From YouTube: DMARC WG Interim Meeting, 2020-06-11
A
A
Think it was an interesting mix of people going over the issues that we already started on the DMARC mailing list, like what it means to implement DMARC for different parties, what the requirements are, and some special cases, like what's the meaning of p equal none with no, you have option with no reporting. So what is it? What exactly does it mean? Is it syntactically valid or in, but it's still not encouraged. The war, a lot of province about use of PCT option, which I think something we might want to discuss here.
B
Ecosystem issues, and we've already had that discussion on list, and there was already consensus on that, but there's definitely clearly a need for a PCP there. There was, there was a conversation around the percent tag, that's people who do find it valuable versus those who don't, and there was specifically 4%, there's also wider conversation around up percent equals zero with p equals quarantine. I think it's actually a really meaningful conversation to have here at the IETF and I.
B
We actually get this at MOG from government organizations where there's an ask for a way to ask DMARC for both SPF and DKIM, and so that there's a meaningful conversation there, because it comes up again and I think that again to have that conversation, the IETF and have to show consensus around that is meaningful, even though I think the answer is well-known. I don't think that conversation's happened at the IETF. I think those are the very top line points and there will be more that will summarize over time.
B
A
The original DMARC spec was not published on the IETF consensus rules, so it hasn't really gotten enough buy-in from IETF community. So this round, hopefully, we are doing it as a proper working group item and want to make sure the spec is clear, that if there are any unused features that they are likely to be removed, or at least if there are features that people want to move, then their.
A
Residence should be justified in the spec. Also, we have a list of open issues on to thought idea of the tour guide. Doing for this, which we started collecting from 2015, and Seth were added quite a bit more this year, so the idea is to go over known issues and try to reach rough consensus for change and also change a lot of discussion going to be about what it means to implement a specific feature. What.
A
So yeah, basically the idea is that will gia will ask for about three issues at any given time so that not to overload the mailing list and try to get closure and revise the document accordingly. The other thing is the DMARC working group charter requires us to address indirect mail flows, which we published ARC document as experimental RFC.
B
C
C
C
It's like I don't have specific tests. Excuse me, I don't have a specific checklist in mind. I just, I think that that people are gonna be looking at this very carefully for all the obvious reasons, and we just need to be make sure that when we send it to the IESG or even IETF last call that we have done our due diligence about what those topics are going to be and that we have a good answer for everything.
D
I
I was going to mention what Murray said, the, it has to deal with the issues of mailing list breakage that everybody is seeing. Everybody's well aware of that and you're gonna get a lot of pushback from IETF last call, I think, and from the IESG, if, if the standard version of the document doesn't deal with it in some reasonable way.
B
D
C
Yeah, I don't think that's my, I mean you might convince me otherwise, but I don't think it makes sense to merge, make ARC a formal part of DMARC. I think making it another layer or a piece of indication layer below it, that strikes me as more palatable because it should be a sort of a plug-and-play type of mechanism, but we'll see as it develops. That's.
B
B
I think that there's Jesse Thompson, Autumn care, salvia and M Ben Davis, and so the ask here is: if you want to actually speak, if you can just put plus Q in the chat and then we'll manage the queue just so, just it remains orderly, we're not people muting and unmuting themselves and causing chaos. So if you're ready to speak just throw plus Q in the chat and we will call your name out.
E
E
B
Yeah, I think what you're saying is, basically, there are certain receivers, when you move from a policy of none to a policy of quarantine, regardless of percentage, it impacts mail flow, and so percent equals zero lets you get reporting on the new mail flow without actually having any operational change on the sender end. Is that correctly? Yes.
E
E
F
F
It'll fail SPF, because the list server is not a part of the domain's SPF entry, and it will also fail DKIM, because mailing lists make meaningful changes to DKIM; they'll change things like the message body by adding an unsubscribe link, which of course then changes the body hash and breaks DKIM, so by the header munging, that removes the concern that the message would then fail DMARC for the domain that is owned by the organization considering a more restrictive policy.
