ietf

Re: DMARC and yahoo

2014-04-15 20:46:10

On Apr 15, 2014, at 5:34 PM, Doug Royer <douglasroyer(_at_)gmail(_dot_)com> 
wrote:

Yahoo does not seem to require DMARC. Simply use one of the other two 
options. I use SPF for my domains, and it makes it through their systems just 
fine.

Dear Doug,

There's confusion about DMARC policy.  Policy is based on the domain in the 
From header field as indicated at _dmarc.<email-domain>.  If the From header 
contains "somebody(_at_)yahoo(_dot_)com", then policy located at:

_dmarc.yahoo.com. IN TXT "v=DMARC1\; p=reject\; sp=none\; pct=100\; rua=mailto:dmarc-yahoo-rua(_at_)yahoo-inc(_dot_)com, mailto:dmarc_y_rua(_at_)yahoo(_dot_)com\;"

means any validation not aligned with yahoo.com is to be rejected.

It looks to me that some want to be able to send list email to many from a 
bogus email address (some-domain.invalid). Simply stop doing that.

No. Having emailing lists change From headers to 
"somebody(_at_)yahoo(_dot_)com.invalid" sidesteps onerous _dmarc. policy (which 
prevents mailing-list use).

It seems 5 organizations outweigh 30,000 smaller groups.  There are scalable 
solutions such as ATP.  DMARC, on its own, requires all services to be under 
their domain.

One of the responsibilities of being a list maintainer is cleaning up all of 
the bounced mess from no longer valid email addresses. I have advocated in the 
past for an email header that allows a bounced message to be automatically 
routed for the correct reason back to the list maintainer for processing by 
automated processes. Maybe it is time to revisit that proposal.

I used to get thousands of spams from forged email. I get almost none now. If 
I got thousands, Yahoo must get millions. I applaud them for their courage to 
take a stand.

What you describe reflects most mailing lists that are generally better managed 
than the general corpus of messages directly from yahoo.com itself.  This is 
also why I wrote the ATP protocol.  ATP offers sending domains a means to 
select an ATP label hashes of domains they or the community considers 
well-managed third-party services.  Such exceptions will not invite abuse.

Regards,
Douglas Otis
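
The policy lookup and alignment check discussed in the message above, as an added example that is not part of the original thread. It assumes relaxed alignment, approximates the organizational domain as the last two labels instead of using the Public Suffix List, ignores pct, and uses a constructed DNS table holding the quoted record without its rua tag; all function names are hypothetical.

```python
# Added example: simplified DMARC policy evaluation, not a full RFC 7489 receiver.

# Constructed stand-in for DNS: the record quoted in the message with the rua=
# tag omitted. The zone-file "\;" escapes are kept as they appear on the page.
DNS_TXT = {
    "_dmarc.yahoo.com": r"v=DMARC1\; p=reject\; sp=none\; pct=100\;",
}

def parse_dmarc(txt):
    """Turn 'v=DMARC1; p=reject; ...' into a dict of tags, or None if invalid."""
    tags = {}
    for part in txt.replace("\\", "").split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags if tags.get("v") == "DMARC1" else None

def org_domain(domain):
    # Assumption: organizational domain = last two labels.
    # Real receivers consult the Public Suffix List.
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def evaluate(from_domain, spf_pass_domain=None, dkim_pass_domain=None):
    """Disposition for a message, keyed on the From header domain only."""
    from_domain = from_domain.lower().rstrip(".")
    org = org_domain(from_domain)
    txt = DNS_TXT.get("_dmarc." + from_domain)
    inherited = txt is None and from_domain != org
    if inherited:
        txt = DNS_TXT.get("_dmarc." + org)  # fall back to the org domain record
    policy = parse_dmarc(txt) if txt else None
    if policy is None:
        return "no-policy"
    # Relaxed alignment: an authenticated identifier shares the From org domain.
    authenticated = (spf_pass_domain, dkim_pass_domain)
    if any(d and org_domain(d) == org for d in authenticated):
        return "pass"
    if inherited and "sp" in policy:
        return policy["sp"]  # subdomain policy from the org-level record
    return policy.get("p", "none")

if __name__ == "__main__":
    # List relay: SPF passes for the list's own (constructed) domain only.
    print(evaluate("yahoo.com", spf_pass_domain="lists.example.org"))
    # Same relay after the list rewrites From to the .invalid form.
    print(evaluate("yahoo.com.invalid", spf_pass_domain="lists.example.org"))
```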