[dmarc-discuss] A bit quiet?

Franck Martin fmartin at linkedin.com
Sat Oct 24 11:47:12 PDT 2015


I think ARC is making it clear it does not provide a chain of trust but a
custodial chain.

Assessing the trust of this custodial chain is left as an exercise to the
implementer :P

Seriously, a very simple system, is to extract all the domains in the chain
and see if any is on a blocklist (including newly observed domains).

On Sat, Oct 24, 2015 at 3:42 AM, J. Gomez via dmarc-discuss <
dmarc-discuss at dmarc.org> wrote:

> On Saturday, October 24, 2015 4:54 AM [GMT+1=CET], Scott Kitterman via
> dmarc-discuss wrote:
>
> > On October 23, 2015 8:37:06 PM EDT, John Levine <johnl at taugh.com>
> > wrote:
> > > > From a DMARC perspective, if you know the sender is trustworthy,
> > > > you do a local override.  ARC doesn't
> > > > seem to be needed for that.
> > >
> > > I have many of the same questions you do, but it is my impression
> > > that a surprising number of lists behave fine for a long time, then
> > > some bad guy starts pumping spam through it by impersonating one of
> > > the subscribers.
> > >
> > > ARC should be helpful in that perhaps non-exotic situation.
> >
> > Could be.  I certainly don't claim it's not potentially useful.  My
> > concern is that it seems to be marketed as a solution to the DMARC
> > mailing list problem and as far as I can tell, its potential utility
> > is orthogonal to that.
>
> Ok, you said "from a DMARC perspective, if you know the sender is
> trustworthy, you do a local override". But imagine big ESP "A" with
> hundreds of thousands of users who may subscribe to all kinds of mailing
> lists of which mailing lists you --as big ESP "B"-- had no previous
> knowledge and on which you have no a-priori trust.
>
> In that scenario, when you as big ESP "B" receive email from such mailing
> lists addressed to your users, you don't know whether the sender (i.e., the
> mailing list) is trustworthy because you didn't know anything about him
> until now, so you cannot do a local override of DMARC in an automated and
> safe way.
>
> But if the big ESP "A" user sent a DKIM signed message to that list, and
> that list added a ARC seal to the message when it forwarded said message to
> the list's subscribers, then you --as big ESP "B" and as recipient of said
> message-- could verify that it is true that said user from big ESP "A"
> indeed sent that original email addressed to the list, and if the ARC chain
> is verifiable and goes back to someone you trust then you could begin to
> put some trust also in the other end of the ARC chain (on its latest
> iteration), and therefore do a local override of DMARC in an automated and
> safe way even with email received from senders your didn't know were
> trustworthy.
>
> Am I too off base?
>
> Regards,
> J.Gomez
>
>
> _______________________________________________
> dmarc-discuss mailing list
> dmarc-discuss at dmarc.org
> http://www.dmarc.org/mailman/listinfo/dmarc-discuss
>
> NOTE: Participating in this list means you agree to the DMARC Note Well
> terms (http://www.dmarc.org/note_well.html)
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://dmarc.org/pipermail/dmarc-discuss/attachments/20151024/b0cfe181/attachment.html>


More information about the dmarc-discuss mailing list