On Sun, Oct 25, 2015 at 7:39 AM, Scott Kitterman via dmarc-discuss <dmarc-discuss@dmarc.org> wrote:

> On October 24, 2015 6:42:46 AM EDT, "J. Gomez via dmarc-discuss" <dmarc-discuss@dmarc.org> wrote:
> >On Saturday, October 24, 2015 4:54 AM [GMT+1=CET], Scott Kitterman via
> >dmarc-discuss wrote:
> >
> >> On October 23, 2015 8:37:06 PM EDT, John Levine <jo...@taugh.com>
> >> wrote:
> >> > > From a DMARC perspective, if you know the sender is trustworthy,
> >> > > you do a local override. ARC doesn't
> >> > > seem to be needed for that.
> >> >
> >> > I have many of the same questions you do, but it is my impression
> >> > that a surprising number of lists behave fine for a long time, then
> >> > some bad guy starts pumping spam through it by impersonating one of
> >> > the subscribers.
> >> >
> >> > ARC should be helpful in that perhaps non-exotic situation.
> >>
> >> Could be. I certainly don't claim it's not potentially useful. My
> >> concern is that it seems to be marketed as a solution to the DMARC
> >> mailing list problem and as far as I can tell, its potential utility
> >> is orthogonal to that.
> >
> >Ok, you said "from a DMARC perspective, if you know the sender is
> >trustworthy, you do a local override". But imagine big ESP "A" with
> >hundreds of thousands of users who may subscribe to all kinds of
> >mailing lists of which mailing lists you --as big ESP "B"-- had no
> >previous knowledge and on which you have no a-priori trust.
> >
> >In that scenario, when you as big ESP "B" receive email from such
> >mailing lists addressed to your users, you don't know whether the
> >sender (i.e., the mailing list) is trustworthy because you didn't know
> >anything about him until now, so you cannot do a local override of
> >DMARC in an automated and safe way.
> >
> >But if the big ESP "A" user sent a DKIM signed message to that list,
> >and that list added an ARC seal to the message when it forwarded said
> >message to the list's subscribers, then you --as big ESP "B" and as
> >recipient of said message-- could verify that it is true that said user
> >from big ESP "A" indeed sent that original email addressed to the list,
> >and if the ARC chain is verifiable and goes back to someone you trust
> >then you could begin to put some trust also in the other end of the ARC
> >chain (on its latest iteration), and therefore do a local override of
> >DMARC in an automated and safe way even with email received from
> >senders you didn't know were trustworthy.
> >
> >Am I too off base?
>
> As described in the drafts, the ARC stamp is applied by the intermediary,
> not the originator, so I don't think that works.
>
> Even if it did, it's still just another variant of whitelisting, which is
> unlikely to scale very well. Also, it could really only work for big
> domains. Us little guys don't generate enough traffic to register in the
> big guys' reputation systems.

And this is fine too, you don't need a reputation, you just need to not have a negative reputation.