This keeps reducing to the previous case.  If you know what senders
you trust, why do you need the OAR header?

OAR and the signed mailing list mean that I trust the mailing list to have
properly checked the original validation.

True, but if you trust the mailing list that far, how likely is it
that the OAR will tell you anything bad?

Here's a thought experiment: let's say you have a nice trustworthy
list, they're sending you OAR, you deliver all their mail and the
complaint rate rounds to zero.  I expect there will be a fair number
of lists like that.

Now you find out that the OAR headers are fake. (They're not sending spam, they're just not reporting the real inbound DKIM or SPF.) Other than that nothing's changed, they're sending the same mail and the complaint rate still rounds to zero. Should you handle their mail differently? If so, why?

R's,
John

PS: Are there in fact any ISPs that pay attention to OAR? I could easily add it if it made them happy.

_______________________________________________
dmarc mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dmarc
