Re: [dmarc-ietf] DMARC and ARC

"Murray S. Kucherawy" <> Mon, 07 December 2020 05:15 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id A05C33A100D for <>; Sun, 6 Dec 2020 21:15:47 -0800 (PST)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -2.098
X-Spam-Status: No, score=-2.098 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: (amavisd-new); dkim=pass (2048-bit key)
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id 9c03YABzWLJa for <>; Sun, 6 Dec 2020 21:15:46 -0800 (PST)
Received: from ( [IPv6:2607:f8b0:4864:20::931]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by (Postfix) with ESMTPS id E4A2E3A100C for <>; Sun, 6 Dec 2020 21:15:45 -0800 (PST)
Received: by with SMTP id s23so1232382uaq.10 for <>; Sun, 06 Dec 2020 21:15:45 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=Qfrpw2o6kFZx4+WoOa9W9LA1ckoTGUPZWHp2ROCoQ8s=; b=qAUciJrke/o+VBIjm0EzbTaNgmWv/z6vYswbiClFpcPzmH3lZbVXaVwXSBkW314+kW F886BRBBNjiQyjwW6JjMXMctcMdFNOZ/DjOBplpxdIw3VcCadQdN1V/pe/5sbGfD/qHq kCDhp5e30lNl4WW0s3x6I/uqp3112ZjSGz2BPBd9HMmLL/ee7Z1sdbFrXpsdrD7S4kG4 fE4BOM10QE5jfmPMa9quaBzkh7pavrRr67n+LsnfSoSL/m4EwVN/UjP7u6psVuiPpfpc cDhlluY+DnLWQam/P9U7pPIeuEbRHWqioxqMbHfJyy6pXek9az0seeKxJO8ensCUjNmD jfkw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=Qfrpw2o6kFZx4+WoOa9W9LA1ckoTGUPZWHp2ROCoQ8s=; b=Gs1R9bAE+/eRcAYEx0fbKul6OQtVNnGL/r+UYlDNAJWUoQm/tCVJ1/uuVvAULwNCtT igknaKthg6274venWhxLRvtMuxpWBAIHVx3apauHT3QG2EXzhbVV/FXtK2FxhH9U4azg eRm9py+jX5Uk41tx/Ywdwdhv1Ggz6b5YYtBu3AmeyAwNt6wijYEa3fC0h9gaRzKoMVas 59KKLJ8KClO1SITf1s32kF0UFZhL0mC/5QLURXYq4tOki9vnKnTwKiICHbaR1twcFtuN ZF1mxr4+1HEa4VGx7V5MmxKt+fkIySVuTyOAmrZiB0XKmhyhtkrGyqKHzU4ahFNenIof TqKA==
X-Gm-Message-State: AOAM533Au6zQqO0+hS6+Nbd48j74Ai+PciQBnhBKjeQiCRqIURWP9it9 /Zs81CZE+VM604Y/3/zExYV/b7RMigw1U29Sx7udUK4+
X-Google-Smtp-Source: ABdhPJxcMuktbHy2VPHOB8EkSHF44k9vcqjEsl9G99VmRWPH6GPDNcnQp0uhv/BrXw/xPDgQB3wMKsufUP9vDhxqdRw=
X-Received: by 2002:ab0:2997:: with SMTP id u23mr4965951uap.67.1607318144661; Sun, 06 Dec 2020 21:15:44 -0800 (PST)
MIME-Version: 1.0
References: <>
In-Reply-To: <>
From: "Murray S. Kucherawy" <>
Date: Sun, 6 Dec 2020 21:15:32 -0800
Message-ID: <>
To: Douglas Foster <>
Content-Type: multipart/alternative; boundary="0000000000000dbac405b5d8eb1a"
Archived-At: <>
Subject: Re: [dmarc-ietf] DMARC and ARC
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "Domain-based Message Authentication, Reporting, and Compliance \(DMARC\)" <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Mon, 07 Dec 2020 05:15:48 -0000

On Fri, Dec 4, 2020 at 7:58 PM Douglas Foster <> wrote:

> First, lets begin with the obvious:   malicious messages come from
> enterprises that are in the malicious message business.   They rarely send
> just one message, and their content changes continually.   Therefore, my
> priority is to block malicious sources.   Messages that are correctly
> blocked on content, rather than source, are the canary-in-the-mine which
> warns me that my sender blocks need to be tightened.

I was under the impression from my work in the anti-spam world that sources
also change.  It's trivial to come from a new IP address or sign with a new
domain name when I think you're blocking me.  Thus, negative reputations
are generally not useful to accumulate long term.  On the contrary, the
thing that's mostly reliable is static sources that have good reputations,
because they tend to remain (mostly) static, and they work to preserve
their reputations.  I tend to give them preferential treatment.

If a message is not forwarded, every organization involved in its delivery
> is assumed to have a relationship to the sender and therefore a shared
> responsibility for the final product.   DMARC, SPF, and many spam filters
> assume that the adjacent MTA is the only source that needs to be evaluated.
This seems overly general.  A message going from A to B to C to me here at
Gmail means Gmail has a relationship with A?

Forwarding introduces an intermediary organization which presumably
> operates on behalf of the recipient, rather than the sender.   It is not
> involved in the creation of the message and has no economic relationship
> with most of the message sources.   More importantly, because it will be
> forwarding messages from sources with a variety of reputations, the
> forwarder will be perceived as having a very unreliable reputation –
> sending both very much unwanted content and very much wanted content from
> the same or overlapping identifiers.   SPF and DMARC force the forwarder to
> reliably identify itself, but in this process, they force the forwarder to
> hide information that the receiving MTA needs for proper message
> filtering.  This aggravates any effort to filter based on original-source
> identity.
I'm also confused here, because it's ambiguous what you mean by Forwarder.
Some forwarders simply replace the envelope and send the message on its way
with no body modifications and only trace header field changes.  They don't
meet the definition you're describing because no details are hidden.
Others, like MLMs, may mutate the message and re-post it, but I would argue
that's not forwarding, that's a new message; the list is the originator.