Scott Kitterman <skl...@kitterman.com> writes:

> How do you define "First Hop" without enabling spoofers to trivially
> bypass DMARC checks by forging more than one hop of headers?

It wouldn't matter. Sensible mailing lists would reject non-first-hop mails for domains with p=validate. Spoofers can still spoof directly, but they cannot use mailing lists to spread their spoofed mails. This is a marked upgrade from p=none which most domains are forced to use at the moment.

Then as infrastructure improves, recipients will start to reject incoming non-first-hop mail with p=validate if it does not have a valid ARC header.

/Benny

_______________________________________________
dmarc mailing list
dmarc@ietf.org
https://www.ietf.org/mailman/listinfo/dmarc