ietf

Re: DMARC and ietf.org

2016-08-13 10:11:14
> The real problem is that in the absence of standardization, when the
> folks who implemented DMARC went ahead without doing something that
> didn't break all use cases, there's no consensus on what is the "good
> enough" solution.

DMARC was fine when it was used to protect high value company domains like paypal.com. It became much less fine when AOL and Yahoo started using it to force the costs of their own security failures on third parties.

> ARC is supposed to be the magic bullet that will fix all of this, but
> this assumes someone is going to create ARC implementations for all of
> the common mailing list server implementations, and it's not obvious
> that this is going to be happening, either.

The Mailman people are certainly working on it, and I plan to work on Sympa. What list software are you thinking of?

More to the point, ARC lets lists keep working the way they're supposed to. All of the workarounds break stuff. The most popular workaround, putting the list address on the From: line, makes it hard to tell who the message is from, close to impossible to reply to the author of the message*, and trains people to be phished.

> But it's a lot easier to blame the people who made the change which broke things.....

Well, yes, they certainly deserve it.

Regards,
John Levine, johnl(_at_)taugh(_dot_)com, Taughannock Networks, Trumansburg NY
Please consider the environment before reading this e-mail.

* - anyone who says "you can put it in the Reply-To" has just shown that they don't understand the problem.
