[dmarc-discuss] MLM and Header-From rewriting - the SMTP open-relay analogy

Dave Crocker dhc at dcrocker.net
Sat Jun 7 22:13:54 PDT 2014

On 6/8/2014 1:26 AM, Al Iverson via dmarc-discuss wrote:
> On Sat, Jun 7, 2014 at 12:44 PM, Dave Crocker via dmarc-discuss

>> Keeping in mind that the mailing list scenario has always been
>> legitimate use,
> SMTP relay was a legitimate use case (or at least was very loudly
> claimed to be by those angry about relay blocking).

Sorry, no.  Use by unauthorized users is not a legitimate use case.

Again, closing relays carried an entirely adequate alternative via port
587 for authorized users.  No such equivalence is available when DMARC
breaks mailing list use.

>> the concern is that we may be left with a long-term
>> barrier to that use, with no attendant long-term benefit.
> I think there's a good chance that the barrier melts away in the long
> term. Specifically, the mailing list usage barrier. Mailman, Yahoo
> Groups, Google Groups, and various commercial providers have already
> implemented changes to that end. I feel like a lot of the barrier has
> melted away already.

You seem to be confusing "work-around" with "equivalent function".  What
we have is increasing use of work-arounds that defeat DMARC and train
the community to accept mail that employs the work-around.  As such it
eliminates long-term benefits of DMARC.

The problems with the work-arounds resolve to:  Mail 'from' a mailing
list now formally has a different author than it used to.  All mail is
from a single 'author'.  This significantly alters the way mailing list
mail, versus 'direct' mail, is processed by MUAs and seen by users.

>> The fact that there is short-term benefit is not the issue; it is that
>> the benefit might not sustain.
> If I can keep my domain out of the from address of bad mail forever,
> that's a long term benefit to me. How does that not sustain?

An assertion like that focuses on a syntactic point, rather than a
semantic one.

I'll bet you don't actually care about the From address content, on its
own, but that you really care about receivers thinking that mail is from
you when it isn't.  I know I do.  That's the real and higher-level concern.

And that's the goal that isn't being served here, in terms of long-term
benefit, given the effect of the work-arounds.

> The issue of lookalike domains was mentioned. This is an extant
> badness vector. It gets addressed through multiple means, as it has
> previously. It pops up, it gets a bad reputation, it gets blocked.
> Domain rep, IP rep, content rep, can and will all still apply.

When used in the narrow scenario of mail that is legitimately subjected
to tight content and operations controls, DMARC works quite well.

There are many ways to defeat DMARC's efficacy, when the mechanism is
used more broadly.  The aggregate effect is to marginalize the actual
benefits of the mechanism.

> To that end, I think anybody who's going to say "there's no long term
> benefit" really should only say that when including a more detailed
> statement of "why" that would be, because honestly, obviously, DMARC
> proponents don't necessarily start from that point of view and I'm
> sure I'm not the only one who would need more information to better
> understand the concerns.

You believe that there haven't been explanations for the 'why' provided???


Dave Crocker
Brandenburg InternetWorking
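
An added example, not part of the original message or of any mailing-list software: it evaluates DMARC relaxed alignment for a constructed list post before and after the From: rewriting work-around discussed in this thread, and shows which address an MUA then sees as the author. The domains, the two-label organizational-domain shortcut, the Reply-To placement and the premise that the list's edits invalidate the author's DKIM signature are assumptions of the example.

```python
from email import message_from_string
from email.utils import formataddr, parseaddr

# Constructed sample post; every name and domain here is illustrative.
POST = """\
From: Alice Author <alice@author.example>
To: discuss@lists.example
Subject: relay analogy

Body text.
"""

def org_domain(domain):
    # Assumption: last two labels. Real evaluators use the Public Suffix List.
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def from_domain(msg):
    return parseaddr(msg["From"])[1].rpartition("@")[2]

def dmarc_aligned(msg, spf_pass=None, dkim_pass=()):
    """Relaxed alignment: a passing SPF or DKIM domain must share the
    organizational domain of the From: header address."""
    want = org_domain(from_domain(msg))
    passed = ([spf_pass] if spf_pass else []) + list(dkim_pass)
    return any(org_domain(d) == want for d in passed)

def rewrite_from(msg, list_addr):
    """The work-around: the list becomes the From: address and the original
    author moves to Reply-To (one common choice, assumed here)."""
    out = message_from_string(msg.as_string())
    name, addr = parseaddr(out["From"])
    del out["From"]
    out["From"] = formataddr((f"{name} via list", list_addr))
    out["Reply-To"] = addr
    return out

def scenarios():
    direct = message_from_string(POST)
    rewritten = rewrite_from(direct, "discuss@lists.example")
    # Assumed: after the list edits the message, the author's DKIM signature
    # no longer verifies; only the list's own SPF and DKIM identities pass.
    list_auth = dict(spf_pass="bounces.lists.example", dkim_pass=["lists.example"])
    return {
        "direct": dmarc_aligned(direct, "author.example", ["author.example"]),
        "list_original_from": dmarc_aligned(direct, **list_auth),
        "list_rewritten_from": dmarc_aligned(rewritten, **list_auth),
        "author_seen_by_mua": parseaddr(rewritten["From"])[1],
        "reply_to": rewritten["Reply-To"],
    }
```

The rewritten post passes alignment only because the From: domain is now the list's, so every post on the list carries the same author address.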
