[dmarc-discuss] A bit quiet?

Scott Kitterman sklist at kitterman.com
Sun Oct 25 15:02:10 PDT 2015



On October 25, 2015 4:48:03 PM EDT, Franck Martin <fmartin at linkedin.com> wrote:
>On Sun, Oct 25, 2015 at 7:39 AM, Scott Kitterman via dmarc-discuss <
>dmarc-discuss at dmarc.org> wrote:
>
>>
>>
>> On October 24, 2015 6:42:46 AM EDT, "J. Gomez via dmarc-discuss" <
>> dmarc-discuss at dmarc.org> wrote:
>> >On Saturday, October 24, 2015 4:54 AM [GMT+1=CET], Scott Kitterman via
>> >dmarc-discuss wrote:
>> >
>> >> On October 23, 2015 8:37:06 PM EDT, John Levine <johnl at taugh.com>
>> >> wrote:
>> >> > > From a DMARC perspective, if you know the sender is trustworthy,
>> >> > > you do a local override.  ARC doesn't seem to be needed for that.
>> >> >
>> >> > I have many of the same questions you do, but it is my impression
>> >> > that a surprising number of lists behave fine for a long time, then
>> >> > some bad guy starts pumping spam through it by impersonating one of
>> >> > the subscribers.
>> >> >
>> >> > ARC should be helpful in that perhaps non-exotic situation.
>> >>
>> >> Could be.  I certainly don't claim it's not potentially useful.  My
>> >> concern is that it seems to be marketed as a solution to the DMARC
>> >> mailing list problem and as far as I can tell, its potential utility
>> >> is orthogonal to that.
>> >
>> >Ok, you said "from a DMARC perspective, if you know the sender is
>> >trustworthy, you do a local override". But imagine big ESP "A" with
>> >hundreds of thousands of users who may subscribe to all kinds of
>> >mailing lists of which mailing lists you --as big ESP "B"-- had no
>> >previous knowledge and on which you have no a-priori trust.
>> >
>> >In that scenario, when you as big ESP "B" receive email from such
>> >mailing lists addressed to your users, you don't know whether the
>> >sender (i.e., the mailing list) is trustworthy because you didn't know
>> >anything about him until now, so you cannot do a local override of
>> >DMARC in an automated and safe way.
>> >
>> >But if the big ESP "A" user sent a DKIM signed message to that list,
>> >and that list added an ARC seal to the message when it forwarded said
>> >message to the list's subscribers, then you --as big ESP "B" and as
>> >recipient of said message-- could verify that it is true that said user
>> >from big ESP "A" indeed sent that original email addressed to the list,
>> >and if the ARC chain is verifiable and goes back to someone you trust
>> >then you could begin to put some trust also in the other end of the ARC
>> >chain (on its latest iteration), and therefore do a local override of
>> >DMARC in an automated and safe way even with email received from
>> >senders you didn't know were trustworthy.
>> >
>> >Am I too off base?
>>
>> As described in the drafts, the ARC stamp is applied by the intermediary,
>> not the originator, so I don't think that works.
>>
>> Even if it did, it's still just another variant of whitelisting, which is
>> unlikely to scale very well.  Also, it could really only work for big
>> domains. Us little guys don't generate enough traffic to register in the
>> big guys' reputation systems.
>>
> And this is fine too, you don't need a reputation, you just need to
> not have a negative reputation.

So the idea is that arbitrary data added from an untrusted sender (unknown reputation) is sufficient to override DMARC p=reject?

Scott K
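
The two receiver policies debated in this thread ("every sealer must be trusted" versus "no sealer may have a negative reputation") can be compared directly. The following is an added example, not part of the original messages or of any ARC implementation: the function names, policy labels and sample ARC-Seal values are constructed, and cryptographic validation of the chain is assumed to be done elsewhere and passed in as a flag.

```python
import re

# Constructed ARC-Seal header values (signature data elided).
SAMPLE_SEALS = [
    "i=1; a=rsa-sha256; cv=none; d=lists.example.org; s=arc; b=...",
    "i=2; a=rsa-sha256; cv=pass; d=forwarder.example.net; s=arc; b=...",
]

def parse_seal(value):
    """Split an ARC-Seal header value into a dict of its tags."""
    tags = {}
    for part in value.split(";"):
        if "=" in part:
            key, val = part.split("=", 1)
            tags[key.strip()] = re.sub(r"\s+", "", val)
    return tags

def sealers(seals):
    """Return sealer domains in instance order, or None if the chain is malformed."""
    parsed = [parse_seal(s) for s in seals]
    try:
        parsed.sort(key=lambda t: int(t["i"]))
    except (KeyError, ValueError):
        return None
    for n, tags in enumerate(parsed, start=1):
        # Instances must run 1..N; the first seal carries cv=none, later ones cv=pass.
        expected_cv = "none" if n == 1 else "pass"
        if int(tags["i"]) != n or tags.get("cv") != expected_cv or "d" not in tags:
            return None
    return [t["d"].lower() for t in parsed] or None

def override_dmarc_reject(seals, signatures_valid, policy, trusted=(), negative=()):
    """Decide whether a DMARC p=reject failure may be overridden locally.

    signatures_valid: outcome of cryptographic ARC validation (assumed, done elsewhere).
    policy: "allowlist" (every sealer is locally trusted) or
            "not-negative" (no sealer has a known bad reputation).
    """
    domains = sealers(seals)
    if not signatures_valid or domains is None:
        return False
    if policy == "allowlist":
        return all(d in trusted for d in domains)
    if policy == "not-negative":
        return not any(d in negative for d in domains)
    raise ValueError("unknown policy: %r" % policy)
```

With the sample chain and an empty reputation database, the "not-negative" policy overrides p=reject on seals from domains the receiver has never seen, while the "allowlist" policy does not.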

