In article <dcc265f9-a143-5093-eba0-94ee059c7...@mtcc.com> you write: >If I'm a receiver who is going to be making some filtering decisions >based on ARC, I see that it passed by some authenticator along the way >which is fine, but my question is why I should trust that intermediary >in general?
The short answer is that you shouldn't, any more than you should trust random DKIM signatures. When people were designing ARC, it seemd overcomplicated to me. Large mail systems know where all the mailing lists are so why not just whitelist them and be done with it? The answer is that legit lists leak a lot of spam and it is common for a formerly well-behaved list to start spewing spam. Most lists do little filtering beyond verifying that the From: address is a subscriber, so when a spambot steals an address book that contains both the list address and some subscribers to that list, a lot of spam leaks through. ARC lets recipient systems do retroactive filtering that the forwarding system didn't. For example, although the overall error rate of rejecting mail due to SPF -all or DMARC p=reject can be high, on incoming mail to mailing lists both are quite reliable since the kind of forwarding that breaks them is rare in that context. If I ever get around to adding ARC checks to my filters, that's the sort of thing I'll be looking for. This also means that ARC isn't useful if you don't have a reputation system to tell you where the lists and other forwarders that might add legit ARC signatures are. There's been some handwaving about how we might come up with shared DNSWLs of mailing list hosts, but it hasn't happened yet. R's, John _______________________________________________ dmarc mailing list dmarc@ietf.org https://www.ietf.org/mailman/listinfo/dmarc