[dmarc-discuss] A bit quiet?

J. Gomez jgomez at seryrich.com
Sat Oct 24 03:42:46 PDT 2015


On Saturday, October 24, 2015 4:54 AM [GMT+1=CET], Scott Kitterman via dmarc-discuss wrote:

> On October 23, 2015 8:37:06 PM EDT, John Levine <johnl at taugh.com>
> wrote: 
> > > From a DMARC perspective, if you know the sender is trustworthy,
> > > you do a local override.  ARC doesn't
> > > seem to be needed for that.
> > 
> > I have many of the same questions you do, but it is my impression
> > that a surprising number of lists behave fine for a long time, then
> > some bad guy starts pumping spam through it by impersonating one of
> > the subscribers.
> > 
> > ARC should be helpful in that perhaps non-exotic situation.
> 
> Could be.  I certainly don't claim it's not potentially useful.  My
> concern is that it seems to be marketed as a solution to the DMARC
> mailing list problem and as far as I can tell, its potential utility
> is orthogonal to that.

Ok, you said "from a DMARC perspective, if you know the sender is trustworthy, you do a local override". But imagine big ESP "A" with hundreds of thousands of users who may subscribe to all kinds of mailing lists of which mailing lists you --as big ESP "B"-- had no previous knowledge and on which you have no a-priori trust.

In that scenario, when you as big ESP "B" receive email from such mailing lists addressed to your users, you don't know whether the sender (i.e., the mailing list) is trustworthy because you didn't know anything about him until now, so you cannot do a local override of DMARC in an automated and safe way.

But if the big ESP "A" user sent a DKIM signed message to that list, and that list added a ARC seal to the message when it forwarded said message to the list's subscribers, then you --as big ESP "B" and as recipient of said message-- could verify that it is true that said user from big ESP "A" indeed sent that original email addressed to the list, and if the ARC chain is verifiable and goes back to someone you trust then you could begin to put some trust also in the other end of the ARC chain (on its latest iteration), and therefore do a local override of DMARC in an automated and safe way even with email received from senders your didn't know were trustworthy.

Am I too off base?

Regards,
J.Gomez




More information about the dmarc-discuss mailing list