[Mailman-Users] Digest option for Yahoo and AOL subscribers?

[Stephen J. Turnbull]

Richard Damon writes:
 > On 5/25/14, 11:30 AM, Mark Rousell wrote:

 > > Whilst Yahoo and AOL are the ones who have chosen to
 > > use/misuse/abuse DMARC in this way, it could also be said that
 > > DMARC (and all its backers on its current form) are to blame
 > > precisely because DMARC *allows* Yahoo's/AOL's behaviour.

The "p=reject" policy option is useful, perhaps necessary, to prevent
phishing at financial institutions.  My bank (Tokyo-Mitsubishi-UFJ) is
in a total panic to the point where they are running a major
television campaign (multiple channels, hitting all the major
demographics) displaying a typical MUA (Outlook, of course) showing a
typical phishing message and putting a big red X over the password
input field.

 > > If the standard has been properly finished and properly thought
 > > through from all angles then ways could surely have been found to
 > > allow it to be used without harming existing, standards-compliant
 > > behaviour.

DMARC's purely informational protocols have been in use successfully
for years, and nobody ever noticed.  Some banks have been using
"p=reject" for quite a long time (more than a year), and nobody ever
noticed.

 > > The consortium behind DMARC simply weren't willing to wait or
 > > play along.

I don't think the evidence supports that belief.  The design of the
protocol has been very careful, with multiple ways to mitigate the
kind of effects we saw in April.  Yahoo! and AOL simply don't care who
gets hurt as long as they can present it to their own users as a
necessary measure to combat spam (and other mail abuse).

 > My understanding is that DMARC WAS going through the standardization
 > process, and actually was to the state where experimental use was
 > justified (and in some sense actually required). The problem that
 > happened is that Yahoo jumped into the limited clinical trial and
 > experimented with millions before we had a chance to find out the side
 > effects of the medicine.

According to one of the editors of the Internet Draft (message to a
closed list), use by ESPs of "p=reject" was never envisioned by the
working group, and he believed (until it actually happened) that
Yahoo!  and AOL knew that because they have active representatives in
the group.  I'm not sure I really believe that, since one of the DMARC
proponents on Mailman channels clearly believes that any problems are
the fault of misconfigured lists, and one of the editors of the DMARC
Internet Draft has a Yahoo! affiliation listed.

 > I suppose that the communities response should have been to just kick
 > off all Yahoo (and later AOL) users from mailing list (as that is really
 > one meaning of the DMARC setting announced), but the community had too
 > much compassion for the "innocent" users

In many cases, there's no "compassion" involved, just a hard-headed
business calculation about whether the list can afford to offend the
paying customers.  In any case, it's pretty clear that

 > a lot of innocent users ... really don't want to go through the
 > hassle of changing email providers, and are more apt to just drop
 > off mailing lists.

which both AOL and Yahoo! would find convenient for their own busienss
models.  (I don't think that's their aim, I just don't think they'll
shed any tears as long as their spin control is successful.)

So I certainly don't recommend it if you don't have substantial and
unshakably legitimate influence over your subscribers.

*I* can and do play hardball, and (as mentioned in a previous post)
the fiasco at yahoo.com triggered a reaction in the Japanese research
and education communities (including an official advisory from the
Ministry of Education, Culture, Science and Technology), so that
students and to some extent faculty and researcher have switched to
GMail en masse -- entirely unnecessary since yahoo.co.jp doesn't seem
to publish a DMARC policy at all!

But my situation is very unusual.

Steve