> If a domain publishes p=reject, they’re requesting particular handling of a
> message they originate. ARC modifies that, which is good for mailing lists
> and similar intermediaries, but depends on a list of trusted intermediaries
> that is not under the control of the originating domain. That increases the
> attack surface for DMARC considerably.

Not if the recipients use ARC reasonably, e.g., only on mail from hosts
with a history of not sending botware, use it to see whether a message was
originally aligned. Anyone who misuses ARC is going to have worse spam
leakage than anyone can fix for them.

> The question I have is: Should DMARC have a policy (or policy modifier) that
> says, “Do not accept modifications to this message?” In other words, that the
> originator values the integrity of their messages over deliverability.

Of course not. That's just the tiny gorillas stamping their teensy feet.
Why would anyone expect that the people publishing that flag actually
understood what it meant? Many will just turn it on because someone said
it's "more secure."
A lot of this boils down to what if some entity sends signed valid DMARC
aligned mail but somehow doesn't mean it, e.g., an internal policy says no
mailing lists but their users participate in lists anyway. If they can't
control their own mail system, it is not anyone else's job to do it for
them.
R's,
John
_______________________________________________
dmarc mailing list
dmarc@ietf.org
https://www.ietf.org/mailman/listinfo/dmarc
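
The receiver-side use of ARC described in the reply above, sketched as an added example that is not part of the original message or of any project's code: ARC is consulted only when DMARC fails, only for sealers on a local trust list, and only to learn whether the message was aligned at the first hop. `TRUSTED_SEALERS`, `disposition`, and the sample headers are assumptions constructed for illustration, and cryptographic validation of the chain is assumed to be done by a separate ARC verifier and passed in as `chain_valid`.

```python
import re

# Assumption: sealers this receiver has a good sending history with (local policy).
TRUSTED_SEALERS = {"lists.example.org"}

def tag(value, name):
    """Return the value of a `name=value` tag in a semicolon-separated header."""
    m = re.search(r"(?:^|;)\s*" + re.escape(name) + r"\s*=\s*([^;\s]+)", value)
    return m.group(1).lower() if m else None

def arc_sets(headers):
    """Group ARC-* header values by their instance number (i=N)."""
    sets = {}
    for name, value in headers:
        inst = tag(value, "i")
        if name.lower().startswith("arc-") and inst and inst.isdigit():
            sets.setdefault(int(inst), {})[name.lower()] = value
    return sets

def disposition(headers, dmarc_result, policy, chain_valid):
    """chain_valid: outcome of cryptographic ARC validation done elsewhere
    (assumption: this sketch does not verify signatures itself)."""
    if dmarc_result == "pass" or policy == "none":
        return "deliver"
    sets = arc_sets(headers)
    # Instances must run 1..N with no gaps, otherwise the chain is unusable.
    complete = bool(sets) and sorted(sets) == list(range(1, len(sets) + 1))
    if chain_valid and complete:
        sealers = {tag(s.get("arc-seal", ""), "d") for s in sets.values()}
        first_aar = sets[1].get("arc-authentication-results", "")
        # Every hop must be locally trusted, and hop 1 must have seen DMARC pass.
        if sealers <= TRUSTED_SEALERS and tag(first_aar, "dmarc") == "pass":
            return "deliver"
    return policy  # "reject" or "quarantine", as the originating domain published

# Constructed sample: one mailing-list hop that broke the author's DKIM signature.
SAMPLE = [
    ("ARC-Seal", "i=1; a=rsa-sha256; t=1700000000; cv=none; "
                 "d=lists.example.org; s=arc; b=PLACEHOLDER"),
    ("ARC-Message-Signature", "i=1; a=rsa-sha256; d=lists.example.org; s=arc; "
                              "h=from:subject; bh=PLACEHOLDER; b=PLACEHOLDER"),
    ("ARC-Authentication-Results", "i=1; lists.example.org; "
     "dkim=pass header.d=example.com; dmarc=pass header.from=example.com"),
    ("From", "author@example.com"),
]
```

A sealer that is not on the local list, a chain that fails validation, or a first hop that did not record `dmarc=pass` all fall through to the published policy.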