<html><head><meta http-equiv="content-type" content="text/html; charset=utf-8"></head><body dir="auto"><div>Speaking of DMARC, and because I do run mail for rather a lot of millions of people in my day job, you might find that at this point, most providers who run large mailing list services, such as yahoo and google groups, and most large receiver ISPs that implement DMARC, have implemented a set of workarounds so that the already tiny minority of users affected is now infinitesimal (and yes, in hard numbers, still significant appearing, until you compare that number to yahoo's actual userbase)</div><div><br></div><div>Forwarding mailboxes are still a small fraction of all mail, with the bulk of it originating from some known large places (university alumni mailhosts, IEEE, some email providers that still offer forwarding ..).  Mailing lists that don't rewrite the return path appropriately are a still smaller number of all mail, gradually getting even smaller.</div><div><br></div><div>Meanwhile the amount of forged spam it has been stopping has been interestingly high, especially on an old and extremely heavily forged domain like yahoo. So this is kind of like a vote  in which the massively vast majority of yahoo's users that are benefited from this change (and yes, in my judgement this aggressive policy does have a benefit given the amount of forged <a href="http://yahoo.com">yahoo.com</a> spam I see) trump the minority that is affected by this - a rapidly reducing minority I might add.</div><div><br></div><div>Depending on your mail setup I would recommend - and these are best practices for other reasons too, not just dealing with yahoo and aol's p=reject DMARC implementation! one of these - <a href="http://dmarc.org/faq.html#s_3">http://dmarc.org/faq.html#s_3</a></div><div><br></div><div>Also if you operate a mailing list and haven't turned on VERP yet, now would be a great time <a href="http://www.exim.org/howto/mailman21.html">http://www.exim.org/howto/mailman21.html</a><br><br>--srs (iPad)</div><div><br>On 07-Jul-2014, at 0:15, Seth Johnson <<a href="mailto:seth.p.johnson@gmail.com">seth.p.johnson@gmail.com</a>> wrote:<br><br></div><blockquote type="cite"><div><span>On Sun, Jul 6, 2014 at 12:26 PM, parminder <<a href="mailto:parminder@itforchange.net">parminder@itforchange.net</a>> wrote:</span><br><blockquote type="cite"><span><a href="http://www.theguardian.com/technology/2014/jul/06/we-shouldnt-expect-facebook-to-behave-ethically?CMP=fb_gu">http://www.theguardian.com/technology/2014/jul/06/we-shouldnt-expect-facebook-to-behave-ethically?CMP=fb_gu</a></span><br></blockquote><blockquote type="cite"><span></span><br></blockquote><blockquote type="cite"><span>"Besides, the idea that corporations might behave ethically is as absurd as</span><br></blockquote><blockquote type="cite"><span>the proposition that cats should respect the rights of small mammals. Cats</span><br></blockquote><blockquote type="cite"><span>do what cats do: kill other creatures. Corporations do what corporations do:</span><br></blockquote><blockquote type="cite"><span>maximise revenues and shareholder value and stay within the law. Facebook</span><br></blockquote><blockquote type="cite"><span>may be on the extreme end of corporate sociopathy, but really it's just the</span><br></blockquote><blockquote type="cite"><span>exception that proves the rule."</span><br></blockquote><blockquote type="cite"><span></span><br></blockquote><blockquote type="cite"><span>(quote ends)</span><br></blockquote><blockquote type="cite"><span></span><br></blockquote><blockquote type="cite"><span>Well, if I had said these sentences, there would have been an immediate</span><br></blockquote><blockquote type="cite"><span>multistakeholder (MS) condemnation, for not conforming to the</span><br></blockquote><blockquote type="cite"><span>multi-stakeholder spirit!</span><br></blockquote><span></span><br><span></span><br><span>I posted the following comments on another list a little while back to</span><br><span>describe the problems of even applying multistakeholderism in the</span><br><span>international arena:</span><br><span></span><br><span></span><br><span>Brian Carpenter posed the question pasted below on the ietf discussion</span><br><span>list.  My (verbose) comments on the thread may help get a handle on</span><br><span>the limits of multistakeholderism in the international context, which</span><br><span>requires understanding democracy not in terms of the regular</span><br><span>representational and/or participatory aspects, but key elements of the</span><br><span>foundation that makes it work.  It addresses the present DMARC</span><br><span>imbroglio triggered by Yahoo and a few other industry cohorts.  Read</span><br><span>through the thread for the fuller explanation.</span><br><span></span><br><span></span><br><span>Seth</span><br><span></span><br><span></span><br><span>On Tuesday, April 15, 2014, Brian E Carpenter wrote:</span><br><span></span><br><span>    I thought that standard operating procedure in the IT industry</span><br><span>    was: if you roll something out and it causes serious breakage to</span><br><span>    some of your users, you roll it back as soon as possible.</span><br><span></span><br><span>    Why hasn't Yahoo rolled back its 'reject' policy by now?