On Mon, Apr 3, 2017 at 5:42 PM, Murray S. Kucherawy <superu...@gmail.com> wrote:
> On Mon, Apr 3, 2017 at 5:36 PM, Steven M Jones <s...@crash.com> wrote:
>
>> My POV, there is a strong 1:1 correlation between a set of ARC headers
>> and a given ADMD. In this world view, the A-A-R would *not* collect all A-R
>> values from all preceding ADMDs.
>
> It depends on what the goal is. If you only want to record what the ADMD
> itself directly evaluated, your proposal is fine. If you want to record
> what the ADMD thinks prior ADMDs claimed (e.g., GMail saying "Yahoo! claims
> this was fine when they got it"), then we must go deeper. But I don't know
> if that's what's actually needed, or would even be useful, or how one would
> evaluate the meaning of such an indirect claim without a lot of reputation
> data.

Knowing what the previous ADMD thought is explicitly a goal of ARC. The theory is, the first hop said that it was from yahoo.com and DKIM signature matched, and then the mailing list changed it so the DKIM signature is now broken, but I believe that the first hop was accurate, so I will bypass DMARC reject.

Does it need to be included at every hop? Well, what if it goes through a mailing list at @google.com which does rewrite it to @google.com and DKIM signs it to pass, then another hop which rewrites all of the links to use Proofpoint's "smart malware redirector", so it would fail DMARC for a domain that wasn't the original domain or evaluation.

The proposal which led to this, X-Original-Authentication-Results, was basically a way to pass a single AuthRes header forward (in our impl, it is only believed if it is covered by our X-Google-DKIM-Signature). ARC extends this to handling multiple hops.

Brandon
_______________________________________________
dmarc mailing list
dmarc@ietf.org
https://www.ietf.org/mailman/listinfo/dmarc
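The multi-hop scenario from the thread above, as an added example that is not code from any participant: it orders per-hop ARC-Authentication-Results values by their `i=` instance and reads back what the first ADMD recorded. The header values and `.example` hostnames are constructed, the function names are hypothetical, and the sketch assumes the ARC-Seal and ARC-Message-Signature chain has already been validated, since an unvalidated AAR is only an unauthenticated claim.

```python
import re

# Constructed AAR values (deliberately out of order): i=1 saw the original
# yahoo.com mail, i=2 saw the list's rewritten @google.com mail, and i=3 saw
# it after a later hop modified the body.
SAMPLE_AAR = [
    "i=3; mx.final.example; dkim=fail header.d=google.com; dmarc=fail header.from=google.com",
    "i=1; mx.list.example; dkim=pass header.d=yahoo.com; dmarc=pass header.from=yahoo.com",
    "i=2; mx.filter.example; dkim=pass header.d=google.com; dmarc=pass header.from=google.com",
]

def parse_aar(value):
    """Return (instance, authserv_id, {method: (result, props)}) for one AAR value.

    Simplification: splits on ';' and whitespace, so comments and quoted
    strings allowed by the Authentication-Results grammar are not handled.
    """
    parts = [p.strip() for p in value.split(";") if p.strip()]
    m = re.fullmatch(r"i\s*=\s*(\d+)", parts[0]) if len(parts) >= 2 else None
    if not m:
        raise ValueError("expected 'i=N; authserv-id; ...'")
    methods = {}
    for resinfo in parts[2:]:
        tokens = resinfo.split()
        method, _, result = tokens[0].partition("=")
        props = dict(t.split("=", 1) for t in tokens[1:] if "=" in t)
        methods[method.lower()] = (result.lower(), props)
    return int(m.group(1)), parts[1], methods

def chain_by_hop(aar_values):
    """Order hops by instance and reject gaps or duplicates."""
    hops = sorted((parse_aar(v) for v in aar_values), key=lambda h: h[0])
    if [h[0] for h in hops] != list(range(1, len(hops) + 1)):
        raise ValueError("ARC instances must run 1..N with no gaps or repeats")
    return hops

def first_hop_claim(aar_values, method="dmarc"):
    """What the i=1 ADMD recorded for `method`, or None if it recorded nothing."""
    _, authserv_id, methods = chain_by_hop(aar_values)[0]
    if method not in methods:
        return None
    result, props = methods[method]
    return authserv_id, result, props
```
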