[dmarc-discuss] A bit quiet?

Scott Kitterman sklist at kitterman.com
Fri Oct 23 13:27:41 PDT 2015



On October 23, 2015 2:10:26 PM EDT, "J. Gomez via dmarc-discuss" <dmarc-discuss at dmarc.org> wrote:
>On Friday, October 23, 2015 4:07 PM, Scott Kitterman via dmarc-discuss
>wrote:
>
>> On October 23, 2015 1:48:13 AM EDT, Roland Turner via dmarc-discuss
>> <dmarc-discuss at dmarc.org> wrote: 
>> > The question is not who you trust - ARC doesn't directly change
>> > that - but how you reliably automate determining whether the
>> > message was forwarded only by people that you trust. At present,
>> > you have to dig through Received: headers, infer per-forwarder
>> > internal structure and behaviour and, frequently, guess. ARC
>> > addresses that problem, not the one you're asking about.
>> 
>> I don't see why the signing domain of the DKIM signature that could
>> be added by the most recent sender doesn't already give an identifier
>> to use to evaluate trust in the sender.  
>> 
>> I can see that ARC gives a way to communicate information about the
>> upstream senders, but I don't see how that's related to DMARC. 
>> 
>> From a DMARC perspective, if you know the sender is trustworthy, you
>> do a local override.  ARC doesn't seem to be needed for that.
>
>How do you know the sender is trustworthy, if the email he sends 
>is failing a DMARC check?
>
>Is this ARC thing a mechanism to know when it is safe to ignore 
>the sender's DMARC policy of "p=reject"? And if it is such, shouldn't 
>it be part of the DMARC standard?

It's not. It's only useful when provided by senders you trust.

Scott K


More information about the dmarc-discuss mailing list