Hi Dave,

On Wed, Apr 09, 2014 at 12:27:55PM -0500, Dave Crocker wrote:
> But it's the result of an informed corporate choice rather than software or operations error.

Why do you think (it seems to me you've said it more than once) that this was "informed" choice? If I go to http://dmarc.org/, and read the "who can use?" part, there is no big warning there that domains with a lot of random users from all over who might be posting to mailing lists will have a complicated problem. On the contrary, the only "who" in that section is "everyone". Also, the "why important" part says "DMARC addresses these issues, helping email senders and receivers work together to better secure emails, protecting users and brands from painfully costly abuse."

And indeed, if I follow the link for the current specification from http://dmarc.org/, there is rather little discussion of what happens to users. This is as it should be. That's an Internet-Draft of the protocol. It might one day be published as an Independent Submission, partly because those who developed DMARC didn't want to give control to the IETF. I get that, but it's sort of hard to know what it means in terms of corporate "informed choice". There's no applicability statement I can see.

So, I'm trying to imagine the presentation slide on which appears the advice to implement the controversial adopted policy. I imagine in big, giant print "Will reduce yahoo.com abuse effects" and in one of those secondary bullets "May have consequences" and even lower "for our users on mailing lists" and "for mailing list managers/non-company". We all know the Tufte observations about PowerPoint; that doesn't make them less true. I can even give the presentation I imagine, and I don't work at the company in question.

I think DMARC is mostly useful when used correctly. There is no BCP yet, however, and that's partly because there's as yet no broad experience with DMARC in what we might call "mostly-user domains": there is no "CP" at all. There is quite good experience in the areas where DMARC was intended to be effective. Good. To pretend that there's any experience outside that realm is, in my opinion, generalizing inappropriately. I think responsible Internet deployment ought to point that out. I'm sure there will be those who disagree.

Best regards,

A

-- 
Andrew Sullivan
Dyn, Inc.
asullivan@dyn.com
v: +1 603 663 0448