On Fri 24/Sep/2021 14:57:59 +0200 Douglas Foster wrote:
It also highlights the difficulty of being a forwarder. What to do if a message from a DMARC-enforcing domain sends you a message, does not sign it, and it needs to be forwarded? If you forward anyway, the final recipient may block the message, with or without notification, and blame you. You could apply the Zoho defense, and add your own ARC set, which may or may not be recognized and trusted. The forwarder is in a quandary, because the final recipient (a) may ignore DMARC and want the message even without DMARC PASS, (b) may enforce DMARC and ignore ARC, still blocking the message and blaming you, or (c) may enforce DMARC but honor your ARC set and allow the message because of ARC. Without knowledge of the final evaluator behavior, there is no correct answer.


There is a case (d): final receiver enforces DMARC and ARC, but the forwarder is not among its ARC-trusted senders.

The simple solution is From: rewriting. Note that forwarders should always rewrite the bounce address, for SPF. Instead, rewriting From: can be restricted to unsigned messages from hard-policy domains. It works regardless of ARC implementations.


Best
Ale
--
_______________________________________________
dmarc mailing list
dmarc@ietf.org
https://www.ietf.org/mailman/listinfo/dmarc
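
The restricted From: rewriting described in the message above, sketched as an added example; it is not code from the thread or from any mail software. Assumptions: the forwarder address, treating both p=quarantine and p=reject as "hard policy", the simplified alignment test, and the "via forwarder" display name are illustrative choices, and the caller supplies the DKIM verification results and the DMARC record it looked up.

```python
from email import message_from_string
from email.utils import formataddr, parseaddr

FORWARDER = "forwarder@lists.example.org"   # assumption: the forwarder's own address
HARD_POLICIES = {"quarantine", "reject"}    # assumption: what counts as "hard policy"

def dmarc_policy(record):
    """Return the p= tag of a DMARC TXT record, or 'none' if it is not one."""
    tags = {k.strip().lower(): v.strip().lower()
            for k, _, v in (part.partition("=") for part in record.split(";"))
            if k.strip()}
    return tags.get("p", "none") if tags.get("v") == "dmarc1" else "none"

def aligned(from_domain, dkim_domain):
    """Simplified relaxed alignment: equal or parent/child domains.
    A real check compares organizational domains via the Public Suffix List."""
    a, b = from_domain.lower(), dkim_domain.lower()
    return a == b or a.endswith("." + b) or b.endswith("." + a)

def forward(raw, dkim_pass_domains, dmarc_record):
    """Parse raw, rewrite From: only if the message carries no aligned, verified
    DKIM signature and the author domain publishes a hard policy.
    dkim_pass_domains: d= values the forwarder's own verifier accepted.
    Returns (rewritten, message)."""
    msg = message_from_string(raw)
    name, addr = parseaddr(msg["From"])
    domain = addr.rpartition("@")[2]
    signed = any(aligned(domain, d) for d in dkim_pass_domains)
    if signed or dmarc_policy(dmarc_record) not in HARD_POLICIES:
        return False, msg                     # leave the author's From: intact
    if msg["Reply-To"] is None:
        msg["Reply-To"] = msg["From"]         # replies still reach the author
    label = f"{name or addr.partition('@')[0]} via forwarder"
    del msg["From"]
    msg["From"] = formataddr((label, FORWARDER))
    return True, msg

# Constructed sample input (not taken from the thread).
SAMPLE = ("From: Alice Example <alice@bank.example>\n"
          "To: list@lists.example.org\nSubject: hello\n\nbody\n")
RECORD = "v=DMARC1; p=reject; rua=mailto:dmarc@bank.example"

if __name__ == "__main__":
    for dkim in ([], ["bank.example"]):
        rewritten, msg = forward(SAMPLE, dkim, RECORD)
        print(dkim, rewritten, msg["From"])
```

The bounce address rewrite that the message says forwarders should always do happens at the SMTP envelope level and is outside this sketch.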
