On Tuesday, February 16, 2016 06:17:27 AM Roland Turner via dmarc-discuss wrote:
> Scott Kitterman wrote:
> > To the extent ARC is useful to mitigate the DMARC mailing list issue, it's
> > only useful with additional data inputs that are not public and are not
> > feasible for small providers to generate on their own.
>
> I meant to ask earlier: would you level the same criticism at SMTP, given
> that running a useful mail-receiving-server without a solid DNSBL is now
> more-or-less infeasible? Does the fact that Spamhaus is already available
> free of charge to all of the small guys change this analysis?

The fact that there are high quality services available free/reasonable for a
little guy to pay does alter my perspective. At the time DNSBLs were becoming
popular/necessary there wasn't the same level of concentration in the market
and even going back to open relay lists there's ~always been something anyone
on a modest budget could use.

> Perhaps the fact that SMTP was developed at a time that abuse was not
> widespread gives it a free pass on this front? Presumably you don't argue
> that, *because* we're already in a high-abuse environment we should
> therefore cease collaboration on any class of solution which happens to
> require more data than is either: (a) feasible for small guys to process
> usefully, or
> (b) available to small guys at all?

SMTP has always, with a little study, been something any competent admin
could do. It takes a lot more study and more resources than a decade or two
ago, but we haven't, in my opinion, crossed a tipping point where that's no
longer possible. So SMTP gets a pass because it's ~always been accessible (I
know in the dim reaches of history that wasn't quite always so).

I think solutions feasible for one segment of the market (large, small,
purple, blue, don't care) are fine to collaborate on as long as people are
clear it's a partial solution.

> Would the public availability from a trustworthy source of data that makes
> it possible to use ARC to decide when to override DMARC policies[1] change
> your position?
>
> - Roland
>
> 1: I *don't* believe that this would take the form of a whitelist. It's more
> like the ability to recognise changes in baseline behaviour by forwarders
> who may or may not be ARC signing. I suspect that John Levine's concerns
> about whitelists have some strength.

It would, as that data is the barrier to entry I'm worried about. I think it's
actually two lists:

1. Domains good enough you ought to trust to believe what they say in ARC.

2. Domains bad enough you ought to reject their mail if they show up in ARC.

I do wonder, though, if I have the data to toss the message, why they didn't in
the first place (and if they didn't, why I should trust them).

So generically, yes, but I'm not certain what the characteristics of such a
data source would be.

Scott K
_______________________________________________
dmarc-discuss mailing list
dmarc-discuss@dmarc.org
http://www.dmarc.org/mailman/listinfo/dmarc-discuss

NOTE: Participating in this list means you agree to the DMARC Note Well terms (http://www.dmarc.org/note_well.html)