On 02.02.24 16:26, Kai Bojens via mailop wrote:
Skip SRS and implement ARC for forwarded e-mails. This should solve all these problems.

On 2024-02-04 23:02:31 (+0800), Matus UHLAR - fantomas via mailop wrote:
Does anyone blindly trust ARC signatures from random domains?

I find it a huge difference between DKIM signatures (I sign this mail being from my domain) and ARC signature (I sign that this mail was received from whitehouse.gov properly verified and signed).

On 05.02.24 07:45, Philip Paeps via mailop wrote:
We don't blindly trust DKIM signatures either.  DKIM is only one signal.

Yeah, but validating a domain using DKIM is different than verifying ARC.

In practice, in 2024, forwarding predominantly happens on the final hop before the mailbox. The mailbox provider can see that their users x, y, and z are receiving a lot of email addressed to {x,y,z}@alumni.example.edu, all of it with valid ARC signatures from alumni.example.edu. Given an appropriate sample size, those signatures begin to become trustworthy.

I would only use ARC signatures for evaluating BAYES score of such mail.

Mailbox providers can also provide a user interface for marking ARC domains as trustworthy. Similar to how some mailbox providers allow users to allowlist their forwarders for SPF checks.

That's my point - until an ARC sealer is marked as trusted, its seals are of low value, if any. I can verify DKIM and consider the sender to be verified, look up in dnsbl/dnswl, but this doesn't apply to an ARC signature.

Of course, the largest mailbox providers will continue to feed the signal into their opaque reputation machinery, so it's anyone's guess what will happen there.

I perhaps could trust sealers listed at:
https://github.com/trusteddomainproject/ARC_Community_Sealers

Those are 2 files with 34 domains total, updated 4 and 6 years ago.
... perhaps only the community_sealer_whitelist (11 domains).


I still think implementing SPF and SRS gives more value than ARC.

--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
There's a long-standing bug relating to the x86 architecture that
allows you to install Windows.   -- Matthew D. Fuller
_______________________________________________
mailop mailing list
mailop@mailop.org
https://list.mailop.org/listinfo/mailop
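
The trust question discussed in this thread, as an added example that is not part of the original message: a receiver-side policy that honors upstream ARC results only when the chain is structurally sound and every sealer is on a local allowlist. The sample message, the `TRUSTED_SEALERS` set, the function names and the all-sealers-must-be-trusted policy are assumptions of this sketch; cryptographic verification is assumed to be done elsewhere and passed in as `arc_verified`.

```python
import email
import re

# Constructed sample: mail forwarded by alumni.example.edu (the thread's example domain).
# b=/bh= values are placeholders; nothing here verifies signatures cryptographically.
SAMPLE = """\
ARC-Seal: i=1; a=rsa-sha256; cv=none; d=alumni.example.edu; s=arc1; t=1707100000; b=PLACEHOLDER
ARC-Message-Signature: i=1; a=rsa-sha256; d=alumni.example.edu; s=arc1; h=from:subject; bh=PLACEHOLDER; b=PLACEHOLDER
ARC-Authentication-Results: i=1; alumni.example.edu; dkim=pass header.d=sender.example
From: someone@sender.example
To: x@alumni.example.edu
Subject: constructed test message

body
"""

TRUSTED_SEALERS = {"alumni.example.edu"}  # hypothetical local allowlist

def tags(value):
    """Parse a 'k=v; k=v' tag list as used in ARC-Seal headers."""
    return dict(m.groups() for m in re.finditer(r"(\w+)\s*=\s*([^;\s]+)", value))

def arc_decision(raw, arc_verified, trusted=TRUSTED_SEALERS):
    """Return (honor_upstream_results, reason).
    arc_verified: outcome of the local cryptographic ARC check (assumed input).
    Policy assumption: every sealer in the chain must be allowlisted."""
    msg = email.message_from_string(raw)
    seals = {}
    for v in msg.get_all("ARC-Seal", []):
        t = tags(v)
        if not t.get("i", "").isdigit() or int(t["i"]) in seals:
            return False, "malformed or duplicate ARC set"
        seals[int(t["i"])] = t
    if not seals:
        return False, "no ARC chain"
    if sorted(seals) != list(range(1, max(seals) + 1)):
        return False, "instance numbers not contiguous"
    for i, t in seals.items():
        if t.get("cv") != ("none" if i == 1 else "pass"):
            return False, f"bad cv at i={i}"
    if not arc_verified:
        return False, "chain failed local verification"
    untrusted = sorted({t.get("d", "").lower() for t in seals.values()} - set(trusted))
    if untrusted:
        return False, "untrusted sealer(s): " + ", ".join(untrusted)
    return True, "honoring results sealed by " + seals[max(seals)]["d"]
```

A `False` result means the ARC chain contributes nothing to the decision, so the message falls back to ordinary SPF/DKIM/DMARC evaluation.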