Re: [dmarc-ietf] Overall last-call comments on DMARC

[Tero Kivinen <kivinen@iki.fi>]

Murray S. Kucherawy writes:
>     Some sort of contract or agreement between sender and receiver
>     seems to me to be unavoidable if we want to leverage ARC without
>     having a global domain reputation system.  We don't have a
>     precise method to do that.  We need to experiment and
>     standardize something to that extent, which I hope this WG can
>     do after publishing -bis.
> 
> I know what "contract" means abstractly, but what does this actually
> look like to someone that's looking for specific guidance?  The text
> you have here, by itself, is vague and I don't think many operators
> will know what to do with it.  

For example Fastmail [1] includes per user account configuration that
lists "Forwarding hosts", which affect how they do spam filtering and
whether they trust ARC or not (they do have global trusted ARC list
also).

The M3AAWG forwarding whitepaper will propose that all mailbox
providers should include similar setting, i.e., allow users to
configure which hosts to trust for ARC.

It was already pointed out that forwarding does not happen out of
blue, there is always the user setting it up, i.e., joining the
mailing list, providing the email address for alumni forwarding etc.
When user does that it would also be easy for him to go to the account
settings of whatever mailbox provider he uses and add that ARC host
there.

The mailbox provider could even detect that user is getting emails
that are been forwarded and which have ARC headers, and they could
even ask similar question they do now when you move mails away from
spam folder, i.e., "Not spam", "This email has valid ARC signature for
alumni.university.edu, have you configured this organization for
forwarding emails to you, and if so do you trust this organization for
doing mail authentication checks on behalf of us".

What ARC really offers is that if there is ARC header from
organization you trust, you can check the ARC-Authentication-Results
and use them in addition to your own checks. If for example that
header says SPF was pass, and you trust that domain, then you can
trust that it properly did SPF checks and you can consider using ARC
SPF pass as SPF pass for the email, even when it is now failing.

I do not think there will ever be global trusted ARC signers list, as
I do for example want to trust certain organizations / countries, and
there is no point of me trusting for example microsoft.com ARC
signatures, as there should not be forwarders in microsoft that should
be forwarding emails to me. If there is ARC header signed by microsoft
that header does not have any value for me, but will have some value
for some other people.

Simiarly I will trust iki.fi (non profit email forwarding service in
Finland that will forward all emails I receive to my actual mailbox),
but there is no point of you personally to trust iki.fi ARC
signatures. Mailbox provides might want to trust iki.fi as one of our
30000 members might be using your services, thus adding iki.fi to
trusted forwarders makes thins easier for iki.fi members.

[1] https://www.fastmail.help/hc/en-us/articles/360060591413-Spam-filtering#forwarding

-- 
kivinen@iki.fi