</span><br><span></span><br><span>    Regards</span><br><span>       Brian</span><br><span></span><br><span></span><br><span>---------- Forwarded message ----------</span><br><span>From: Seth Johnson <<a href="mailto:seth.p.johnson@gmail.com">seth.p.johnson@gmail.com</a>></span><br><span>Date: Tue, Apr 15, 2014 at 7:36 AM</span><br><span>Subject: Re: What I've been wondering about the DMARC problem</span><br><span>To: Miles Fidelman <<a href="mailto:mfidelman@meetinghouse.net">mfidelman@meetinghouse.net</a>></span><br><span>Cc: IETF Discussion <<a href="mailto:ietf@ietf.org">ietf@ietf.org</a>></span><br><span></span><br><span></span><br><span>Jimmy Wales is, perhaps partially unconsciously, referencing this with</span><br><span>his point on a "culture of free expression."</span><br><span></span><br><span>Note: I am not implying in making these observations that stewardship</span><br><span>should be by any particular country, or any number less than the</span><br><span>totality for that matter -- only that we rely on systems that we have</span><br><span>claimed for the people to create such a context, and the international</span><br><span>arena (and the various systems so far presented for "checks and</span><br><span>balances" or even simply handoff to privatized systems to</span><br><span>multistakeholder-ish processes that must not be government-led or</span><br><span>inter-governmental) does not presently support that.</span><br><span></span><br><span></span><br><span>Seth</span><br><span></span><br><span></span><br><span>On Tue, Apr 15, 2014 at 1:29 AM, Seth Johnson <<a href="mailto:seth.p.johnson@gmail.com">seth.p.johnson@gmail.com</a>> wrote:</span><br><blockquote type="cite"><span></span><br></blockquote><blockquote type="cite"><span>(one insert/correction inline)</span><br></blockquote><blockquote type="cite"><span></span><br></blockquote><blockquote type="cite"><span>On Tue, Apr 15, 2014 at 1:20 AM, Seth Johnson <<a href="mailto:seth.p.johnson@gmail.com">seth.p.johnson@gmail.com</a>> wrote:</span><br></blockquote><blockquote type="cite"><blockquote type="cite"><span></span><br></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><span>The framework internationally is different.  Within free countries, there's a culture of expectations that certain things will be unacceptable, or will be resisted by self-respecting citizens.  That culture is based in a system that guards fundamental liberties, and people are able to rely on it to do so, though for private firms the limits aren't so definitive as they are for the government.</span><br></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><span></span><br></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><span>Internationally, the limits are no longer so definitive, and that's because even though governments will sign onto instruments like the UDHR, those rights are not actually fundamental, even if we call them that.  Fundamental rights have an undeniable priority within countries where they have been claimed in the founding act.  On that foundation, judges are always obliged to assess fundamental rights in light of the unarguable fact that their priority over the government was part of the original creation of the whole system.  There's no founding act in the international arena that sets the priority of people over the governments of the world, so rights are actually at the indulgence of governments, and governments can always assert their state interests are so important that they warrant impinging on fundamental liberties.</span><br></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><span></span><br></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><span>We just saw an example of this with the Snowden disclosures.  We've been through a long period where we couldn't get our government to actually do much for us, or conversely to not invade our liberties -- because the claims that the government was snooping pervasively were kept marginal in various ways.</span><br></blockquote></blockquote><blockquote type="cite"><span></span><br></blockquote><blockquote type="cite"><span></span><br></blockquote><blockquote type="cite"><span><fixed></span><br></blockquote><blockquote type="cite"><blockquote type="cite"><span></span><br></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><span>But once documentation moved those considerations out of the frame of "conspiracy" or zealotry by activist organizations, we suddenly began seeing the appeals work again: "that's not the kind of country we are, what we set up for ourselves," we started saying again.</span><br></blockquote></blockquote><blockquote type="cite"><span></span><br></blockquote><blockquote type="cite"><span></fixed></span><br></blockquote><blockquote type="cite"><span></span><br></blockquote><blockquote type="cite"><span>(eom)</span><br></blockquote><blockquote type="cite"><span></span><br></blockquote><blockquote type="cite"><blockquote type="cite"><span></span><br></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><span>And while it's still in a bit of denial, we are seeing a gradual grudging retracting -- again, because the basis in fundamental liberties is unarguably related to how we set the government up in the founding act(s).</span><br></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><span></span><br></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><span>This is for governments and the more definitive relationship between fundamental liberties and the government; that is, that they are limits on the government.  The judicial system treats fundamental rights violations by the government in terms of "strict scrutiny," which means a governmental act that impinges on fundamental liberties must serve a compelling state interest, and even then, must be narrowly tailored.  