F
But the challenge is that there are some mailing list providers that automatically munge headers for quarantine or reject policies and others that require a manual intervention. So one example of this is Group. Co is a mailing list service provider, they'll automatically change the headers when they see a quarantine or reject policy. Similarly, listserve Bael soft of the sufficiently advanced version will also do this automatically.
F
On the other hand, the popular mailing list software Mailman has an option to do this, but it's something that an individual list admin must positively make a change for, and so, when an organization is virtually done authenticating most of their traffic and they see some list server traffic, they have no idea if that will still be an issue for them after a quarantine or reject policy, or if the system in question will automatically rewrite those headers, and particularly for large organizations, they often have people participating in many mailing lists where it's not always obvious upfront.
F
If that system will rewrite headers automatically or not, and so using the percentage equals zero quarantine policy is one way that we will be able to see what headers will be rewritten, because as soon as they make a change, the systems that rewrite the headers disappear from the reporting data and the systems that don't automatically make the change still show as fails, and so that can allow an organization to then go pursue header munging through intentional list admin changes for what traffic remains.
F
B
You all, I have a question for you there, then. Do you consider this sort of an issue in the ecosystem, with how mailing lists and DMARC user, there's a bug with DMARC? Do you consider the ability to do p equals quarantine, percent equal zero, like a bug that you're taking advantage of, a feature that you're taking advantage of? Like how do you, how would you summarize this? Like if everything worked properly, is this needed, or is this just because of friction in the ecosystem with how DMARC is handled? I would.
F
Say definitely the latter. It is because of friction in inconsistent mailing list practices where some systems automatically make that change, other systems do not, and ideally I would love to see every system automatically make that change so that systems that are, domains that are about to do a restricted policy will not have mailing lists as an issue. This comes up a whole lot and I know my esteemed colleagues will also speak to this, but I see this a lot for higher ed. I.
F
Also see it a lot for government, because government researchers, higher ed researchers, participate in mailing lists at a very high degree, and because of that, this has been a barrier to DMARC adoption, so I would say using percent equals zero is a little bit of a hack, but at the same time, mailing lists were not adequately provided for, I think, in the spec originally, and so this is one way that we can get that vital information in an otherwise uncertain world.
B
F
And in fact it might do so better. There are a couple of small receivers that have a bug in their DMARC system such that they can never quarantine or reject any less than 2%, and so, whenever I recommend a domain makes this change, we recognize that there will always be some number of messages that are actually quarantined, even when we have a percent equals. Similarly, there are a couple of systems that ignore the percentage tag entirely, so I only recommend domains do this when all other avenues have been exhausted.
B
G
I think Autumn covered it really well and I don't have too much to add other than the bug in that some receivers misinterpreting percent or treating it as 100. It kind of gets us closer to a destination based alternative to 2 percent itself by accident, so that might need to be addressed. The other thing that maybe is worth calling out is.
G
Maybe ARC could solve that, but I, the, the problem I see with ARC is that the ARC, the mailing list doesn't know if the recipient system will support ARC and trust them from a reputation sampling. So they have to munge, and I worry that we'll have to have mailing lists munging essentially forever until we have a complete ARC.
B
H
So this is Scott. Did you just call on me? Yes, yes, so I mean one of the challenges here is all this From munging is not standardized, and so a standard organization seems to me to be kind of an odd place to complain about people doing unstandardized things wrong, and I get why people do it and why they want it, but from email works perspective, it's really a gross hack and I.
H
A
A comment in general that I sort of hear what you're saying, Scott, but I think if we can get rough consensus in DMARC working group that something needs to be done on this, and we can get rough consensus on specific text, then things can change. What do they would? You know, obviously I have no way of knowing at this point, so it certainly try, yeah, I think you know. Maybe we should try to.
