Re: [dmarc-ietf] ARC questions

Todd Herr <> Mon, 23 November 2020 18:34 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 428143A0C25 for <>; Mon, 23 Nov 2020 10:34:48 -0800 (PST)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -0.198
X-Spam-Status: No, score=-0.198 tagged_above=-999 required=5 tests=[DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: (amavisd-new); dkim=pass (2048-bit key)
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id i1DwjBaO9D-3 for <>; Mon, 23 Nov 2020 10:34:46 -0800 (PST)
Received: from ( [IPv6:2607:f8b0:4864:20::836]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by (Postfix) with ESMTPS id 49C053A0C23 for <>; Mon, 23 Nov 2020 10:34:46 -0800 (PST)
Received: by with SMTP id e10so6635258qte.4 for <>; Mon, 23 Nov 2020 10:34:46 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=google2048; h=mime-version:references:in-reply-to:from:date:message-id:subject:to; bh=OHwNXCn4335iUdg7IIse9LBp3Y+nFAMnhqEsdYhrA5I=; b=VUYLfk/dlrDGOa2stMpYDbQqECfl8KSqZle4iwRvmrnBIE4Wl9cAipwsVIhIQNYxIw 5EqkUFaLD2WLBSu6d4MybiLAVEqgwiUhoiTj3AVbUZdOKw1Ud/NaRaU3nG1V982/kgkM yQsRTQq+OIg1h/K3g1hfJwMsTRCe1YycJKjeQWlQnFA6f5sgpjieE3xCyNtIadrIouLY qNMnaZL0QcJ/kPSY3NjYf/TLfkKkuNgADWCESNYwKyocounzvjrJVPPRDlowgMyZnERo mz/I2EC6lMhSDRJ3lsZSfQ99ZrMt+1CQouwQ81+Yg6MHvK6vTjRu2c8rvv55HK2wFkw9 UKHA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to; bh=OHwNXCn4335iUdg7IIse9LBp3Y+nFAMnhqEsdYhrA5I=; b=OV/gSWAwuHoTSw058dpxxuy4x3+Uzjem4YwCBuuvGaXlezC+PMp6JxRSKpnZCdAxXq j6bf5GhUQ3R8Y4I2V/a1JmKLD+ewIW7ob5sOVQIumErGB5QaoWaWHKMB28O8UGz4TU+y Xxl5MLY3fX3gVVb240wJdr+sHGynW7SubQdpHHOQ12xfh7X7fHwqkYk0G7lmBln6JGRB D1pX6FftRC/H7S6b1LBQwhPbDDIwYTUKoijMyi6pEuVRuXV7Nu6k9gbuKHr2XWfG8YVJ 3+rhyghOpPl5wyDctw5vbRSmjyz9e4oeXirV8zYeh2Z0ouWA7nRVlZZ8SAhwuE/b2u4+ fY+A==
X-Gm-Message-State: AOAM530VbzDoQ7dOOkOCvXajz0FxEJzpSz4j0QRTrF/tCt49cst8mkne wXx3zPnO8fDx8+u8j9QSx310C1nuOtpohu1vndBp+Bc7ym9GqQ==
X-Google-Smtp-Source: ABdhPJxutpRPKa11zu9c+W9E5DpXqL82IQiqMl1uAnoxs5PpmuJ4axAElOx+ewd2a9dmr4TNGMsNXZTgDVedDvHwV+Y=
X-Received: by 2002:aed:3ff1:: with SMTP id w46mr435258qth.83.1606156484891; Mon, 23 Nov 2020 10:34:44 -0800 (PST)
MIME-Version: 1.0
References: <> <20201122021417.B5E6E27B3E59@ary.qy> <> <> <> <>
In-Reply-To: <>
From: Todd Herr <>
Date: Mon, 23 Nov 2020 13:34:28 -0500
Message-ID: <>
To: "" <>
Content-Type: multipart/alternative; boundary="000000000000bc6fee05b4ca72fe"
Archived-At: <>
Subject: Re: [dmarc-ietf] ARC questions
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "Domain-based Message Authentication, Reporting, and Compliance \(DMARC\)" <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Mon, 23 Nov 2020 18:34:48 -0000

On Mon, Nov 23, 2020 at 12:02 PM Dave Crocker <> wrote:

> On 11/23/2020 7:38 AM, Todd Herr wrote:
> On Mon, Nov 23, 2020 at 9:50 AM Joseph Brennan <>
> wrote:
> On Sat, Nov 21, 2020 at 7:14 PM John Levine <> wrote:
>>> This also means that ARC isn't useful if you don't have a reputation
>>>> system to tell you where the lists and other forwarders that might add
>>>> legit ARC signatures are.
>> And if you know which hosts are legit mailing lists or forwarders, you
>> already know what ARC would tell you.
> I believe, though, that the intent of ARC is that it be scalable in ways
> that manual enumeration of known legit mailing lists and forwarders is not.
> "if you know which hosts are legit" buries an assumption that is
> problematic, namely that you know who handled the message.  The fack that a
> message purports to be handled by a mailing list you trust does not mean it
> actually was.
> That's the issue that ARC resolves.
> ARC (and DKIM) produce noise-free uses of identifiers.  If the
> authentication validates, the receiver knows is really was handled by who
> is saying it was handled by.  Without these, you don't.
> Yes, but knowing it really was handled by who is saying it was handled by
isn't the entirety of the problem.

I can know from ARC headers that X handled the message and what email
authentication checks X purports to have done when handling the message and
what results X claims to have obtained. What I have to decide in that case
is "do I trust X to record correct and valid results?" because the answer
to that question will impact my disposition of the message when it reaches

It's obviously not the place of the ARC protocol spec to proscribe how
trust in ARC results can be determined, but without some system in place
for assigning trust levels to ARC Sealers, ARC has limited utility for
sites that serve as the terminal destination for a message.


*Todd Herr* | Sr. Technical Program Manager
*p:* 703.220.4153

This email and all data transmitted with it contains confidential and/or
proprietary information intended solely for the use of individual(s)
authorized to receive it. If you are not an intended and authorized
recipient you are hereby notified of any use, disclosure, copying or
distribution of the information included in this transmission is prohibited
and may be unlawful. Please immediately notify the sender by replying to
this email and then delete it from your system.