For private parties, it's more that the working system creates a culture of people who enjoy this ability to live in a system where these limits on the government are actually at play -- and that's a context that more easily supports attitudes of resistance and pushback from people who see their dignity invaded by private firms that do excessive things.</span><br></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><span></span><br></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><span>None of this exists internationally.  The best you can place some faint hope in is that national/state interests will be "balanced" against rights expressed in a treaty.  That's a totally different standard from strict scrutiny.  And relying on even that is unrealistic, because governments have the "epistemic priority" -- and so they often, quite freely, simply claim their sovereignty and act according to what they claim is an important state interest.  They simply have that wherewithal at the international level.</span><br></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><span></span><br></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><span>All of which is preface to say that the result is that governments and private parties (and corporations, who have concocted trans-state "rights" through judges acting to fill in gaps in the law over the years) know the rules don't apply the same way in the international arena.</span><br></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><span></span><br></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><span>In fact, given the transitions currently being attempted, whether with the IANA functions or "Internet governance" more generally, Yahoo's DMARC behavior may really be a sort of dry run, testing the ability to take advantage of the moves to put concerns related to the operation of the Internet into an international frame, which folks are pushing for without really recognizing what's missing in that context, what they have sort of unconsciously relied on and taken for granted within systems of checks and balances that are rooted solidly at national levels.</span><br></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><span></span><br></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><span>The checks and balances don't work the same internationally, and that circumstance can be exploited (and is, all the time, these days).</span><br></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><span></span><br></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><span>People might push back, but they don't really do so with the same sense of fundamental recourse assured by a solidly rooted system.  And Yahoo knows this.  And we're just shoring that up by saying we can just switch multistakeholderism to the international arena.</span><br></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><span></span><br></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><span>(All of this is aside from other factors not generally acknowledged -- that there are actually inter-governmentally endorsed frames in place that will have a bearing on IANA type functions or domain names (Names, Numbers, Addresses and Identifiers/NNAI, in the ITU parlance), regardless of the fact the IANA transition defines itself as non-governmentally-led or inter-governmental.  Looking at this in that light, Yahoo may be forcing the creation of a context in which it can start to exercise those frameworks.)</span><br></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><span></span><br></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><span></span><br></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><span>Seth</span><br></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><span></span><br></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><span></span><br></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><span>On Tue, Apr 15, 2014 at 12:07 AM, Miles Fidelman <<a href="mailto:mfidelman@meetinghouse.net">mfidelman@meetinghouse.net</a>> wrote:</span><br></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><blockquote type="cite"><span></span><br></blockquote></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><blockquote type="cite"><span>Important business users, with Yahoo accounts?  Is that a joke?</span><br></blockquote></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><blockquote type="cite"><span></span><br></blockquote></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><blockquote type="cite"><span>Just as a reference point:</span><br></blockquote></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><blockquote type="cite"><span>- I just logged into my long-unused, and un-publicized yahoo email account - and the only thing there is Spam</span><br></blockquote></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><blockquote type="cite"><span>- the lion's share of mail that comes from yahoo, to my normal account, is spam</span><br></blockquote></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><blockquote type="cite"><span>- unfortunately, a good number of people on the email lists that I run seem to have Yahoo mail accounts - and a good amount of the mail that comes from those accounts is... you guessed it... spam - because yahoo email accounts seem to be vulnerable to cracking and exploitation</span><br></blockquote></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><blockquote type="cite"><span></span><br></blockquote></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><blockquote type="cite"><span>So, just who is it that Yahoo is protecting here?