On October 25, 2015 4:48:03 PM EDT, Franck Martin <fmar...@linkedin.com> wrote: >On Sun, Oct 25, 2015 at 7:39 AM, Scott Kitterman via dmarc-discuss < >dmarc-discuss@dmarc.org> wrote: > >> >> >> On October 24, 2015 6:42:46 AM EDT, "J. Gomez via dmarc-discuss" < >> dmarc-discuss@dmarc.org> wrote: >> >On Saturday, October 24, 2015 4:54 AM [GMT+1=CET], Scott Kitterman >via >> >dmarc-discuss wrote: >> > >> >> On October 23, 2015 8:37:06 PM EDT, John Levine <jo...@taugh.com> >> >> wrote: >> >> > > From a DMARC perspective, if you know the sender is >trustworthy, >> >> > > you do a local override. ARC doesn't >> >> > > seem to be needed for that. >> >> > >> >> > I have many of the same questions you do, but it is my >impression >> >> > that a surprising number of lists behave fine for a long time, >then >> >> > some bad guy starts pumping spam through it by impersonating one >of >> >> > the subscribers. >> >> > >> >> > ARC should be helpful in that perhaps non-exotic situation. >> >> >> >> Could be. I certainly don't claim it's not potentially useful. >My >> >> concern is that it seems to be marketed as a solution to the DMARC >> >> mailing list problem and as far as I can tell, its potential >utility >> >> is orthogonal to that. >> > >> >Ok, you said "from a DMARC perspective, if you know the sender is >> >trustworthy, you do a local override". But imagine big ESP "A" with >> >hundreds of thousands of users who may subscribe to all kinds of >> >mailing lists of which mailing lists you --as big ESP "B"-- had no >> >previous knowledge and on which you have no a-priori trust. >> > >> >In that scenario, when you as big ESP "B" receive email from such >> >mailing lists addressed to your users, you don't know whether the >> >sender (i.e., the mailing list) is trustworthy because you didn't >know >> >anything about him until now, so you cannot do a local override of >> >DMARC in an automated and safe way. >> > >> >But if the big ESP "A" user sent a DKIM signed message to that list, >> >and that list added a ARC seal to the message when it forwarded said >> >message to the list's subscribers, then you --as big ESP "B" and as >> >recipient of said message-- could verify that it is true that said >user >> >from big ESP "A" indeed sent that original email addressed to the >list, >> >and if the ARC chain is verifiable and goes back to someone you >trust >> >then you could begin to put some trust also in the other end of the >ARC >> >chain (on its latest iteration), and therefore do a local override >of >> >DMARC in an automated and safe way even with email received from >> >senders your didn't know were trustworthy. >> > >> >Am I too off base? >> >> As described in the drafts, the ARC stamp is applied by the >intermediary, >> not the originator, so I don't think that works. >> >> Even if it did, it's still just another variant of whitelisting, >which is >> unlikely to scale very well. Also, it could really only work for big >> domains. Us little guys don't generate enough traffic to register in >the >> big guys reputation systems. >> > And this is fine too, you don't need a reputation, you just need to > not have a negative reputation.
So the idea is that arbitrary data added from an untrusted sender (unknown reputation) is sufficient to override DMARC p=reject? Scott K _______________________________________________ dmarc-discuss mailing list dmarc-discuss@dmarc.org http://www.dmarc.org/mailman/listinfo/dmarc-discuss NOTE: Participating in this list means you agree to the DMARC Note Well terms (http://www.dmarc.org/note_well.html)
