On 11/23/2017 12:34 AM, Seth Blank wrote:
> 16 Experimental Considerations
>
> [[ NOTE TO WORKING GROUP: Should this section be for the IESG only to
> be removed by the document editor, or should it stay with the document
> as long as it’s experimental? ]]
>
> It must be demonstrated that ARC actually solves the problem it is
> supposed to - mainly, that ARC provides an effective signal to a Final
> Receiver that allows messages indirectly delivered to properly be
> rescued after a DMARC failure.
Fwiw .....
DMARC is a DKIM Author Domain Policy System. A DMARC
(p=reject/quarantine) policy failure is Author Domain defined. Hence
an ARC "signal" to correct this failure must also be Author Domain
defined, otherwise there will exist a security loophole.
The DMARC should have an indicator, i.e. tag extension, that allows
the Author Domain to publish and declare to the world receivers that
some sort of successful ARC calculation (TBD) promotes the DMARC
failure to a "pass" (or non-fail) condition.
Conversely, DMARC should also have an indicator (by default) that ARC
(or anything else) should not correct/rescue DMARC mail failures.
To avoid adding DMARC tags, possibly the first ARC seal created by
the original DMARC author domain could be a method to trigger the ARC
corrections. Something like:
If the receiver detects a DMARC failure, but also sees
a valid ARC seal where seal #1 is tied to the author domain,
then the receiver MAY promote the failure to pass.
--
HLS
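
The receiver-side rule sketched at the end of this message, as an added example that is not part of the original post or of any ARC implementation. Assumptions: the function names and result strings are hypothetical, the cryptographic ARC chain validation is done elsewhere and passed in as chain_valid, "tied to the author domain" is read as an exact match between the seal's d= tag and the RFC5322.From domain, and the header values are constructed samples.

```python
def parse_tags(value):
    """Parse a DKIM-style tag=value list (the ARC-Seal syntax) into a dict."""
    tags = {}
    for part in value.split(";"):
        if "=" in part:
            key, val = part.split("=", 1)   # split once: b= may contain '='
            tags[key.strip()] = "".join(val.split())
    return tags

def evaluate(dmarc_result, author_domain, arc_seals, chain_valid):
    """Return 'pass', 'fail', or 'promoted' (DMARC fail rescued by the rule).

    dmarc_result  -- the receiver's own DMARC result, 'pass' or 'fail'
    author_domain -- domain of the RFC5322.From address
    arc_seals     -- raw ARC-Seal header values, in any order
    chain_valid   -- outcome of cryptographic chain validation (assumed input)
    """
    if dmarc_result == "pass":
        return "pass"
    if not chain_valid or not arc_seals:
        return "fail"
    seals = {}
    for raw in arc_seals:
        tags = parse_tags(raw)
        inst = tags.get("i", "")
        if not inst.isdecimal() or int(inst) in seals:
            return "fail"                   # malformed or duplicate instance
        seals[int(inst)] = tags
    if sorted(seals) != list(range(1, len(seals) + 1)):
        return "fail"                       # gap in the instance sequence
    # ARC structure: seal 1 carries cv=none, every later seal cv=pass.
    if seals[1].get("cv") != "none":
        return "fail"
    if any(seals[i].get("cv") != "pass" for i in seals if i > 1):
        return "fail"
    # The proposed condition: seal #1 was created by the author domain.
    if seals[1].get("d", "").lower() == author_domain.lower():
        return "promoted"                   # receiver MAY treat as non-fail
    return "fail"

# Constructed sample headers (signature data shortened to a dummy value).
SEAL1_AUTHOR = "i=1; a=rsa-sha256; cv=none; d=author.example; s=sel; b=AAAA=="
SEAL1_LIST = "i=1; a=rsa-sha256; cv=none; d=list.example; s=sel; b=AAAA=="
SEAL2_LIST = "i=2; a=rsa-sha256; cv=pass; d=list.example; s=sel; b=AAAA=="
```

With these samples, only the chain whose first seal carries d=author.example is promoted; a chain started by the list itself stays a DMARC failure.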