[dmarc-discuss] A bit quiet?

Shal Farley shalf at CheshireEng.com
Mon Oct 26 21:22:46 PDT 2015

Scott Kitterman wrote:

> Who adds the ARC stamp? Perhaps I read it wrong, but I read it as being
> added by the intermediary and not the originator (previous hop).

That's correct.

> If I read it right, anyone can create an ARC stamp claiming to have
> received authenticated (e.g. DKIM signed) mail from my domain.

Correct, but unlike a Received header, that bad actor has identified themselves by way of their signature on the claim. Having this stronger identification of the intermediaries is a key feature of ARC.

By itself, though, the identification is not enough: it doesn't tell the receiver that the claim is false; the receiver must independently assess the trustworthiness of each ARC intermediary, by way of a reputation system or otherwise. The hope is that having a strong and automated way to identify the intermediaries will make creation and maintenance of the reputation system simpler, and increase its accuracy.

So in the end the receiver is holding a message, which by content analysis or otherwise it classifies for delivery. If the content classification is strongly negative not even passing DMARC is intended to override the classification (and certainly ARC results on a failing DMARC shouldn't). But that negative classification can drive the reputation engine. With a weak content classification result the ARC chain evaluation MAY be used to guide the local decision, leading to an override of the p=reject or not.

-- Shal
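The receiver-side evaluation the reply describes (read each sealer's identity from the ARC-Seal d= tag, accept the chain only if every sealer clears a reputation bar, let ARC guide a p=reject override only on a weak content classification, and feed a strongly negative classification back into sealer reputation), as an added Python example that is not from the list thread. The sample seals, domains, reputation table and the `signatures_verified` flag (cryptographic seal verification is assumed to be done by an ARC library) are constructed assumptions.

```python
import re

# Constructed sample ARC-Seal header fields (hypothetical domains, dummy b= values).
SAMPLE_SEALS = [
    "ARC-Seal: i=1; a=rsa-sha256; t=1445890000; cv=none; d=list.example.org; s=arc; b=AAA=",
    "ARC-Seal: i=2; a=rsa-sha256; t=1445890100; cv=pass; d=forwarder.example.net; s=arc; b=BBB=",
]
# Hypothetical receiver-maintained reputation: 0.0 (untrusted) .. 1.0 (trusted).
REPUTATION = {"list.example.org": 0.9, "forwarder.example.net": 0.8}

TAG_RE = re.compile(r"([a-z]+)\s*=\s*([^;]*)")

def parse_seal(header):
    """Split one ARC-Seal field into its tag=value pairs (DKIM-style tag list)."""
    _, _, value = header.partition(":")
    return {k: v.strip() for k, v in TAG_RE.findall(value)}

def sealing_domains(seals):
    """The d= identity every sealer signed with, in instance (i=) order."""
    tags = sorted((parse_seal(h) for h in seals), key=lambda t: int(t["i"]))
    return [t["d"] for t in tags]

def chain_accepted(seals, signatures_verified, reputation, min_reputation=0.5):
    """Usable chain: seals verify, i=1 reports cv=none, later seals cv=pass,
    and each identified sealer independently clears the reputation bar."""
    tags = sorted((parse_seal(h) for h in seals), key=lambda t: int(t["i"]))
    if not tags or not signatures_verified:
        return False
    if tags[0]["cv"] != "none" or any(t["cv"] != "pass" for t in tags[1:]):
        return False
    return all(reputation.get(t["d"], 0.0) >= min_reputation for t in tags)

def delivery_decision(content_score, dmarc_pass, dmarc_policy, seals,
                      signatures_verified, reputation):
    """content_score: -1.0 (strongly negative) .. 1.0. Returns 'deliver' or 'reject'."""
    if content_score <= -0.5:
        return "reject"          # strongly negative: neither DMARC pass nor ARC overrides
    if dmarc_pass or dmarc_policy != "reject":
        return "deliver"         # DMARC passed, or the domain's policy is not p=reject
    # DMARC failed under p=reject with only a weak classification: ARC MAY guide an override.
    if chain_accepted(seals, signatures_verified, reputation):
        return "deliver"
    return "reject"

def penalize_sealers(seals, reputation, penalty=0.2):
    """A negative classification drives the reputation engine: every sealer that
    vouched for the message loses standing (unknown sealers start at 0.5)."""
    for domain in sealing_domains(seals):
        reputation[domain] = max(0.0, reputation.get(domain, 0.5) - penalty)
    return reputation
```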

