On 11/23/20 6:04 PM, John Levine wrote:
In article <e8e1d300-fbe7-6d10-c15f-30c29ab74...@mtcc.com> you write:
What I'm struggling to understand is what having authenticated auth-res
>from a previous hop helps. this is what i found:
See some of the previous messages. My usual example is a mailing list
message that fails DMARC at the final recipient but passed DMARC (as
recorded in AAR) when it arrived at the list. This lets the final
recipient distinguish between real messages from subscribers and mail
from spambots that happened to scrape both the list address and some
subscribers' address and sends mail to one pretending to be from the
other. (That definitely happens, I've seen it on lists I'm on.)
I agree that the ARC document does not do a great job of explaining that.
It would be kind of nice to understand what gap ARC actually plugs and
why it's important if you ask me. Also: there seem to be a lot of ways
to achieve this, but this one is probably the most complicated one that
I can envision.
If you want to pass the A-R results through multiple rounds of
forwarding, you can't do much less.
Sorry, changing the auth-res to old-auth-res and dkim signing the
message would be completely sufficient, and far easier to understand
with a lot less bloat. All of this hand wringing about dozens of message
manglers in the path before it get to the destination and not be able to
figure out which auth-res was which seems wildly out of proportion for
what the normal case is: 1 message mangler in the path before it arrives
at the receiver's domain. Just like this message right here. That's why
I asked how common that was, which was dismissed, but not answered.
Mike
_______________________________________________
dmarc mailing list
dmarc@ietf.org
https://www.ietf.org/mailman/listinfo/dmarc
