[dmarc-discuss] A bit quiet?

Scott Kitterman sklist at kitterman.com
Fri Oct 23 07:07:42 PDT 2015



On October 23, 2015 1:48:13 AM EDT, Roland Turner via dmarc-discuss <dmarc-discuss at dmarc.org> wrote:
>The question is not who you trust - ARC doesn't directly change that -
>but how you reliably automate determining whether the message was
>forwarded only by people that you trust. At present, you have to dig
>through Received: headers, infer per-forwarder internal structure and
>behaviour and, frequently, guess. ARC addresses that problem, not the
>one you're asking about.

I don't see why the signing domain of the DKIM signature that could be added by the most recent sender doesn't already give an identifier  to use to evaluate trust in the sender.

I can see that ARC gives a way to communicate information about the upstream senders, but I don't see how that's related to DMARC.

>From a DMARC perspective, if you know the sender is trustworthy, you do a local override.  ARC doesn't seem to be needed for that.
>
>The amount of discussion to date about specific historical whitelist
>proposals is neither here nor there. The question is whether ARC's
>degree of support for reliable automatic chain-of-custody assessment
>provides a material improvement for a group of receivers interoperating
>with a group of forwarders. So long as the answer to that question is
>yes, then this is progress. I'd suggest that:
>
>*   large receivers are generally keen to implement things that
>materially improve their ability to separate wheat from chaff (ARC does
>this if it's implemented by any significant subset of mailing-list
>operators), and
>*   at least some of the mailing-list operators whose discomfort with
>DMARC interoperation is the need to disrupt long-traditional norms
>(leaving From: unchanged but tagging Subject:, stripping multiparts,
>adding footers, ...) will be willing to perform ARC processing on
>messages on the way in, in order to interoperate without giving up
>traditional mailing-list operations.
>
>If these are both true, then ARC is a clear benefit.

Only if ARC processing materially affects if receivers are willing to consider the mailing list as trusted.  As far as I can tell, ARC does nothing for determining this.  In fact, it seems that from a DMARC mailing list problem perspective, ARC is almost exactly backwards.

ARC appears to leverage knowledge of who are trusted senders to make it easier to trace a message path.  If there's a way to know which senders are trusted, then DMARC can already be overridden.

Maybe I am just failing to understand, but this reads to me like a solution to the DMARC mailing list problem that only works if there already exists another solution to the DMARC mailing list problem.  That or it's completely unrelated to DMARC.  I'm not sure which.

Scott K 


More information about the dmarc-discuss mailing list