RE: DMARC and yahoo

2014-04-16 12:03:57
-----Original Message-----
From: Theodore Ts'o [mailto:tytso(_at_)mit(_dot_)edu]
Sent: Wednesday, April 16, 2014 11:51 AM
To: MH Michael Hammer (5304)
Cc: ietf(_at_)ietf(_dot_)org
Subject: Re: DMARC and yahoo

On Wed, Apr 16, 2014 at 02:07:39PM +0000, MH Michael Hammer (5304)
wrote:


Instead of "But had gmail.com..." substitute "When gmail.com does..."

You are asserting that gmail will eventually do what Yahoo has done.


I am asserting that if, as an organization, Google (or any other mailbox 
provider for that matter) perceives that p=reject is working for other 
providers of a similar nature to mitigate abuse then yes, they will, even 
recognizing potential negative consequences in some areas as long as they 
believe that the benefits outweigh the consequences. It may be that no other 
mailbox provider chooses to make such a move.  I'm also saying that mailbox 
providers which validate DMARC have the data to see what the impacts are - both 
on abuse as well as broken mail through mailing lists and other sources. This 
is especially true for large providers that have the resources to do the 
analysis.

I can't speak for my employer, but I suspect there will be a lot of people
(both inside and outside of the company) lobbying to make sure gmail
doesn't do the same insane thing that Yahoo has done.  I have quite a bit of
faith that senior folks like Vint Cerf will take a bit more of a nuanced view
than some of the DMARC cheerleaders have done, and his voice does carry a
fair amount of weight.


As I've said before, my ox isn't gored on the mailing list issue. Each mailbox 
provider will make a calculus as to which way to jump. This calculus will 
change over time for each mailbox provider depending on a number of factors and 
the perceived outcomes for the organization and its customers. Let's assume 
that Google chooses not to follow Yahoo but a number of other large providers 
do. You still have a similar outcome. I'm not presenting this as cheerleading 
for DMARC. I'm presenting this as a real situation and other mailbox providers, 
both large and small, may choose to go this direction. I haven't heard any of 
the denizens of this list present any approach as to how they will deal with 
such a sea change. 

As von Moltke the Elder wrote, "no plan of operations extends with any 
certainty beyond the first contact with the main hostile force".

Setting aside your personal preference as to outcomes, I'd love to hear your 
thoughts on how IETF and/or mailing list operators would deal with such a 
situation (some significant portion of mailbox providers/users migrated to this 
new paradigm) should it occur. 

Cheers,

                                              - Ted

P.S.  One of the reasons why I think mailing list software should pick
mechanisms that inflict pain on yahoo.com customers, and hopefully get
them to switch, is that hopefully other e-mail providers will consider the
costs of using DMARC p=reject for domains where users might need to send
mail to mailing list, and choose differently from Yahoo.

That is certainly a plan but it doesn't work so well if it becomes Yahoo+n. My 
wife and I have discussed this issue and our personal decision is that if our 
alma maters, charitable organizations that we contribute to, etc. undertake 
this tactic to intentionally inflict pain on us if our mailbox provider 
(neither of us happens to use Yahoo) should go this route, we will simply 
choose other places to give our support and donations. This is not a function 
of the DMARC debate itself but is instead a function of an organization biting 
the hand that feeds them to intentionally inflict pain to gain leverage over a 
3rd party. For some organizations, while our donations are not critical, they 
are significant enough to get senior management attention if withheld with an 
explanation of why we have made that choice.
