>For a service at this scale, you'd need to only do this for places where
>you "trust" their Authentication-Results header. There is a potential
>issue of conflicting AR headers, which is one benefit of the OAR.
>
>It's not clear to me that gmail.com needs to tell another service to trust
>the OAR from a given third party, the choice to trust that service could
>easily be up to the receiving service.

Good point. That's why I keep saying that one or a few shared DMARC-bypass whitelists would work a lot better than anything per-sender. The set of senders where it makes sense to skip DMARC checks for Yahoo or AOL or Gmail addresses are likely to be the same.

Also, considering the complete lack of interest that two large mail providers have shown in mitigating the costs of their DMARC policy decisions, it seems pretty unlikely that they'd implement anything like this for their own domains.

>Finally, doesn't this imply a potentially large number of DNS queries?

For per-user lists, hard to say. For a shared list, it should be insignificant, no more than one per message.

R's,
John

_______________________________________________
dmarc mailing list
dmarc@ietf.org
https://www.ietf.org/mailman/listinfo/dmarc