No might about it -- ARC is only useful with domain reputation. Of course, DKIM
is only useful with domain reputation, as were Domainkeys and IIM, so I don't
see why it's a problem now.
Much of the objective of DomainKeys/IIM/DKIM was to provide a reliable
domain identifier that could be used by a reputation system. They
avoided saying that they were doing anything about spam and phishing.
OTOH, DMARC is explicitly saying that it’s there to do something about
phishing.
It was totally obvious at the time what DKIM was intended for, so I don't
think that's likely to be persuasive. In practice, ARC isn't that bad.
IF you're a really big mail system you can collect your own repuations, if
you're not so big your users probably subscribe to few enough legit ARC
signers that you can manually whitelist them. On my system I think
there's about five. It's not like the general spam problem where you have
a zillion new identifiers every day most of which are spam but a few are
not.
Our choices are to say here's what DMARC does, it has these problems, here's
how to use it for the situations where it works, here's how to sort of mitigate
the ones where it doesn't. Or we can stamp our feet and say DMARC is BAD and
we will not endorse it and NOBODY should use it, and the rest of the mail world
will say isn't that cute, the IETF is having a tantrum.
Or we can say that it’s not ready for standards track yet. The only time I can
think of in this space that we have stamped our feet and said something is BAD
was with ADSP. But I am troubled by the mandatory requirements imposed by
organizations citing an informational RFC, RFC 7489. It makes it seem like
standards track doesn’t mean as much as it should.
Well, ADSP actually was bad, and DMARC has reinvented much of what was bad
about it, but unlike ADSP, it's used by every significant mail system in
the world so we're stuck with it. I have heard somewhere that successful
standards document actual practice even if the practice is not ideal.
It's up to us, we can say nope, not a standard, and people will use it as
a standard, or we can say it's not great but here's the standard, and they
will use it as a standard. I know which one I'd do.
R's,
John
_______________________________________________
dmarc mailing list
dmarc@ietf.org
https://www.ietf.org/mailman/listinfo/dmarc
