Murray S. Kucherawy writes:
> Some sort of contract or agreement between sender and receiver
> seems to me to be unavoidable if we want to leverage ARC without
> having a global domain reputation system. We don't have a
> precise method to do that. We need to experiment and
> standardize something to that extent, which I hope this WG can
> do after publishing -bis.
>
> I know what "contract" means abstractly, but what does this actually
> look like to someone that's looking for specific guidance? The text
> you have here, by itself, is vague and I don't think many operators
> will know what to do with it.

For example, Fastmail [1] includes per-user account configuration that lists "Forwarding hosts", which affect how they do spam filtering and whether they trust ARC or not (they also have a global trusted ARC list). The M3AAWG forwarding whitepaper will propose that all mailbox providers should include a similar setting, i.e., allow users to configure which hosts to trust for ARC.

It was already pointed out that forwarding does not happen out of the blue; there is always the user setting it up, i.e., joining the mailing list, providing the email address for alumni forwarding, etc. When the user does that, it would also be easy for him to go to the account settings of whatever mailbox provider he uses and add that ARC host there.

The mailbox provider could even detect that the user is getting emails that are being forwarded and which have ARC headers, and they could even ask a similar question as they do now when you move mails away from the spam folder, i.e., "Not spam", "This email has a valid ARC signature for alumni.university.edu, have you configured this organization for forwarding emails to you, and if so do you trust this organization for doing mail authentication checks on behalf of us".

What ARC really offers is that if there is an ARC header from an organization you trust, you can check the ARC-Authentication-Results and use them in addition to your own checks. If, for example, that header says SPF was pass, and you trust that domain, then you can trust that it properly did SPF checks and you can consider using the ARC SPF pass as SPF pass for the email, even when it is now failing.

I do not think there will ever be a global trusted ARC signers list, as I do, for example, want to trust certain organizations / countries, and there is no point in me trusting, for example, microsoft.com ARC signatures, as there should not be forwarders in Microsoft that should be forwarding emails to me. If there is an ARC header signed by Microsoft, that header does not have any value for me, but will have some value for some other people. Similarly, I will trust iki.fi (a non-profit email forwarding service in Finland that will forward all emails I receive to my actual mailbox), but there is no point in you personally trusting iki.fi ARC signatures. Mailbox providers might want to trust iki.fi, as one of our 30000 members might be using your services, thus adding iki.fi to trusted forwarders makes things easier for iki.fi members.

[1] https://www.fastmail.help/hc/en-us/articles/360060591413-Spam-filtering#forwarding
-- 
kivi...@iki.fi

_______________________________________________
dmarc mailing list
dmarc@ietf.org
https://www.ietf.org/mailman/listinfo/dmarc
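
The per-user trust decision described in the message above, as an added Python example that is not part of the original post or any mailbox provider's code. It assumes cryptographic validation of the ARC chain is done elsewhere and passed in as `chain_valid`; the header values, `sender.example`, and all function names are constructed for illustration.

```python
import re

# Constructed sample: one ARC set (i=1) added by a forwarder, as seen by the
# final receiver. Signature data is elided; it is not verified here.
SAMPLE_HEADERS = [
    ("ARC-Seal", "i=1; a=rsa-sha256; cv=none; d=alumni.university.edu; s=arc; b=(elided)"),
    ("ARC-Message-Signature", "i=1; a=rsa-sha256; d=alumni.university.edu; s=arc; bh=(elided); b=(elided)"),
    ("ARC-Authentication-Results",
     "i=1; mx.alumni.university.edu; spf=pass smtp.mailfrom=sender.example; "
     "dkim=pass header.d=sender.example"),
]

def _tags(value):
    """Parse a 'k=v; k=v' tag list as used in ARC-Seal."""
    return dict(p.strip().split("=", 1) for p in value.split(";") if "=" in p)

def arc_sets(headers):
    """Group ARC headers by instance: {i: {"sealer": domain, "spf": result}}."""
    sets = {}
    for name, value in headers:
        lname = name.lower()
        if lname == "arc-seal":
            t = _tags(value)
            sets.setdefault(int(t["i"]), {})["sealer"] = t["d"].lower()
        elif lname == "arc-authentication-results":
            inst = int(re.match(r"\s*i=(\d+)", value).group(1))
            m = re.search(r"\bspf=(\w+)", value)
            sets.setdefault(inst, {})["spf"] = m.group(1).lower() if m else None
    return sets

def effective_spf(headers, local_spf, chain_valid, user_trusted_forwarders):
    """Return (spf_result, source).

    The receiver's own SPF result stands unless it is not a pass, the ARC
    chain validated (assumed checked by the caller), and a sealer that THIS
    user listed as a forwarder recorded spf=pass in its
    ARC-Authentication-Results. Seals from unlisted domains are ignored.
    """
    if local_spf == "pass" or not chain_valid:
        return local_spf, "local"
    for inst, s in sorted(arc_sets(headers).items()):
        if s.get("sealer") in user_trusted_forwarders and s.get("spf") == "pass":
            return "pass", f"arc i={inst} {s['sealer']}"
    return local_spf, "local"
```

The same message yields different results for different recipients, because the trusted set is looked up per user rather than globally.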