Yahoo DMARC breakage
On Wed, Apr 9, 2014 at 8:04 PM, Miles Fidelman
<mfidelman at meetinghouse.net> wrote:
On 4/9/2014 7:25 PM, Miles Fidelman wrote:
>> Yahoo! is choosing to apply the technology for usage scenarios that have
>> long been known to be problematic. Again, they've made an
>
> In fact... it is too generous to say "known to be problematic".
Basic functionality is seriously and utterly broken --- that DMARC doesn't
have a good answer for such situations, is a major indicator of its
immaturity, in the sense that it is "Too specific" a solution and cannot
apply to e-mail in general.
If it were mature: a mechanism would be provided that would allow mailing
lists to function without breaking changes such as substituting From:.
An example of a solution would be the use of a DKIM alternative with not
a single signature for the entire message, but only partial signing of
parts of the message: specifically identified headers and/or specific
body elements, to validate that the message was really sent and certain
elements are genuine ---- and certain elements were modified by the
mailing list.
>> informed choice. Whether it's justified and whether it was the right
>> choice is more of a political or management discussion than a technical one.
>>
>
The technical issue is that the immaturity of the related specs limits
the decisions that are available for a particular domain ---- so,
essentially, if you have a certain kind of user traffic: you have to incur
technical issues with mailing lists, or forego using DMARC.
In other words: much as you would like to dismiss as purely a managerial
decision ---- the decisions available to be made are entangled with
the limitations of the technical options that are available for
mitigating spoofing,
AND the public's understanding thereof.
>
>> In technical terms, DMARC is reasonably simple and reasonably well
>> understood and extensively deployed.
>>
>
I would say reasonably simple.
Only well-understood by a very limited fraction of the population of mail
operators.
Not widely deployed; particularly on domains serving end user mailboxes.
>
>> For most discussions, that qualifies as 'mature'...
>>
>>
> Especially after reading some of the discussions on the DMARC mailing list
> where it's clear that issues of breaking mailing lists were explicitly
> ignored and dismissed.
+1.
A common use case being ignored and dismissed is a pretty convincing indicator of
a lack of maturity with regard to the spec.
> Miles Fidelman
>
>
>
> --
> In theory, there is no difference between theory and practice.
> In practice, there is. .... Yogi Berra
>
>
>
--
-Mysid
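
The breakage discussed in this thread, as an added example that is not part of the original message: a simplified DMARC evaluation of one message sent directly, relayed through a list that appends a footer, and relayed with From: substituted. The domains, the list footer, the policies and the two-label organizational-domain shortcut are assumptions, and only the body-hash half of DKIM verification is modelled.

```python
import base64
import hashlib

def body_hash(body: bytes) -> str:
    """DKIM bh= value: SHA-256 of the body under 'simple' canonicalization."""
    canon = body.rstrip(b"\r\n") + b"\r\n"  # trailing empty lines are ignored
    return base64.b64encode(hashlib.sha256(canon).digest()).decode()

def org_domain(domain: str) -> str:
    # Simplification: real evaluators use the Public Suffix List.
    return ".".join(domain.lower().split(".")[-2:])

def dmarc_result(msg: dict, policy: str) -> str:
    """Return 'pass', or the From: domain's policy when nothing aligns."""
    author = org_domain(msg["from"])
    # Only the body-hash half of DKIM verification is modelled here.
    dkim_ok = body_hash(msg["body"]) == msg["bh"]
    dkim_aligned = dkim_ok and org_domain(msg["dkim_d"]) == author
    spf_aligned = msg["spf_pass"] and org_domain(msg["mail_from"]) == author
    return "pass" if (dkim_aligned or spf_aligned) else policy

def relay_through_list(msg: dict, rewrite_from: bool) -> dict:
    """Constructed list behaviour: append a footer, use the list's bounce address."""
    out = dict(msg, body=msg["body"] + b"--\r\nlist footer\r\n",
               mail_from="bounces.list.example", spf_pass=True)
    if rewrite_from:  # the From: substitution workaround, re-signed by the list
        out.update({"from": "list.example", "dkim_d": "list.example",
                    "bh": body_hash(out["body"])})
    return out

# Constructed sample message; all domains are placeholders.
BODY = b"Hello list,\r\nplease see below.\r\n"
ORIGINAL = {"from": "sender.example", "mail_from": "sender.example",
            "spf_pass": True, "dkim_d": "sender.example",
            "bh": body_hash(BODY), "body": BODY}

def scenarios() -> dict:
    return {
        "direct": dmarc_result(ORIGINAL, "reject"),
        "via_list": dmarc_result(relay_through_list(ORIGINAL, False), "reject"),
        "via_list_from_rewritten": dmarc_result(relay_through_list(ORIGINAL, True), "none"),
    }

if __name__ == "__main__":
    for name, result in scenarios().items():
        print(f"{name}: {result}")
```

The relayed copy fails both checks: the footer changes the body hash, so the sender's DKIM signature no longer verifies, and the SPF pass belongs to the list's domain, which does not align with From:.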