[dmarc-discuss] A bit quiet?

Shal Farley shalf at CheshireEng.com
Sun Oct 25 23:53:57 PDT 2015

Roland Turner wrote:

> I'd suggest that what ARC solves - if it works - is the entirety of the 
> problems for forwarders who are willing to cooperate but nonetheless 
> wish to modify messages sufficiently to break DKIM, ...

Although I think ARC is a step forward, I think it still leaves list managers with a bit of a conundrum, at least in the near and moderate term: at what point does it make sense for the list service to invest the effort in implementing ARC processing? 

I'm a user (not an employee) of an independent mailing list system[1], and that system follows the fairly typical practice of inserting a list tag in the subject line, and appending a standard footer to each message, thus breaking the original DKIM signature.

The service has adapted to DMARC in the following way: if the domain of the sender publishes p=reject then the list "takes ownership" of the message by modifying the From: address to be the domain of the list, and providing both SPF and DKIM information which should pass DMARC. Otherwise the list passes the sender's From address unmodified (and its SPF records are moot, for DMARC purposes, as is its DKIM signature due to the domain mismatch).

The conundrum I foresee is that the service can't know which receiving domains have implemented ARC processing - and so can't know whether ARC processing will be effective at getting their messages delivered, that is, effective as compared to taking ownership.

Now it is also true that the service can't know which receiving domains implement DMARC processing, except by way of public announcements or user complaints of non-delivery. But taking ownership based on the sender moots that question. 

So I think ARC is a solution for list managers only if its adoption rate approaches 100% among mail receivers who implement DMARC processing. Maybe that will rapidly be the case, I don't know. It would make sense that any receiver that went to the effort of implementing DMARC processing would go for ARC as well, but until that is true in practice the conundrum remains.

-- Shal
[1] https://groups.io/
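
The "take ownership" decision described in the message above, as an added example that is not part of the original post and is not the list service's code. The domains, the addresses, the sample DMARC records, the function names and the Reply-To handling are all assumptions made for illustration.

```python
from email.message import EmailMessage
from email.utils import formataddr, parseaddr

# Constructed sample records standing in for DNS TXT lookups of
# _dmarc.<domain>; a real list would query DNS and, when the exact domain has
# no record, fall back to the organizational domain.
SAMPLE_DMARC = {
    "strict.example": "v=DMARC1; p=reject; rua=mailto:agg@strict.example",
    "relaxed.example": "v=DMARC1; p=none",
}

def dmarc_policy(domain, records=SAMPLE_DMARC):
    """Return the published p= value for domain, or None if no valid record."""
    tags = {}
    for part in records.get(domain.lower(), "").split(";"):
        key, sep, value = part.partition("=")
        if sep:
            tags[key.strip().lower()] = value.strip().lower()
    return tags.get("p") if tags.get("v") == "dmarc1" else None

def process_for_list(msg, list_addr, tag, footer):
    """Tag and footer the message; rewrite From: only for p=reject senders.

    Returns True when the list took ownership of the From: header.
    """
    name, addr = parseaddr(str(msg["From"]))
    subject = str(msg["Subject"] or "")
    del msg["Subject"]
    msg["Subject"] = f"[{tag}] {subject}"
    # The subject tag and footer are the changes that break the author's DKIM
    # signature, which is why the From: decision below is needed at all.
    body = msg.get_content().rstrip("\n")
    msg.set_content(f"{body}\n\n{footer}\n")
    take_ownership = dmarc_policy(addr.rpartition("@")[2]) == "reject"
    if take_ownership:
        # From: now carries the list's domain, so the list's own SPF and DKIM
        # (applied at send time, not shown here) can align and pass DMARC.
        del msg["From"], msg["Reply-To"]
        msg["From"] = formataddr((f"{name or addr} via {tag}", list_addr))
        msg["Reply-To"] = addr  # assumption: keep the author reachable
    return take_ownership
```

The decision depends only on the sender's published policy, which is why it works without knowing anything about the receiving domain.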

