> 9.4. Handling DNS Problems While Validating ARC
>
> DNS failures to resolve or return data which is needed for ARC
> validation SHOULD result in a 421 tempfail during the SMTP
> conversation with the sending system. Temporary or intermittent DNS
> problems will generally not be sufficiently transitory to allow a
> mediator to obtain a different result during the ordinary transit
> duration so it is better to have the source system queue the
> problematic message(s) than to generate (potential) backscatter.
>
> Operators of systems which mediate mail should be aware that broken
> DNS records (or malfunctioning name servers) will result in
> undeliverable mail to any downstream ARC-verifying ADMDs.
>
> DNS-based failures to verify a chain are treated no differently than
> any other ARC violation. They result in a "cv=fail" verdict.
I don't know if SHOULD is the right choice here. For a large percentage of mail, ARC is unnecessary, even when forwarded through an intermediary. The mail will continue to DMARC pass, or the mail will not be for a DMARC p=reject domain. I think that issuing a temp fail instead of a perm fail on a DMARC reject, if the ARC chain may have allowed a local policy override, is useful, but to temp fail all ARC DNS failures may be more harmful than helpful.

I think I used the DNS failure case as a place where cv=fail instead of just not signing was actually more harmful, but that seemed more complicated than others were willing to go.

Of course, passing the DNS failure from a separate ARC milter to a DMARC milter to make that determination is complicated, though in authres terms, we could use an arc=tempfail result to pass that info on.

Brandon

_______________________________________________
dmarc mailing list
dmarc@ietf.org
https://www.ietf.org/mailman/listinfo/dmarc
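To make the two positions in this exchange concrete, the following is an added example (not code from the draft, the list post, or any ARC implementation) that models the SMTP-time decision both ways: the quoted section 9.4 rule, which tempfails on any ARC-related DNS failure, and the narrower alternative in the reply, which tempfails only when the ARC result could actually change a DMARC p=reject outcome. The dataclasses, the `trust_chain` flag standing in for "local policy would honor this sealer's chain", and the `arc=tempfail` Authentication-Results token are assumptions for illustration; `tempfail` is the result name suggested in the reply, not a registered ARC result.

```python
"""Model of ARC/DMARC SMTP-time handling for DNS failures (added example).

The verdict types and function names are assumptions for illustration;
they are not taken from the ARC draft or from any milter.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class ArcVerdict:
    cv: str                     # chain validation: "pass", "fail" or "none"
    dns_tempfail: bool = False  # resolver failed on a record ARC needed


@dataclass(frozen=True)
class DmarcVerdict:
    result: str                 # "pass", "fail" or "none"
    policy: str = "none"        # published p= tag: "none", "quarantine", "reject"


# SMTP reply codes returned by the decision functions
TEMPFAIL = 421   # sender MTA queues and retries, no backscatter generated
REJECT = 550     # permanent rejection
ACCEPT = 250


def draft_section_9_4(arc: ArcVerdict) -> int:
    """Rule as quoted from section 9.4: any DNS failure while validating ARC
    SHOULD yield a 421, whether or not ARC mattered for this message."""
    if arc.dns_tempfail:
        return TEMPFAIL
    # ARC on its own never rejects mail; cv=fail merely removes the
    # possibility of a local policy override later.
    return ACCEPT


def tempfail_only_when_it_matters(arc: ArcVerdict, dmarc: DmarcVerdict,
                                  trust_chain: bool) -> int:
    """Alternative sketched in the reply: only tempfail when the ARC result
    could have let local policy override a DMARC p=reject failure.

    trust_chain (assumed flag): local policy would accept a passing chain
    from these sealers as grounds to override DMARC.
    """
    dmarc_rejects = dmarc.result == "fail" and dmarc.policy == "reject"
    if not dmarc_rejects:
        return ACCEPT            # ARC is unnecessary for this message
    if not trust_chain:
        return REJECT            # chain could never override, DNS is irrelevant
    if arc.dns_tempfail:
        return TEMPFAIL          # the ARC result might matter; let sender retry
    if arc.cv == "pass":
        return ACCEPT            # local policy override applied
    return REJECT                # cv=fail or no chain: DMARC reject stands


def authres_arc_token(arc: ArcVerdict) -> str:
    """Authentication-Results fragment a separate ARC milter could emit so a
    downstream DMARC milter can distinguish a DNS problem from a real cv=fail.
    'tempfail' is the token proposed in the reply, not a registered value."""
    if arc.dns_tempfail:
        return "arc=tempfail"
    return f"arc={arc.cv}"


if __name__ == "__main__":
    # Constructed scenarios, not real traffic.
    forwarded_ok = (ArcVerdict("none", dns_tempfail=True), DmarcVerdict("pass"))
    forwarded_reject = (ArcVerdict("none", dns_tempfail=True),
                        DmarcVerdict("fail", "reject"))
    for arc, dmarc in (forwarded_ok, forwarded_reject):
        print(authres_arc_token(arc),
              "9.4 ->", draft_section_9_4(arc),
              "alt ->", tempfail_only_when_it_matters(arc, dmarc, True))
```

Running the `__main__` block shows the divergence the reply is pointing at: for a message that still passes DMARC, section 9.4 returns 421 while the alternative returns 250, and the two only agree on 421 when DMARC would otherwise reject and the chain is one local policy would trust.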