On Monday, June 15, 2020 2:19:22 PM EDT Jesse Thompson wrote: > On 6/15/20 12:44 PM, John Levine wrote: > > In article <1ef0572d-a83c-ad97-9c0d-5f5615ab1...@wisc.edu> you write: > > They both claim they're working on ARC. > > > >> So, solution 1.3 has been naturally selected. Does it need to be > >> standardized, or is a BCP good enough? I'd still like to see a solution > >> for receivers to "un-munge" trustworthy messages in a safe and > >> consistent way. Is that where ARC comes in? > > > > No. ARC lets mail systems accept list mail without munging. > > How will a random intermediary know if random destination has implemented > ARC and will trust their claim? Even domains hosted by SaaS providers will > have their own ARC reputation to manage, and might have to do things like > configure munging on a per-recipient/domain basis, assuming the SaaS > provider grants that level of control. It's safer and easier to munge > everything.
They won't. Bypassing DMARC based on ARC requires some level of trust in the source of the message. > Even if you ignore my line of reasoning, I think that Ale made in the OP a > compelling case that the practice of From rewriting is here to stay. As a practical matter, that's certainly true for the short to medium term, but it doesn't follow that the IETF should standardize the practice. To follow-up on Brandon's note about Google's use of ARC, it's bigger than mailing lists and so is this problem. It's any intermediary that modifies a message in such a manner that DKIM fails (SPF is only useful for direct source ADMD to destination ADMD tranmissions). I suspect that by hyper focusing on mailing lists, we're missing part of the problem. Scott K _______________________________________________ dmarc mailing list dmarc@ietf.org https://www.ietf.org/mailman/listinfo/dmarc