On Wed, Apr 9, 2014 at 8:04 PM, Miles Fidelman <mfidelman@meetinghouse.net> wrote:
On 4/9/2014 7:25 PM, Miles Fidelman wrote:
Yahoo! is choosing to apply the technology for usage scenarios that have
long been known to be problematic. Again, they've made an
In fact... it is too generous to say "known to be problematic".
Basic functionality is seriously and utterly broken --- that DMARC doesn't have a good answer for such situations, is a major indicator of its immaturity, in the sense that it is "Too specific" a solution and cannot apply to e-mail in general. If it were mature: a mechanism would be provided that would allow mailing lists to function without breaking changes such as substituting From:. An example of a solution would be the use of a DKIM alternative with not a single signature for the entire message, but only partial signing of parts of the message: specifically identified headers and/or specific body elements, to validate that the message was really sent and certain elements are genuine ---- and certain elements were modified by the mailing list.
informed choice. Whether it's justified and whether it was the right
choice is more of a political or management discussion than a technical one.
The technical issue is that the immaturity of the related specs limits the decisions that are available for a particular domain ---- so, essentially, if you have a certain kind of user traffic: you have to incur technical issues with mailing lists, or forego using DMARC. In other words: much as you would like to dismiss as purely a managerial decision ---- the decisions available to be made are entangled with the limitations of the technical options that are available for mitigating spoofing, AND the public's understanding thereof.
In technical terms, DMARC is reasonably simple and reasonably well understood and extensively deployed.
I would say reasonably simple. Only well-understood by a very limited fraction of the population of mail operators. Not widely deployed; particularly on domains serving end user mailboxes.
For most discussions, that qualifies as 'mature'...
Especially after reading some of the discussions on the DMARC mailing list where it's clear that issues of breaking mailing lists were explicitly ignored and dismissed.
+1. Common use case ignored and dismissed, is a pretty convincing indicator of a lack of maturity with regards to the spec.
Miles Fidelman
-- In theory, there is no difference between theory and practice. In practice, there is. .... Yogi Berra
-- -Mysid
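
The mailing-list breakage this thread argues about, as an added example that is not part of any poster's message: a minimal DMARC identifier-alignment check run over three constructed deliveries (direct, relayed by a list that modifies the message, and relayed with From: substituted). The domains `sender.example` and `lists.example.org`, the `reject` policy value and the two-label organizational-domain shortcut are assumptions made for illustration.

```python
from dataclasses import dataclass


def org_domain(domain: str) -> str:
    # Assumption: the organizational domain is the last two labels.
    # Real receivers consult the Public Suffix List instead.
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def aligned(from_domain: str, auth_domain: str, strict: bool = False) -> bool:
    # Strict alignment needs an exact match; relaxed alignment only needs
    # the same organizational domain.
    a, b = from_domain.lower(), auth_domain.lower()
    return a == b if strict else org_domain(a) == org_domain(b)


@dataclass
class Delivery:
    header_from: str   # domain of the From: header the recipient sees
    spf_pass: bool     # SPF result for the envelope sender
    spf_domain: str    # envelope sender (MAIL FROM) domain
    dkim_pass: bool    # did the DKIM signature verify?
    dkim_domain: str   # d= domain of that signature


def dmarc_result(m: Delivery, policy: str) -> str:
    # DMARC passes only if SPF or DKIM passes AND that mechanism's domain
    # aligns with the From: header domain.
    spf_ok = m.spf_pass and aligned(m.header_from, m.spf_domain)
    dkim_ok = m.dkim_pass and aligned(m.header_from, m.dkim_domain)
    if spf_ok or dkim_ok:
        return "pass"
    # Otherwise the receiver applies the From: domain's published policy.
    return "fail:" + policy


# Constructed samples (not taken from real traffic).
# 1. Sent directly by the author's provider.
DIRECT = Delivery("sender.example", True, "sender.example", True, "sender.example")
# 2. Relayed by a list that adds a subject tag/footer: the author's DKIM
#    signature no longer verifies, and SPF passes only for the list's domain.
VIA_LIST = Delivery("sender.example", True, "lists.example.org", False, "sender.example")
# 3. Same relay, but the list substitutes its own address into From:.
REWRITTEN = Delivery("lists.example.org", True, "lists.example.org", False, "sender.example")

if __name__ == "__main__":
    for name, m in [("direct", DIRECT), ("via list", VIA_LIST), ("From: rewritten", REWRITTEN)]:
        print(f"{name:16s} -> {dmarc_result(m, 'reject')}")
```
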