On Sun 22/Feb/2026 02:27:06 +0100 Richard Clayton wrote:
> In message <CAH48Zfwx0eSOEof9V73j+omeyph2=pcv0wrb3fhvnoaajnc...@mail.gmail.com>, Douglas Foster <[email protected]> writes
>
>> Auto-forwarding creates reputation risk and information leakage risk to the forwarding organization, so it should be approved by sending domain administration.
>
> for large sending systems (and most smaller ones) that just isn't going to happen... there is a proposal floating around (which may make it to the IETF in due course) to authenticate sign-ups to newsletters &c which will be valuable, but that is in a different space


That's interesting.  Any pointer?


[...]

>> On Sat, Feb 21, 2026 at 9:08AM Tero Kivinen <[email protected]> wrote:
>>
>>> Such trust does not exist.
>
> I am a great believer in NSA's definition of trust .. a trusted component is one that will screw you over when it breaks.


:-)


> Hence trust is not something to aim for, but something to avoid whenever that might be possible.

Yet, global trust is what the ARC specification aimed for since the beginning.

In Aug 2020, Todd wrote to arc-discuss:

    As to why you would trust the mailing list server, in my opinion, that's
    one of the bigger challenges that the community is still wrestling with.
    ARC is an attempt to capture authentication check results observed in
    transit for a message, with the goal being to mitigate failures that might
    occur due to the message transiting multiple hops, and ensure that messages
    that pass through mailing lists or other intermediaries can still be
    accepted. Whether to trust ARC header sets, however, is an individual
    decision for each domain to make, and there's no consensus white list at
    this time.

And that's precisely why ARC failed. But it is not trust in general that should be avoided. There's no point in verifying a signature if it doesn't provide any trust signal. The type of trust Tero claims doesn't exist is the one tied to global reputation. Large providers handle different types of mailing; you cannot trust everyone or no one. There should be specific agreements that signatures reference.


Best
Ale
--





_______________________________________________
dmarc mailing list -- [email protected]
To unsubscribe send an email to [email protected]