On 2024-02-04 23:02:31 (+0800), Matus UHLAR - fantomas via mailop wrote:
> > On 02.02.24 at 16:08, Mark E. Jeftovic via mailop wrote:
> > > We're having a bit of a theological debate internally on whether to
> > > implement DMARC on our SRS forwarder domains.
>
> On 02.02.24 16:26, Kai Bojens via mailop wrote:
> > Skip SRS and implement ARC for forwarded e-mails. This should solve
> > all these problems.
>
> Does anyone blindly trust ARC signatures from random domains?
>
> I find it a huge difference between DKIM signatures (I sign this mail
> being from my domain) and ARC signature (I sign that this mail was
> received from whitehouse.gov properly verified and signed).

We don't blindly trust DKIM signatures either. DKIM is only one signal.

In practice, in 2024, forwarding predominantly happens on the final hop
before the mailbox. The mailbox provider can see that their users x, y,
and z are receiving a lot of email addressed to
{x,y,z}@alumni.example.edu, all of it with valid ARC signatures from
alumni.example.edu. Given an appropriate sample size, those signatures
begin to become trustworthy.

Mailbox providers can also provide a user interface for marking ARC
domains as trustworthy. Similar to how some mailbox providers allow
users to allowlist their forwarders for SPF checks.

Of course, the largest mailbox providers will continue to feed the
signal into their opaque reputation machinery, so it's anyone's guess
what will happen there.

Philip
_______________________________________________
mailop mailing list
mailop@mailop.org
https://list.mailop.org/listinfo/mailop
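
The local-policy idea in the reply above (sample size per mailbox plus a user allowlist), sketched as an added example that is not part of the original thread or any mailbox provider's code. The class name, the thresholds, and the assumption that the receiver already knows its own ARC validation result and the original recipient address are all hypothetical.

```python
from collections import defaultdict

# Assumed local-policy thresholds; the thread gives no numbers.
MIN_SAMPLES = 20
MIN_PASS_RATIO = 0.95

class ForwarderTrust:
    """Per-mailbox history of ARC sealers seen on forwarded mail."""

    def __init__(self):
        self.stats = defaultdict(lambda: [0, 0])  # (mailbox, sealer) -> [passes, total]
        self.allowlist = set()                    # (mailbox, sealer) picked by the user

    def observe(self, mailbox, sealer, arc_result, orig_rcpt):
        """Record one delivery. arc_result is this receiver's own ARC chain
        validation outcome; orig_rcpt is the address the mail was first sent to."""
        sealer = sealer.lower()
        # Count only mail first addressed to the sealer's own domain, i.e. the
        # sealer is plausibly this user's forwarder and not an arbitrary relay.
        if orig_rcpt.rpartition("@")[2].lower() != sealer:
            return
        entry = self.stats[(mailbox, sealer)]
        entry[1] += 1
        entry[0] += arc_result == "pass"

    def allow(self, mailbox, sealer):
        """User marks a sealer as their forwarder for this mailbox."""
        self.allowlist.add((mailbox, sealer.lower()))

    def trusted(self, mailbox, sealer):
        """True if this sealer's ARC results may be used as a signal for this mailbox."""
        key = (mailbox, sealer.lower())
        if key in self.allowlist:
            return True
        passes, total = self.stats.get(key, (0, 0))
        return total >= MIN_SAMPLES and passes / total >= MIN_PASS_RATIO

def demo():
    t = ForwarderTrust()
    # Constructed sample traffic, not real data.
    for _ in range(25):
        t.observe("x@mailbox.example", "alumni.example.edu", "pass", "x@alumni.example.edu")
    for _ in range(3):
        t.observe("x@mailbox.example", "random.example", "pass", "x@random.example")
    # A valid seal from a domain the mail was never addressed to is not counted.
    t.observe("y@mailbox.example", "random.example", "pass", "y@alumni.example.edu")
    t.allow("z@mailbox.example", "alumni.example.edu")
    return t
```

A `True` from `trusted()` only means the sealer's ARC results are admitted as one input to filtering for that mailbox; it is not a delivery decision.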