand that assertion should see the appendix below) but I
think we should all be concerned about the trend it seems to
represent. Again, that is not a suggestion that we not do this
(and wouldn't be one even if the decision had not yet been
made), just a plea that we be very aware of, and document, the
tradeoffs that are being made.
That said, I'm uncomfortable with using "=40" as a convention in
the middle of an address. First, there is nothing that supports
the idea of encoded octets in the middle of local parts and, as
you know, there is ample precedent for interpreting an equal
sign in a local part as an indication of a name-value setup. We
haven't seen SMTPUTF8 addresses on the IETF list yet, but I
think there is a strong case to be made that, if we are going to
start encoding things, we should be encoding Unicode code points
(e.g.,
"alexey\u'0040'example.com@xxxxxxxxxxxxxx" or
"alexey?utf8"?40?example.com@xxxxxxxxxxxxxx"
) rather than inventing yet another new system. I don't think
that is a good idea, in part because I encountered an example in
the last 24 hours that tries to use encoded words to deal with a
non-ASCII local part (something the EAI WG considered and
rejected and that, if performed in transit, is non-conformant
with the SMTPUTF8 specs). Any encoding trick like the above (or
like just using "=40") is going to encourage that sort of
"innovation".
With the understanding that I'm holding my nose while saying
this (because I have been happy to see the convention fade from
use), we already have a widely-supported and recognized
convention for this type of encoding and I wonder why those who
have been involved with this effort rejected it. That would be
to use
alexey%example.com@xxxxxxxxxxxxxx
just a thought.
best,
john
-------
Appendix:
I've said this before but, to the degree to which the spam and
other attacks which DMARC is intended to mitigate force us to
change the mail system in ways that make it less functional, we
are essentially admitting that the bad guys have won. This is
certainly not the only case and may not be the most important
one. For example, the mail system was designed on the
assumption that delivery would be reasonably reliable, that
non-delivery would be indicated by NDNs ("bounce messages"), and
therefore that delivery or read acknowledgments would typically
be unnecessary (important because they pose privacy problems).
However, because of concern about blowback attacks, fewer and
fewer sites are generating bounce messages, at least to
unauthenticated senders.
Rules against tampering with or even inspecting message content
in transit have also eroded due to the need to do malware
filtering. That is probably also the least-bad solution
possible but takes us down a path similar to the switch from
HTTP to HTTPS-based web connections: enterprises with concerns
about attacks hidden behind the encryption have huge incentives,
even a sense of necessity, to fake termination points and keys
to allow content inspection at firewalls or the equivalent.
In each case, the bad guys may get frustrated in their immediate
goals but the long-term effect is a narrowing of the
functionality and reliability of the Internet.
--On Friday, May 11, 2018 13:00 +0100 Alexey Melnikov
<aamelnikov@xxxxxxxxxxx> wrote:
> Hi,
> Many of you have seen several long discussions thread about
> DMARC and how it affects use of IETF/IRTF mailing lists.
>
> After testing DMARC workaround code written by Henrik
> Levkowetz on several high volume IETF and IRTF mailing lists
> (e.g. CFRG, WebRTC, DMARC, QUIC), the tools team and the IESG
> decided that Henrik's code should be deployed for all IETF and
> IRTF mailing lists. In particular the workaround allows people
> from DMARC p=reject domains to participate in IETF mailing
> lists, as well as to avoid the problem of recipients being
> unsubscribed from mailing lists. These 2 issues were the main
> reasons for developing the DMARC workaround code..
>
> The workaround will be deployed today, May 11th.
>
>
> Below are some technical details on how the email address
> rewriting workaround is going to work:
>
> Emails from domains that don't have a p=reject DMARC setting
> are not going to be affected in any way.
>
> For emails from p=reject domains:
>
> - The From header field of such emails will be rewritten to be
> under @dmarc.ietf.org domain (which will have a p=none
> policy). For example, "alexey@xxxxxxxxxxx" email address would
> become "alexey=40example.com@xxxxxxxxxxxxxx". The original
> From header field will be preserved in the X-Original-From
> header field, which can be used for automatic message
> processing by Sieve and Mail User Agents.
>
> Note that the mapping is reversible, so it is possible to send
> replies or new messages to an original sender by sending them
> to the corresponding mapped @dmarc.ietf.org email address.
