[arc-discuss] [dmarc-discuss] A bit quiet?
roland at rolandturner.com
Thu Nov 26 03:59:56 PST 2015
On 11/01/2015 10:19 AM, Murray S. Kucherawy via arc-discuss wrote:
> In terms of formalities, I think we agree that ARC should be specified
> on its own. I'm just not sure I agree with the idea that DMARC should
> never be extended to include it as a formal consumable. Remember that
> DMARC doesn't actually require DKIM or SPF either; it works fine with
> just one or the other, so adding a third doesn't impose much on
> anyone. If ARC is successful, or is on the track to being so, then I
> think adding it to a DMARC revision is the right thing to do if only
> to encourage uptake.
At the very least, ARC is a different kind of input to DMARC than SPF or
DKIM is; the latter tell the receiver things about the RFC5322.From
domain registrant's intentions, the former provides a form of telemetry
about what happened along the way.
> But then we get to the question of how that would happen given DMARC
> isn't really versioned in a way that's meaningful here. That is: What
> would it mean to publish, say, a Proposed Standard version of DMARC
> that mandates ARC support as one of three methods evaluated by a
> receiver, instead of one of only two? Do all DMARC verifiers have to
> change now? And what would it mean in terms of compliance if one doesn't?
No, ARC makes sense only as local policy input (as above, it's not about
the intentions of the domain registrant). A receiver who is using ARC as
an input to their decision-making is going to report less damage to
domain registrants, permitting the latter to adopt more aggressive
policies earlier, but no other difference in domain registrant behaviour
is required. In particular: all parts of ARC processing are outside the
latter's control anyway.
> Actually having read the drafts in detail now, I'm starting to think
> ARC could supplant DKIM entirely. Am I wrong about that?
Not at all, that's certainly possible. I've been meaning to write up a
note on ARC and independent origination (telco-provisioned BlackBerries,
LinkedIn notifications, "own domain" sending from Gmail (the free
webmail client rather than Google Apps), news site send-to-a-friend,
etc.) to make the argument that ARC-signing can be used by independent
originators to take responsibility for what they're doing and help
receivers decide when to treat that as sufficient basis for disregarding
the domain registrant's p=reject. A trivial extension of this idea is
for domain registrant originators to do likewise, it will simply happen
to be the case that the ARC-(Seal|Message-Signature) i=1 headers will
have a d= value matching the RFC532.From domain. At this point, DKIM is
More information about the arc-discuss