On Wednesday, February 10, 2016 07:17:31 AM Roland Turner via dmarc-discuss wrote:
> Scott,
>
> You're [still!] confusing multiple conceptions of trust, including at least:
>
> 1) trust in the intention and ability of multiple upstream forwarders to
> ARC-sign correctly,
> 2) trust in the lack of intention to abuse by the
> organisation at the other end of the SMTP connection, and
> 3) trust in the
> intention and ability of the organisation at the other end of the SMTP
> connection to make exactly the same decision about disposition of a
> particular message (in fact: of all messages) as you would.
>
> Implicit in (3) are two additional assumptions that may or may not be true:
> a) that the organisation at the other end of the SMTP connection has exactly
> one level of confidence in message disposition (this is patently not true;
> larger senders/forwarders routinely maintain discernibly separate pools in
> order to help receivers make better choices), and
> b) that you have exactly
> one level of confidence in message disposition (this may well be true of
> you personally as it is of me, but it certainly isn't for larger
> forwarders).
>
> For larger receivers, the ability to see upstream (only possible when they
> trust at least one of the upstream intermediaries to ARC sign correctly)
> allows better decision-making (e.g. about DMARC overrides) than does your
> apparent "the organisation at the other end of the SMTP connection is
> good/bad" dichotomy. Note in particular that the ability to test ARC
> signatures from forwarders upstream of the organisation at the other end of
> the SMTP connection allows for DMARC overrides to happen, specifically, in
> the situation where the receiver doesn't trust the organisation at the
> other end of the SMTP connection. Adding ARC makes this possible more
> frequently than DMARC+SPF+DKIM does.

I see your point, but I'm still not sure what it buys you. Without your #2, #1 is irrelevant, and #3 is, given #2, not a big deal I don't think.

As for a) and b), while that's certainly true (that large senders have different levels of quality messages sent from different pools), that's trivially discernible from IP reputation data if you have a large volume of it.

So I hear what you're saying, but it doesn't change my mind. I guess if the large providers think this is useful, then meh, OK, but I think it's pretty clearly not for anyone else and I am a little surprised they don't have equally good ways to solve the problem already deployed.

Scott K
_______________________________________________
dmarc-discuss mailing list
[email protected]
http://www.dmarc.org/mailman/listinfo/dmarc-discuss

NOTE: Participating in this list means you agree to the DMARC Note Well terms (http://www.dmarc.org/note_well.html)
