On Fri, Apr 14, 2023 at 9:47 PM Douglas Foster <
dougfoster.emailstanda...@gmail.com> wrote:

> These decisions are made in the light of ransomware attacks that have shut
> down critical social infrastructure like city governments and hospital
> systems.
>
> The proceeds from Internet-based fraud are funding groups like Boko Haram
> that kidnaps girls into sex slavery, boys into child soldiering, and then
> uses their weapons to burn Christians inside their churches.
>
> This is not about money for fat cats, it is about trying to stave off the
> darkness.
>
> Unless a mailing list has controls in place to ensure that EVERY post
> comes from the asserted participant, it is the height of hypocrisy to ask
> an evaluator to assume that the post is from the asserted participant.
> IETF cannot do even the easiest part of that task, so I have no reason to
> expect better elsewhere.
>
> Societies depend on trust. Impersonation in all its forms undermines
> trust.
>
>
> Doug
>
>
>
>
> On Fri, Apr 14, 2023, 9:17 PM Murray S. Kucherawy <superu...@gmail.com>
> wrote:
>
>> On Fri, Apr 14, 2023 at 12:37 PM Dotzero <dotz...@gmail.com> wrote:
>>
>>> While the you part of "we" may not see any advantages, quite a few
>>> financials, greeting card sites, retailers AND many receivers have seen the
>>> advantages, including p=reject. One thing I've learned over the years is
>>> that it is presumptuous to speak on behalf of "everyone" when you don't
>>> actually have their authorization to speak on their behalf. It's kind of
>>> like sending email claiming to be from someone else's domain without their
>>> permission.
>>>
>>
>> We need to tread carefully here.  Standards are supposed to improve
>> things for everyone, not just quite a few financials, greeting card sites,
>> retailers AND many receivers.  Presented that way, it sounds a lot like
>> we're saying these decisions should be biased in favor of those with
>> money.  I know we don't mean that.
>>
>> -MSK, participating
>>
>

Seeing the advantage does not mean that it only benefits the ones I listed.
I'm aware they see the advantage because people from those types of
organizations were involved in the original creation and testing and over
the years I've seen the data on abuse reduction. Not just the DMARC numbers
but the downstream impacts on abuse. Unfortunately organizations tend not
to provide data about its efficacy publicly because it involves providing
data about their business. It works. It could have been kept a private club
of "big boys" but people involved in the effort believed there was (is) an
ecosystem benefit in it being an open standard that anyone could implement.
From start to publication, DMARC took roughly 18 months including testing.
The participating organizations spent a lot of resources and money during
that period writing code and testing, including various meetings and
interop events. I'm not confident it would have happened and especially in
that time frame if it were a public effort. Now that also doesn't include
the initial time and work it took for the private parties to figure out how
to interact with each other.  It's smaller organizations and the average
person who benefits from that initial effort. If it weren't a published
standard, how could they take advantage and be able to participate? It was
handed over to IETF because of a belief that IETF would be the best steward
in moving it forward.

And yes, I fully recognize that there are tradeoffs DMARC involves. If only
transactional domains publish p=reject then I'd argue the benefits far
outweigh the downsides. The calculus changes with broader implementation
for other types of domains, but as others have pointed out, no death
penalty is imposed in those circumstances.

I've seen people suggest that policy should be gotten rid of but keep
reporting. Policy was/is the incentive for receivers to do reporting. It
allows sending domains to have visibility into mail flows claiming to be
theirs, whether theirs or not, from the receiver's perspective. This
presumably enables them to take steps to correct things they perceive to be
problematic if they so choose. And yes, that can include publishing
quarantine or reject as a policy request.

If it weren't for companies like Yahoo and AOL pulling the trigger on
p=reject, we wouldn't be having this conversation. I'm not saying this to
blame them, rather I'm just recognizing facts. But we are where we are.

Michael Hammer
_______________________________________________
dmarc mailing list
dmarc@ietf.org
https://www.ietf.org/mailman/listinfo/dmarc
