On Tue 28/Sep/2021 13:04:19 +0200 Douglas Foster wrote:
Stated another way, the problem with ARC is that it requires the evaluator to attribute a positive reputation to the forwarder, in a context where even identifying the forwarder can be difficult.


Exactly. To use ARC you need to be a global mailbox provider; that is, have a perfect knowledge of mail servers worldwide. Note that you don't need ARC or DMARC to stop phishing if you are in such a position.


Most email is accepted on a much weaker criterion - the absence of negative reputation.

That's not so reliable, because 0-day debutantes would escape that filter.


Mailing lists actually deserve an above-average reputation, because their messages are pre-filtered based on identity and content before being forwarded. But because they preserve the author address, list messages appear to be a random mail stream containing normal threat risks. From-rewriting of all list messages would allow the list to be evaluated based on the list reputation, rather than the random reputations of the list members.


I don't think so. In fact, at the time being, global providers are the only ones who are able to maintain a reliable reputation database. Using ARC, they could ascribe to the list the reputation it deserves, irrespective of From: rewriting.

Besides lists, many forwarders do some filtering on what they forward. With 20/20 global sight, ARC users can accurately reckon the reputation of the forwarder as well as that of the author's domain. IMHO, maintaining reputation databases that way is the only good use one can make of ARC. You can ARC-sign a message to enforce authentication without claiming "some responsibility" (or claiming less responsibility) for it.


Best
Ale

_______________________________________________
dmarc mailing list
dmarc@ietf.org
https://www.ietf.org/mailman/listinfo/dmarc
