On Tue 21/Jun/2022 15:40:51 +0200 John Levine via mailop wrote:
> According to Alessandro Vesely via mailop <ves...@tana.it>:
>>> "Some responsibility" is quite a long way from "ownership". It was phrased to
>>> refer to any sort of handling or even analysis involvement.
>>
>> Yet, ARC sounds like a way to permit an organization to claim /somewhat less/
>> responsibility for a message.
>
> People who should know have told me that the main use case for ARC is
> to deal with poor spam filtering on mailing lists. It is pretty common
> for lists to forward all the mail that arrives with a subscriber's
> address on the From: line with little if any further filtering. That
> works fine except when it doesn't, either a subscriber's account is
> compromised or more commonly someone else's address book got stolen
> and spam happens to put the subscriber's address on the From: line and
> the list on the To:.

It would be enough to have all subscribers set p=reject in order to prevent
that kind of spoofing. Unfortunately, one cannot set different policies for
different recipients, and setting p=reject for all sounds hazardous.

> ARC allows subsequent recipients to look back and do retroactive
> filtering. For most purposes it would be adequate if you know the
> sources that send list mail (large systems all do, small ones generally
> don't have very many) and allow mail with DMARC failures if the ARC
> chain says the DMARC was valid on the way in.

The same is true for plain forwarding.

Mail forwarded by gmail, for example, has an X-Google-DKIM-Signature but is not
otherwise DKIM-signed. It is ARC-sealed. (Brandon Long explained why a couple
of years ago[*]). If plain forwarding exceeds mailing list traffic, we could
say the main use case is this.

Best
Ale
--
[*] https://mailarchive.ietf.org/arch/msg/dmarc/4luaOQ9ZOALnHkc7TPbeA5Yru7Y
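
The local policy discussed in this thread (allow a DMARC failure when a known list's ARC chain recorded a DMARC pass on the way in), as an added example that is not part of the original message or of any mail system's own code. Assumptions: the domain names and `LOCAL_AUTHSERV_ID` are hypothetical, the receiver's own verifier has already validated the chain cryptographically and recorded `arc=pass`, and requiring every sealer to be trusted is a choice made for this sketch.

```python
import re
from email import message_from_string

# Assumptions for this sketch: hypothetical names, not taken from the thread.
TRUSTED_SEALERS = {"lists.example.org"}
LOCAL_AUTHSERV_ID = "mx.receiver.example"

def _tags(value):
    """Parse a 'k=v; k=v' tag list as used in ARC-Seal."""
    return dict(p.strip().split("=", 1) for p in value.split(";") if "=" in p)

def decide(raw_message):
    msg = message_from_string(raw_message)
    # Use only the Authentication-Results written by our own verifier.
    local = next((h for h in msg.get_all("Authentication-Results", [])
                  if h.split(";")[0].strip() == LOCAL_AUTHSERV_ID), "")
    if re.search(r"\bdmarc=pass\b", local):
        return "accept"
    if not re.search(r"\barc=pass\b", local):
        return "apply-dmarc-policy"      # chain missing or failed validation
    sealers = {_tags(h).get("d", "").lower() for h in msg.get_all("ARC-Seal", [])}
    if not sealers or not sealers <= TRUSTED_SEALERS:
        return "apply-dmarc-policy"      # sealed by a source we do not know
    # What did the first hop (i=1) record when the message came in?
    for h in msg.get_all("ARC-Authentication-Results", []):
        if re.match(r"\s*i=1\s*;", h) and re.search(r"\bdmarc=pass\b", h):
            return "accept-arc-override"
    return "apply-dmarc-policy"

def sample(sealer, first_hop_dmarc):
    """Constructed message; signature values are placeholders, nothing is verified."""
    return (
        f"Authentication-Results: {LOCAL_AUTHSERV_ID}; dmarc=fail header.from=author.example; arc=pass\n"
        f"ARC-Seal: i=1; a=rsa-sha256; cv=none; d={sealer}; s=sel; t=1655818851; b=PLACEHOLDER\n"
        f"ARC-Authentication-Results: i=1; {sealer}; dmarc={first_hop_dmarc} header.from=author.example\n"
        "From: subscriber@author.example\nSubject: list post\n\nbody\n")

if __name__ == "__main__":
    for sealer, seen in [("lists.example.org", "pass"), ("lists.example.org", "fail"),
                         ("unknown.example", "pass")]:
        print(sealer, seen, "->", decide(sample(sealer, seen)))
```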