[dmarc-discuss] DMARC thwarted already?

Arvel Hathcock arvel.hathcock at altn.com
Thu Jun 5 20:45:15 PDT 2014


On 6/5/2014 9:42 PM, John Levine via dmarc-discuss wrote:
>> Presumably, if VBR is already an RFC, why couldn't DMARC integrate with it? As a large
>> receiver I would never trust a set supplied by the sender, but if I had a handful of locally
>> defined vouching services, then I could use that to bypass a DMARC enforcement in the event
>> that the message passes SPF and DKIM, yet fails alignment.
> As one of the authors of VBR, I think that'd be a dandy idea.

Through the graciousness of the real authors my name is also on that 
one.   We've provided a free VBR service as a value add to our MTA 
customers for years which we run and police ourselves.  Not that anyone 
else does (or should) but our customers trust us (for the most part) 
that if we say a domain is OK (and VBR is how we do that) then they skip 
spam filtering, or lessen it, etc.   I've just finished implementing 
DMARC for my next version and it will use the VBR service too in just 
the way you've described.   I've read that Spamhaus runs a VBR 
white-list as well called the "BWL" but I don't know anything else about 
it. http://www.spamhauswhitelist.com/en/techfaq.php.

Arvel



More information about the dmarc-discuss mailing list