A
B
H
B
I
J
Thanks, just as a quick add on to what Jesse said, basically, I was wondering if we could put something in the spec that the sender should take care not to send out messages that violate DMARC in any way, but that should probably obviously be should, in the case of P or P, is not a P equals none, but it might be even stronger that if P equals quarantine or reject that you, you must not send out messages that break it or something, and that would then apply to mailing lists.
J
B
I think it's worthwhile to bring to the list. I think, you know, if you squint and look forward and everything, DMARC's widely deployed, then people who do those things, that it'll never hit an inbox because they can't authenticate as the domain they're trying to send from, so the problem does actually solve itself with wide adoption of DMARC.
H
J
I
B
B
So the next thing I want to talk about, I think that was the queue, is that there was also a conversation about at MOG about forensic reports and if there are ways, so instead of getting the entire contents of the message, you get more redacted messages or stripped down failure reports, the sense of you get just the auth results and to and from or domains and URLs. I want to know if there's anyone who came over from MOG wants to talk about their point of view of what they might want here.
F
Right, well, ultimately, I'm anything forensic reports, even if it's down so I would prefer ideally full forensic reports, because that information is very helpful. But I know there are a lot of systems that are concerned about privacy law violations or other issues might choose to not do forensic reports if they have to include that are expected, so stripped down data is better than no data. A lot of times, I work with large organizations that have otherwise no idea what is being sent on their domain.
F
So, if you think of a large international business or a university, there are many distinct users that are not at all connected to the internal team that might be working on a DMARC project, and trying to figure that out is quite challenging. Even will often find multiple instances using the same service provider. So I can think of one government domain that had almost 30 separate MailChimp accounts and the best way that we could find to get that information.
F
In some instances, I have the ability to work with the email service provider, but in other instances, we're kind of stuck. So whenever we have forensic reporting, getting a from address is extraordinarily helpful. Even a, you know, a subject line is additionally helpful. Links in the message are helpful, but even just a from address and label itself is a massive improvement above and beyond what we get from aggregate reporting. So if allowing a stripped down version of forensic reporting will in turn allow more organizations to send forensic reporting, I'm in favor of it, I'm.
B
G
G
I know that some of the DMARC vendors will, you, use the SPF macro approach to try to get sense of which envelope from addresses are being used. That seems a little bit of a kludge and a privacy issue to me, but it is a little clever. So that's pretty much my perspective. It would be great if we could see the address or subject, like, like Autumn says, so that we can track down who they are and let them know to use a subdomain or something like that.
I
Autumn, are you asking that in the spec we be more blatant about forensic reports can be whatever the heck you feel like you are comfortable sending, and then provide some sort of a ranked list of these are the things that are most useful to least useful if you're going to try to strip down your forensics? Yes, okay.
F
Since I'm on one sec, there is one other point that I had mentioned and that's on the abuse fighting side of this. Sometimes these samples get forwarded to takedown vendors or law enforcement, and so that's another use case for this as well. It's not just companies wanting to do DMARC who don't know what they're sending, it's, it's also the abuse fighting side.
I
K
Sorry about that and sorry for not getting in the queue when I meant to be, I didn't figure out the mechanism. This is back to the header munging, not to give an answer, but to point out that I think there needs to be some clarity about what problem there is. It's easy to go to the symptom of header munging and focus on that, but, but stepping back and trying to make sure we understand what, what is the nature of the issue being dealt with where header munging is a symptom that causes problems.
K
B
L
In question, so one of the topics identified in the MOG session was that there are multiple MOG stakeholders who have problems with DMARC and forwarding emails to external addresses and I think that's kind of the bigger picture. So we have ISPs forward email from domains they host to some other place. We have alumni web sites and personal address web sites and we have mailbox providers who are also providing forwarding to their users. So I think it's a big question.
