[dmarc-discuss] A bit quiet?

Roland Turner roland.turner at trustsphere.com
Mon Oct 26 02:57:28 PDT 2015


Shal wrote:

> Roland wrote:
>
>> - Forwarders who are large enough to be monitoring deliverability can
>> trivially determine whether their ARC-signing is being successfully
>> validated and/or when receivers trust them enough to accept messages
>> despite failing DMARC.
>
> I see how that is possible when the forwarder has taken "ownership"
> of the message by putting their own domain in the From, but if they do
> ARC signing without taking ownership how do they know anything about
> the receiver's authentication results? I missed any reference to the
> intermediaries getting reports.

DMARC feedback only tells Domain Owners about authentication results, it tells them nothing about deliverability and tells forwarders nothing at all. Assessing deliverability to a receiver requires monitored mailboxes on the receiver in question. The same mechanism will give access to Authentication-Results: headers. Per the above, it's generally only larger forwarders (or originators) who will be doing this.

>>> Now it is also true that the service can't know which receiving domains implement
>>> DMARC processing, except by way of public announcements or user complaints of
>>> non-delivery.
>>
>> This is not entirely correct. DMARC aggregate reports and
>> Authentication-Results: headers both make clear whether (a) a receiver
>> is implementing DMARC and (b) validation is succeeding.
>
> Yes, but those reports go to an address specified by originator's
> DNS records, as I understand it. Not to the intermediary, unless
> the intermediary becomes the originator by putting their own domain
> in the From: of the message.

Apologies, I missed "the service" in your comment so, no DMARC aggregate feedback would not be available. As above, Authentication-Results: access would also require monitored mailboxes in the receivers in question which, as above, is generally only relevant for larger forwarders/originators. Smaller forwarders shouldn't be dropping their workarounds just yet.

- Roland


More information about the dmarc-discuss mailing list