ietf-wg-dmarc / draft-ietf-dmarc-dmarcbis

AD Review - Failure of Working Group to Fully Address Indirect Mail Flows, per Charter #155

Open toddherr opened 1 month ago

toddherr commented 1 month ago

DMARCbis, rev -34 contains the following text:

As a final note, one possible mitigation to the problems caused by Domain Owners publishing a Domain Owner Assessment Policy of "p=reject" when they should not or Mail Receivers rejecting messages solely on the basis of a "p=reject" policy is the Authenticated Received Chain (ARC) protocol described in [@RFC8617]. However, as of this writing, use of ARC is nascent, as is industry experience with it in connection with DMARC.

Taken together, these seem to indicate a failure on the part of the working group to fully address issues with indirect mail flows, a task that was the first item on the list of activities in the charter for the working group.

This ticket asks the working group to come up with text discussing two topics:

  1. First, some discussion of the reasons for the working group advancing to Standards Track a document that has serious interoperability concerns, e.g., "This is being done with intention, because reasons..."
  2. Second, a discussion of the plan, if any, for future work to address remaining interoperability issues. For example, might there be a DMARCter that folds ARC into DMARC? If no, then what?

alevesely commented 1 month ago

I drafted a possible protocol to put ARC in use. That could be the kind of discussion for point 2 (if a receiver wanted to implement it). However, Murray's statement on October 6th, "My term as Area Director will end around the middle of the March 2025 meeting in Bangkok, and this is your notice that I will close this WG before then", doesn't concede enough time for a similar discussion to reach a valid conclusion, methinks.

jrlevine commented 1 month ago

ARC isn't going to get any more popular than it is now, due to a combination of inertia and the need to know which ARC signers you trust. There's a new version of DKIM that will be discussed at the Dublin IETF that is likely to deal a lot better with mailing list issues. It won't affect DMARC other than that it will treat a new DKIM signature the same as an existing one.

alevesely commented 4 weeks ago

Uh, what's that? How come there's no notice about it? (Google only finds MS instructions on how to add a 2nd record called DKIM2...)

jimfenton commented 4 weeks ago

@alevesely A DKIM2 motivation draft was just posted today: https://datatracker.ietf.org/doc/draft-gondwana-dkim2-motivation/

jrlevine commented 4 weeks ago

If you follow the link I posted above, you'll find the side meeting on Monday. If there's time we also might be in ALLDISPATCH.

In any event, I think it is fair to say that we have spent a great deal of time trying to figure out ways to make DMARC coexist with indirect mail flows, and telling us to nerd harder isn't going to make DMARC any better. So we're going to try again a level down in DKIM.

alevesely commented 3 weeks ago

I won't be in Dublin.

DKIM2 looks overly ambitious, in particular the "algebra" describing changes (presumably derived from Wei's drafted algorithm). It will take an inordinate amount of time before a significant number of mailing lists comply.

In comparison, managing forwarding recipes looks much easier...