nanog mailing list archives

Re: Yahoo DMARC breakage


From: Michael Thomas <mike () mtcc com>
Date: Thu, 10 Apr 2014 07:56:16 -0700

On 04/09/2014 09:54 PM, Jimmy Hess wrote:
> Basic functionality is seriously and utterly broken --- that DMARC doesn't
> have a good answer for such situations, is a major indicator of its
> immaturity, in the sense that it is "Too specific" a solution and cannot
> apply to e-mail in general.

DMARC is nothing more than warmed over ADSP which itself didn't have
a pat answer for mailing list traversal. For transactional mail ADSP was
just fine, but for regular mail the signing policy was meant to be a guide for
other heuristics. It says nothing more than "i sign my mail outgoing", so
what do you do if the signature is broken? If you want to take a hard line,
then you are going to get all kinds of false positives... this has been known
for 10 years at least. I'd be surprised to hear that Y! of all people was doing
that, but it's their pissed off users' problem. Vote with your feet.


> If it were mature: a mechanism would be provided that would allow mailing
> lists to function without breaking changes such as substituting From:.
>
> An example of a solution would be the use of a DKIM alternative with not
> a single signature for the entire message, but only partial signing of
> parts of the message: specifically identified headers and/or specific
> body elements, to validate that the message was really sent and certain
> elements are genuine ---- and certain elements were modified by the
> mailing list.

You can more or less do this with DKIM already, and get about 90%
of mailing list traffic to pass verification. The question is whether that's
enough. I have no idea whether Y! is doing the things I did to get that
pass rate.


> The technical issue, is that the immaturity of the related specs. limits
> the decisions that are available for a particular domain ---- so,
> essentially, if you have a certain kind of user traffic: you have to incur
> technical issues with mailing lists, or forego using DMARC.
>
> In other words: much as you would like to dismiss as purely a managerial
> decision ---- the decisions available to be made are entangled with
> the limitations of the technical options that are available for
> mitigating spoofing,
>
> AND the public's understanding thereof.

Crocker may have some further insight that we're not privy to, but using
signing policy on the general population as a raw instrument is well known
to be a bad idea for DKIM and SPF's policy mechanisms as well. SPF in
particular had a huge amount of blowback by punitive mail operators who
didn't understand the implications, at least in the early days. It may indeed
be management idiocy, but I can't see what the point is in defending the
idiocy as being some sort of sacred right.

Mike
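
The mailing-list breakage discussed in this message, as an added example that is not part of the original post or the poster's own method: a list footer changes the DKIM body hash, so a p=reject policy rejects the relayed copy unless the signer limited the signed body with the l= tag from RFC 6376. The domains, message text and function names are constructed, alignment is strict-only by assumption, and header signing is left out.

```python
import base64, hashlib, re

def relaxed_body(body: bytes) -> bytes:
    """RFC 6376 section 3.4.4 'relaxed' body canonicalization."""
    lines = body.replace(b"\r\n", b"\n").split(b"\n")
    # Collapse runs of spaces/tabs, then drop whitespace at end of line.
    lines = [re.sub(rb"[ \t]+", b" ", ln).rstrip(b" ") for ln in lines]
    while lines and lines[-1] == b"":      # ignore empty lines at end of body
        lines.pop()
    return b"".join(ln + b"\r\n" for ln in lines)

def sign(body: bytes, use_l: bool) -> dict:
    """Signer side: produce the bh= tag and, optionally, the l= tag."""
    canon = relaxed_body(body)
    digest = base64.b64encode(hashlib.sha256(canon).digest()).decode()
    return {"bh": digest, "l": len(canon) if use_l else None}

def verify(tags: dict, body: bytes) -> bool:
    """Receiver side: recompute the body hash over what actually arrived."""
    canon = relaxed_body(body)
    if tags["l"] is not None:
        if tags["l"] > len(canon):         # body shorter than l=: fail
            return False
        canon = canon[:tags["l"]]          # content past l= is unsigned
    digest = base64.b64encode(hashlib.sha256(canon).digest()).decode()
    return digest == tags["bh"]

def dmarc(from_domain, dkim_pass, dkim_d, spf_pass, spf_domain, policy):
    """Strict alignment only (assumption); relaxed needs a public suffix list."""
    aligned = (dkim_pass and dkim_d == from_domain) or \
              (spf_pass and spf_domain == from_domain)
    return "pass" if aligned else policy

# Constructed sample: author at example.com (p=reject), list at lists.example.net.
ORIGINAL = b"Hello list,\r\n\r\nDMARC question below.  \r\n"
FOOTER = b"_______________\r\nexample-list mailing list\r\n"
DELIVERED = ORIGINAL + FOOTER              # list appended a footer

def list_outcome(use_l: bool) -> str:
    tags = sign(ORIGINAL, use_l)
    dkim_pass = verify(tags, DELIVERED)
    # SPF passes for the list's envelope domain, which is not the From: domain.
    return dmarc("example.com", dkim_pass, "example.com",
                 True, "lists.example.net", "reject")

if __name__ == "__main__":
    print("no l= :", list_outcome(False))
    print("l=    :", list_outcome(True))
```

The l= tag leaves everything after the signed length unauthenticated, which RFC 6376 lists as a security consideration. A list that alters a signed header such as Subject: still breaks the signature, which this sketch does not model.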


