Yahoo DMARC breakage

Andrew Sullivan asullivan at
Thu Apr 10 03:00:57 UTC 2014

Hi Dave,

On Wed, Apr 09, 2014 at 12:27:55PM -0500, Dave Crocker wrote:

> But it's the result of an informed
> corporate choice rather than software or operations error.

Why do you think (it seems to me you've said it more than once) that
this was "informed" choice?  If I go to, and read
the "who can use?" part, there is no big warning there that domains
with a lot of random users from all over who might be posting to
mailing lists will have a complicated problem.  On the contrary, the
only "who" in that section is "everyone".  Also, the "why important"
part says "DMARC addresses these issues, helping email senders and
receivers work together to better secure emails, protecting users and
brands from painfully costly abuse."

And indeed, if I follow the link for the current specification from, there is rather little discussion of what happens
to users.  This is as it should be.  That's an Internet-Draft of the
protocol.  It might one day be published as an Independent Submission,
partly because those who developed DMARC didn't want to give control
to the IETF.  I get that, but it's sort of hard to know what it means
in terms of corporate "informed choice".  There's no applicability
statement I can see.

So, I'm trying to imagine the presentation slide on which appears the
advice to implement the controversial adopted policy.  I imagine in
big, giant print "Will reduce abuse effects" and in one of
those secondary bullets "May have consequences" and even lower "for
our users on mailing lists" and "for mailing list
managers/non-company".  We all know the Tufte observations about
PowerPoint; that doesn't make them less true.  I can even give the
presentation I imagine, and I don't work at the company in question.

I think DMARC is mostly useful when used correctly.  There is no BCP
yet, however, and that's partly because there's as yet no broad
experience with DMARC in what we might call "mostly-user domains":
there is no "CP" at all.  There is quite good experience in the areas
where DMARC was intended to be effective.  Good.  To pretend that
there's any experience outside that realm, in my opinion, generalizing
inappropriately.  I think responsible Internet deployment ought to
point that out.  I'm sure there will be those who disagree.

Best regards,


Andrew Sullivan
Dyn, Inc.
asullivan at
v: +1 603 663 0448

More information about the NANOG mailing list