Our solution approach is binary: either we fix the list problem by doing
less authentication, which is Barry's proposal, or we fix the list problem
by doing alternate authentication.  Alternate authentication is the one
we need to pursue, because the other approach has already been rejected by
too many participants.


List traffic needs to be evaluated based on the list's own reputation.  The
MailFrom address cannot accomplish this result on its own.  From munging
provides the necessary trigger to ensure that all evaluators will use the
list domain reputation.  This is upward and backward compatible with all
evaluators.

The secondary but largely independent problem is the user experience caused
by From munging.  Until recently, we had no solution to this.  We also had
the related objection that From munging fixes DMARC by deception.  ARC
addresses both of these issues.  ARC provides the information needed to
reverse the munging, which means that evaluators can solve the user
experience problem.  ARC also provides data so that the forwarding event is
well documented, so there is no deception.

From munging does mean that the list takes full responsibility for the
message, and consequently the list takes the reputation hit if unwanted
traffic is forwarded.  Some posts have suggested that lists think they can
presently dodge that risk somehow.  I say they bear that risk already.

Ideally, all forwarding should be pre-approved.  The forwarder needs to
know that the traffic is wanted and will be accepted.  So we need more
than From munging and ARC-derived un-munging.  But this combination is a
start.

Doug

On Sun, Jul 9, 2023, 12:27 AM Murray S. Kucherawy <superu...@gmail.com>
wrote:

> On Fri, Jul 7, 2023 at 6:35 PM Douglas Foster <
> dougfoster.emailstanda...@gmail.com> wrote:
>
>> Consequently, the problem remains: How does an evaluator distinguish
>> between a legitimate list and a malicious attack?
>>
>
> If we had a reliable answer to that, this would've been over ages ago.
> Unfortunately, any mechanism we create for lists to distinguish their
> traffic can be trivially co-opted by bad actors.
>
>
>> My answer:  Lists need to use From munging to avoid DMARC FAIL, and hope
>> that sophisticated evaluators will use ARC data to un-mung before delivery.
>>
>
> Someone else asserted that lists have been dealing with DMARC damage by,
> among other things, rewriting From fields for some years now.  Let me pose
> a couple of questions to list operators and developers and those friendly
> to those audiences:
>
> 1) Are list operators and developers tolerating this situation,
> temporarily, because they think this crew is going to come up with a less
> disruptive permanent solution to which they expect to migrate one day?
>
> 2) If not, have they resigned themselves to such things as From rewriting
> as the way of the future?
>
> 3) If so, how big (or small) is the set of DMARC accommodations on which
> they seem to be converging?
>
> -MSK, participating
>
_______________________________________________
dmarc mailing list
dmarc@ietf.org
https://www.ietf.org/mailman/listinfo/dmarc