H
M
I was also, I wanted to say about the issue of emails being forwarded and, and content being adjusted a little bit. Ultimately, if my understanding is correct, DMARC is about the sender's authenticity more than the integrity of the content. If you look at what DKIM, at what elements are mandatory and what are optional, if you scale down on the elements to be included in hash calculation and you allow for the body to be modified, the things will always pass through, but you ensure that the sender's authenticity is guaranteed.
N
Sure, if necessary, one of the trip support for the idea of the reduced forensic reports or failure reports, I forget which term was last in a common practice, the, if the idea had already been floated, basically that while we saw several different degrees of redaction in practice when there were still multiple senders, a number of senders of those reports, perhaps it would be useful for those who reject it when they don't understand the scope of what's potentially involved, if they could see some examples of those redacted reports.
B
B
O
It was just more of a comment and, and I know it's hot ass with some examples, but I said it might comment a little bit. More action fact would be nice if DMARC bis could make some requirements. The right word there's some restrictions of some sort about SPF that involves weak all statements. So if they use like a plus all evoke an and DMARC, as we go through G markers, can we make it so that they plus all validates it or something like that or won't work on P equals reject or something like that.
O
I don't know, something like that. It's the case but and then I excited to also potentially say like, well, maybe we end up with something like a matrix where question mark all only works with quarantine and none and something like that, and then, you know, plus all doesn't anything or something like that. But it's just, it's just a thought just because we have seen the past folks who are something like equals quarantine, but there's plus all, which is kind of not really ideal.
O
Has a misuse we've had to have some senders correct it. It doesn't necessarily really cause operational issues, although I bet on the other side, if they're getting DMARC reports, they're probably getting a lot more than they anticipated, much larger reports. But I can't really comment on that. It's like we're not seeing ourselves, but it's just, you know, something like that is potentially a way that we can help strengthen as yeah. If folks want the advantages of DMARC protector.
B
C
Two points, one with my AD hat on: I do not believe that you are forbidden charter from talking about this or proposing an extension in the, in the bis document to actually take this into account. As an implementer, though, I'll point out that your interface between SPF and DKIM and ARC and DMARC is the authentication results field, which does not give you a way to say the SPF policy in effect for this was plus all, so you don't actually have that information.
C
B
P
I hope you can hear me. One of the things that came up on the list recently that I think was kind of buried in another discussion was the question of whether the, whether users actually can see or, if they can see, do they act on the domain, I, the, the domain and the, and the email address of the from field, and I'm not sure that was resolved and I. You know there were.
P
There were definitely some people that are, that were arguing that either users can't see the address or that they're not going to pay any attention if they do see it. So the reputation argument doesn't, doesn't really quite hold. I think it's important to this working group that there be a consensus on that question. So I'm asking the chairs to perhaps create it as an issue or something of that sort.
B
Q
C
C
I
Wasn't brought up at MOG, but looking at the time and how we only have six minutes left or three and a half or something, I'd like to find out from the chairs what they're intending for the agenda in the July IETF 108 meeting, so that people can figure out whether to pony up the 300 bucks to join the discussion in July.
Q
That's a good question actually, because I think some of that was going to be driven by what was going on during the mailing list. But I almost wonder if we schedulers look another interim. Those actually have a no-cost item, so there may be some relevance and actually skipping the 108 and then having an interim, like, in August, which would, you know, which wouldn't be, would I would.
Q
B
J
Just a quick one, now I wonder if anybody's in also tracking the bounces that come back from reports. I've recent, only recently started doing that and in the, in the beginning, I just threw everything away, but the amount of reports it just bounced is staggering and it's like 50 percent of deer domains. Only except, of course, roughly, I haven't got exact stats. Anybody interested in this or am I just completely working up a tree.
G
Tree this is Jesse. I think that may be a symptom of the fact that reports are most useful while a domain is rolling out DMARC and then after they're done, they largely don't look at them, so they maybe just delete the mailbox or something, right. Yeah.
J
Yeah, that's what I figured, so maybe what I currently do is just greatly send less and less mail, but there's nice reports, but I'd always do nothing with it. So, okay, well and I.