[Mailman-Developers] Fixing DMARC problems with .invalid munge

Stephen J. Turnbull stephen at xemacs.org
Wed May 7 04:59:12 CEST 2014


John R Levine writes:

 > My apologies.  My imagination is sadly limited by 20 years of
 > running mailing lists for real people, and extensive conversations
 > with the people who designed and use DMARC.

Experience doesn't limit imagination, it's desperation to solve a
difficult problem in a hurry that does that.  That said, your years of
experience are undoubtedly valuable, as is the information from your
experiments with .INVALID.

I do not say you "should" take a more global view (I said "please",
didn't I?)  I'd like the benefit of your thoughts from that global
point of view, but it's up to you whether you want to go to that
effort.

I'm not trying to criticize you (though I've expressed myself badly --
I'm frustrated with the "damn the torpedoes" atmosphere created by
Yahoo! and AOL, that's also coloring a lot of thinking here).  It's
not your responsibility to think globally -- you're an operator with a
problem to address, not responsible for creating a standard or for
maintaining infrastructure that implements that standard.  I support
your experiments with .INVALID, although I believe them to be
technically not conforming to RFC.  "Code is law", but *RFCs aren't*.

What I'm trying to do is explain why Mailman should (IMHO) take a quite
different, much more conservative, stance toward implementing this,
and why I criticize DMARC.  The DMARC folks *are* creating a standard,
and Mailman *is* attempting to implement it.  It *is* *our* (and
*their*!) responsibility to think globally, even as we act locally.

BTW, we've had conversations with several of those "designers and
users" here, and they clearly do suffer from the "we have a problem we
need to fix, and we'll deal with the consequences for other people --
which we don't think are a big deal -- later if need be" attitude.
That includes several folks who do know better than to do what the big
portals are doing, so I figure they're REALLY desperate (or at least
the folks at email providers which are abusing p=reject are).

Note that AOL and Yahoo! need to do this because they have ambitions
of being e-commerce platforms, and so their domain names can be used
to scam money out of people.  I don't think their business model
justifies the harm their refusal to conform to RFC does to our
subscribers.


