Hi all,

We've been making use of ARC to help with forwarded mail. One thing we've noticed is differences for when some forwarders generate the ARC headers. Another concern is that we've seen spammers attempt to manipulate ARC headers.

1) ARC could benefit from more refinement of interop such as when to generate ARC headers e.g. if the message appears spammy? and how should the ARC-Authentication-Results be reported if there is a local policy override? Would it be helpful to clarify this with a BCP?

2) Considerations on what to do about ARC header spoofing and replay. I have an I-D https://datatracker.ietf.org/doc/draft-chuang-replay-resistant-arc/ that outlines some ideas on mitigating that (particularly the "SeRCi" idea) as one starting point. (In case it matters I should point out the DARA idea in the draft is more oriented towards DKIM).

-Wei
_______________________________________________ dmarc mailing list dmarc@ietf.org https://www.ietf.org/mailman/listinfo/dmarc