Re: history of From: validation, was DMARC-4-ML

2014-05-14 23:04:08
> In fact an argument can be made that in terms of responsible mail handling,
> DMARC is actually an improvement over ADSP. In particular, ADSP provides policy
> choices of "unknown", "all", and "discardable", whereas DMARC provides "none",
> "quarantine", and "reject". Honoring a "discardable" policy causes mail to be
> lost, whereas at least "reject" provides an indication that something went
> wrong.

Discardable was supposed to be a feature, to avoid backscatter, and on
the theory that if the mail is that awful, the sooner it goes away the
better.  Given the current DMARC fiasco, I'd say it was not a bad
choice.  I pointed out at the time that "discardable" did not mean
your mail was important, on the contrary it meant that your mail was
unusually unimportant, since you were telling people to throw it away
if there were any doubt about it.

> The fact that ADSP was developed in tandem with DKIM also means that the IETF
> cannot reasonably claim that attaching these sorts of semantics to From: fields
> was in any way unexpected. As such, there was at least a responsibility to
> document the likely interoperability problems that use of DKIM in this way would cause.

Well, I tried.  I shoehorned my way into the ADSP draft because I
anticipated almost exactly the problems with ADSP that we're seeing
with DMARC.  The other authors didn't disagree, but did say that they
wanted each domain to be able to publish its own policy.  I thought
that was a lousy idea, because I saw no reason to expect that domain
owners would publish reasonable policies, but instead would tend to
publish overly strict policies in the mistaken belief they were "more
secure".  I turned out to be right, since around the time that ADSP
was published, some subscriber to IETF lists published a discardable
policy, which was wrong, and someone else overimplemented ADSP with
rejections rather than discards, which was really wrong, and the
latter group promptly bounced themselves off the IETF list.

What I said at the time was that rather than ADSP, you wanted credible
third parties publishing lists of domains for which strict ADSP-like
behavior was appropriate.  That's exactly what happened--look inside
spamassassin and you'll find a module nominally about ADSP, but with
the real ADSP checks turned off by default and a short list of fake
ADSP entries for the usual suspects, ebay, paypal, etc.

The only thing I got wrong was that I expected the damage to come from
large numbers of small clueless operators publishing strict policies,
like a flock of tiny gorillas beating their wee chests and shouting
"Fear us, O Internet!" in high squeaky voices.  It never occurred to
me that two of the largest and most sophisticated mail operators in
the world would do such a thing.

R's,
John
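A worked illustration of the two policy vocabularies compared in this thread (ADSP's "unknown"/"all"/"discardable" versus DMARC's "none"/"quarantine"/"reject") and the disposition each implies for a message that fails authentication. This is added example code, not anything from the thread, RFC 5617, or SpamAssassin; the DNS TXT records are constructed sample values.

```python
# Constructed sample DNS TXT records (not from any real domain).
ADSP_RECORD = "dkim=discardable"                      # found at _adsp._domainkey.<domain>
DMARC_RECORD = "v=DMARC1; p=reject; rua=mailto:agg@example.invalid"  # at _dmarc.<domain>


def parse_tags(record: str) -> dict:
    """Parse the 'tag=value; tag=value' syntax shared by ADSP and DMARC records."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def adsp_disposition(record: str, author_sig_valid: bool) -> str:
    """ADSP practices: unknown / all / discardable.

    'all' only asserts that the domain signs everything; the receiver decides
    what to do with unsigned mail. 'discardable' asks for a silent discard:
    no bounce, hence no backscatter, but the sender never learns the mail was lost.
    """
    practice = parse_tags(record).get("dkim", "unknown").lower()
    if author_sig_valid:
        return "deliver"
    if practice == "discardable":
        return "discard"
    return "deliver"  # 'unknown', 'all', or an unrecognised practice


def dmarc_disposition(record: str, aligned_auth_pass: bool) -> str:
    """DMARC policies: none / quarantine / reject.

    'reject' is applied at SMTP time as a 5xx response, so the sending side
    gets an indication that something went wrong instead of mail vanishing.
    """
    tags = parse_tags(record)
    if tags.get("v", "").upper() != "DMARC1" or aligned_auth_pass:
        return "deliver"
    policy = tags.get("p", "none").lower()
    if policy == "reject":
        return "reject"
    if policy == "quarantine":
        return "quarantine"  # e.g. spam folder or hold for review
    return "deliver"         # 'none' is monitor-only
```

Running both functions over the same unauthenticated message shows the difference the thread is about: the ADSP record yields a silent "discard", the DMARC record a visible "reject".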