Dave Crocker writes: > On 5/10/2016 5:23 PM, John Levine wrote: > >> Should DMARC add a policy setting for whether the domain owner feels that > >> ARC should be used to bypass regular DMARC evaluation? > > > > Please, no. One approach to what we can oversimplify as the mailing > > list problem is to do it from the sending end, with the sender using > > something like conditional double signatures to say mutated messages > > are OK. The other is to provide data that the recipient can use > > to decide these mutations are OK. > > > > ARC is definitely in the latter camp, and it would be painful to > > have both ends arguing about how OK stuff is.
+1 In practice, after April 2014, nobody who thinks about the issue is going to take DMARC policies with less than a grain of salt anyway. Of course they're going to take them *seriously*, but several large sites were already taking "p=reject" as "strong advice" rather than a command *before* AOL and Yahoo! started applying p=reject to mail flows containing millions of non-transactional messages. ARC is going to get slow uptake anyway, from the point of view of mailing list owners. We're going to depend on people trusting our signature more than Yahoo!'s in any case. > ARC, ultimately, relies on having the receiver trust assertions made by > the first ARC signer. Things get easier for the receiver if they see a > statement by the domain owner saying "don't bother with ARC". Why do you think so? As far as I can see, you (as receiver) end up in the same boat as with "p=reject": it's going to be applied to non-transactional mail flows that your users want to receive, and you're not going to deny them if you assess that the risk is low based on other evidence. An ARC Seal from a site with a high trust level surely makes a big difference there. Steve _______________________________________________ dmarc mailing list dmarc@ietf.org https://www.ietf.org/mailman/listinfo/dmarc