</span><br></blockquote></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><blockquote type="cite"><span></span><br></blockquote></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><blockquote type="cite"><span></span><br></blockquote></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><blockquote type="cite"><span>Abdussalam Baryun wrote:</span><br></blockquote></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><blockquote type="cite"><blockquote type="cite"><span></span><br></blockquote></blockquote></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><blockquote type="cite"><blockquote type="cite"><span>The standard procedure in many companies is business scoped, so they identify important business users and the business returns/damages. Most important users are not IT experts, and use email for personal exchange. Yahoo has signed an agreement with users to protect its information system, so all seem to follow that, and all users are free to stop using services or not.</span><br></blockquote></blockquote></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><blockquote type="cite"><blockquote type="cite"><span></span><br></blockquote></blockquote></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><blockquote type="cite"><blockquote type="cite"><span>AB</span><br></blockquote></blockquote></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><blockquote type="cite"><blockquote type="cite"><span></span><br></blockquote></blockquote></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><blockquote type="cite"><blockquote type="cite"><span>On Tuesday, April 15, 2014, Brian E Carpenter wrote:</span><br></blockquote></blockquote></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><blockquote type="cite"><blockquote type="cite"><span></span><br></blockquote></blockquote></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><blockquote type="cite"><blockquote type="cite"><span>    I thought that standard operating procedure in the IT industry</span><br></blockquote></blockquote></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><blockquote type="cite"><blockquote type="cite"><span>    was: if you roll something out and it causes serious breakage to</span><br></blockquote></blockquote></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><blockquote type="cite"><blockquote type="cite"><span>    some of your users, you roll it back as soon as possible.</span><br></blockquote></blockquote></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><blockquote type="cite"><blockquote type="cite"><span></span><br></blockquote></blockquote></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><blockquote type="cite"><blockquote type="cite"><span>    Why hasn't Yahoo rolled back its 'reject' policy by now?</span><br></blockquote></blockquote></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><blockquote type="cite"><blockquote type="cite"><span></span><br></blockquote></blockquote></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><blockquote type="cite"><blockquote type="cite"><span>    Regards</span><br></blockquote></blockquote></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><blockquote type="cite"><blockquote type="cite"><span>       Brian</span><br></blockquote></blockquote></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><blockquote type="cite"><blockquote type="cite"><span></span><br></blockquote></blockquote></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><blockquote type="cite"><span></span><br></blockquote></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><blockquote type="cite"><span></span><br></blockquote></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><blockquote type="cite"><span>--</span><br></blockquote></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><blockquote type="cite"><span>In theory, there is no difference between theory and practice.</span><br></blockquote></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><blockquote type="cite"><span>In practice, there is.   .... Yogi Berra</span><br></blockquote></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><blockquote type="cite"><span></span><br></blockquote></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><span></span><br></blockquote></blockquote><blockquote type="cite"><span></span><br></blockquote><span></span><br></div></blockquote><blockquote type="cite"><div><span>____________________________________________________________</span><br><span>You received this message as a subscriber on the list:</span><br><span>     <a href="mailto:governance@lists.igcaucus.org">governance@lists.igcaucus.org</a></span><br><span>To be removed from the list, visit:</span><br><span>     <a href="http://www.igcaucus.org/unsubscribing">http://www.igcaucus.org/unsubscribing</a></span><br><span></span><br><span>For all other list information and functions, see:</span><br><span>     <a href="http://lists.igcaucus.org/info/governance">http://lists.igcaucus.org/info/governance</a></span><br><span>To edit your profile and to find the IGC's charter, see:</span><br><span>     <a href="http://www.igcaucus.org/">http://www.igcaucus.org/</a></span><br><span></span><br><span>Translate this email: <a href="http://translate.google.com/translate_t">http://translate.google.com/translate_t</a></span><br></div></blockquote></body></html>