[dmarc-discuss] A bit quiet?

Franck Martin fmartin at linkedin.com
Sun Oct 25 13:48:03 PDT 2015


On Sun, Oct 25, 2015 at 7:39 AM, Scott Kitterman via dmarc-discuss <
dmarc-discuss at dmarc.org> wrote:

>
>
> On October 24, 2015 6:42:46 AM EDT, "J. Gomez via dmarc-discuss" <
> dmarc-discuss at dmarc.org> wrote:
> >On Saturday, October 24, 2015 4:54 AM [GMT+1=CET], Scott Kitterman via
> >dmarc-discuss wrote:
> >
> >> On October 23, 2015 8:37:06 PM EDT, John Levine <johnl at taugh.com>
> >> wrote:
> >> > > From a DMARC perspective, if you know the sender is trustworthy,
> >> > > you do a local override.  ARC doesn't
> >> > > seem to be needed for that.
> >> >
> >> > I have many of the same questions you do, but it is my impression
> >> > that a surprising number of lists behave fine for a long time, then
> >> > some bad guy starts pumping spam through it by impersonating one of
> >> > the subscribers.
> >> >
> >> > ARC should be helpful in that perhaps non-exotic situation.
> >>
> >> Could be.  I certainly don't claim it's not potentially useful.  My
> >> concern is that it seems to be marketed as a solution to the DMARC
> >> mailing list problem and as far as I can tell, its potential utility
> >> is orthogonal to that.
> >
> >Ok, you said "from a DMARC perspective, if you know the sender is
> >trustworthy, you do a local override". But imagine big ESP "A" with
> >hundreds of thousands of users who may subscribe to all kinds of
> >mailing lists of which mailing lists you --as big ESP "B"-- had no
> >previous knowledge and on which you have no a-priori trust.
> >
> >In that scenario, when you as big ESP "B" receive email from such
> >mailing lists addressed to your users, you don't know whether the
> >sender (i.e., the mailing list) is trustworthy because you didn't know
> >anything about him until now, so you cannot do a local override of
> >DMARC in an automated and safe way.
> >
> >But if the big ESP "A" user sent a DKIM signed message to that list,
> >and that list added an ARC seal to the message when it forwarded said
> >message to the list's subscribers, then you --as big ESP "B" and as
> >recipient of said message-- could verify that it is true that said user
> >from big ESP "A" indeed sent that original email addressed to the list,
> >and if the ARC chain is verifiable and goes back to someone you trust
> >then you could begin to put some trust also in the other end of the ARC
> >chain (on its latest iteration), and therefore do a local override of
> >DMARC in an automated and safe way even with email received from
> >senders you didn't know were trustworthy.
> >
> >Am I too off base?
>
> As described in the drafts, the ARC stamp is applied by the intermediary,
> not the originator, so I don't think that works.
>
> Even if it did, it's still just another variant of whitelisting, which is
> unlikely to scale very well.  Also, it could really only work for big
> domains. Us little guys don't generate enough traffic to register in the
> big guys' reputation systems.
>
And this is fine too, you don't need a reputation, you just need to not
have a negative reputation.
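
The automated local override discussed in this thread, as an added Python example that is not part of the original messages: a receiver checks the structure of the ARC chain an intermediary added, reads what the first hop recorded, and overrides a DMARC failure only when no sealer has a negative reputation. Header field names follow ARC as later published in RFC 8617; the domains, the `bad_sealers` set and the function names are assumptions, and the `b=`/`bh=` signatures are assumed to have been verified already by a separate ARC verifier.

```python
from email import message_from_string

# Constructed sample: list traffic with one ARC set (i=1) added by the list.
# b=/bh= values are placeholders; verifying them is assumed done elsewhere.
SAMPLE = """\
ARC-Seal: i=1; a=rsa-sha256; cv=none; d=lists.example.org; s=arc; b=PLACEHOLDER
ARC-Message-Signature: i=1; a=rsa-sha256; d=lists.example.org; s=arc; h=from; bh=PLACEHOLDER; b=PLACEHOLDER
ARC-Authentication-Results: i=1; lists.example.org; dkim=pass header.d=esp-a.example; dmarc=pass header.from=esp-a.example
From: user@esp-a.example
Subject: [list] hello

body
"""
ARC_HEADERS = ("ARC-Seal", "ARC-Message-Signature", "ARC-Authentication-Results")

def tags(value):
    """Parse a 'k=v; k=v' tag list; items without '=' are skipped."""
    return dict(p.strip().split("=", 1) for p in value.split(";") if "=" in p)

def arc_sets(msg):
    """Group ARC headers by instance: {i: {header: tags}}; None if malformed."""
    sets = {}
    for name in ARC_HEADERS:
        for value in msg.get_all(name, []):
            t = tags(value)
            i = t.get("i", "")
            if not i.isdecimal() or name in sets.setdefault(int(i), {}):
                return None  # missing instance number or duplicate header
            sets[int(i)][name] = t
    return sets

def chain_ok(sets):
    """Structure only: instances 1..N, three headers each, cv=none then pass."""
    if not sets or sorted(sets) != list(range(1, len(sets) + 1)):
        return False
    return all(len(s) == 3 and s["ARC-Seal"].get("cv") == ("none" if i == 1 else "pass")
               for i, s in sets.items())

def local_override(raw, dmarc_result, bad_sealers):
    """True when a DMARC failure may be overridden on ARC evidence."""
    sets = arc_sets(message_from_string(raw))
    if dmarc_result == "pass" or not chain_ok(sets):
        return False
    sealers = {s["ARC-Seal"].get("d", "").lower() for s in sets.values()}
    first_hop = sets[1]["ARC-Authentication-Results"].get("dmarc", "")
    # No positive reputation is required, only the absence of a negative one.
    return first_hop.split(" ")[0] == "pass" and not (sealers & set(bad_sealers))
```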