[dmarc-discuss] A bit quiet?

Scott Kitterman sklist at kitterman.com
Sun Oct 25 07:39:37 PDT 2015



On October 24, 2015 6:42:46 AM EDT, "J. Gomez via dmarc-discuss" <dmarc-discuss at dmarc.org> wrote:
>On Saturday, October 24, 2015 4:54 AM [GMT+1=CET], Scott Kitterman via
>dmarc-discuss wrote:
>
>> On October 23, 2015 8:37:06 PM EDT, John Levine <johnl at taugh.com>
>> wrote: 
>> > > From a DMARC perspective, if you know the sender is trustworthy,
>> > > you do a local override.  ARC doesn't
>> > > seem to be needed for that.
>> > 
>> > I have many of the same questions you do, but it is my impression
>> > that a surprising number of lists behave fine for a long time, then
>> > some bad guy starts pumping spam through it by impersonating one of
>> > the subscribers.
>> > 
>> > ARC should be helpful in that perhaps non-exotic situation.
>> 
>> Could be.  I certainly don't claim it's not potentially useful.  My
>> concern is that it seems to be marketed as a solution to the DMARC
>> mailing list problem and as far as I can tell, its potential utility
>> is orthogonal to that.
>
>Ok, you said "from a DMARC perspective, if you know the sender is
>trustworthy, you do a local override". But imagine big ESP "A" with
>hundreds of thousands of users who may subscribe to all kinds of
>mailing lists of which mailing lists you --as big ESP "B"-- had no
>previous knowledge and on which you have no a-priori trust.
>
>In that scenario, when you as big ESP "B" receive email from such
>mailing lists addressed to your users, you don't know whether the
>sender (i.e., the mailing list) is trustworthy because you didn't know
>anything about him until now, so you cannot do a local override of
>DMARC in an automated and safe way.
>
>But if the big ESP "A" user sent a DKIM signed message to that list,
>and that list added an ARC seal to the message when it forwarded said
>message to the list's subscribers, then you --as big ESP "B" and as
>recipient of said message-- could verify that it is true that said user
>from big ESP "A" indeed sent that original email addressed to the list,
>and if the ARC chain is verifiable and goes back to someone you trust
>then you could begin to put some trust also in the other end of the ARC
>chain (on its latest iteration), and therefore do a local override of
>DMARC in an automated and safe way even with email received from
>senders you didn't know were trustworthy.
>
>Am I too off base?

As described in the drafts, the ARC stamp is applied by the intermediary, not the originator, so I don't think that works.

Even if it did, it's still just another variant of whitelisting, which is unlikely to scale very well.  Also, it could really only work for big domains. Us little guys don't generate enough traffic to register in the big guys' reputation systems.

Scott K
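
A sketch of the receiver-side decision discussed in this thread, added here as an example (it is not code from any poster or from the ARC drafts): because each seal is applied by the intermediary, the override keys on the sealers' d= domains, which is a whitelist of intermediaries. Assumptions: header and tag names are those later standardized in RFC 8617, cryptographic validation is done elsewhere and passed in as the hypothetical `signatures_ok` flag, and all domains and header values are constructed.

```python
import re

def parse_tags(value):
    """Split 'k=v; k=v' into a dict; segments without '=' are skipped."""
    tags = {}
    for part in value.split(";"):
        key, sep, val = part.strip().partition("=")
        if sep:
            tags[key.strip()] = val.strip()
    return tags

def arc_override_decision(headers, trusted_sealers, signatures_ok):
    """Return (override, reason); signatures_ok (assumed) is the crypto result."""
    seals, results = {}, {}
    for name, value in headers:
        tags = parse_tags(value)
        inst = int(tags["i"]) if tags.get("i", "").isdigit() else 0
        if name.lower() == "arc-seal":
            if inst in seals:
                return False, "duplicate instance %d" % inst
            seals[inst] = tags
        elif name.lower() == "arc-authentication-results":
            results[inst] = value
    if not seals:
        return False, "no ARC chain"
    if sorted(seals) != list(range(1, len(seals) + 1)):
        return False, "instance numbers not contiguous from 1"
    for inst, tags in seals.items():
        # First sealer has no earlier chain (cv=none); later ones need cv=pass.
        if tags.get("cv") != ("none" if inst == 1 else "pass"):
            return False, "bad cv at i=%d" % inst
    if not signatures_ok:
        return False, "signature validation failed"
    # Each seal is the intermediary's own claim, so every sealer domain
    # has to be one the receiver already trusts.
    unknown = sorted({t.get("d", "") for t in seals.values()} - set(trusted_sealers))
    if unknown:
        return False, "untrusted sealer: " + ", ".join(unknown)
    m = re.search(r"\bdmarc=(\w+)", results.get(1, ""))
    if not m or m.group(1) != "pass":
        return False, "first hop did not record dmarc=pass"
    return True, "chain valid, all sealers trusted"

# Constructed sample: one list hop; b= is a placeholder, not a real signature.
SAMPLE = [
    ("ARC-Seal", "i=1; a=rsa-sha256; cv=none; d=lists.example.org; s=arc; b=PLACEHOLDER"),
    ("ARC-Authentication-Results", "i=1; lists.example.org; dkim=pass header.d=esp-a.example; dmarc=pass header.from=esp-a.example"),
]
```

Trusting only the originator (`esp-a.example`) yields no override for `SAMPLE`; the list's own domain has to be in `trusted_sealers`.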

