Hi,

> (Direct link to the agenda:
> https://datatracker.ietf.org/meeting/112/materials/agenda-112-dmarc )
>
> DMARC working group IETF 112 agenda
>
> 3. Bring discussion of indirect email flows to a close.
> Tracking tickets 79, 92, 94, 100, and 122
> We will get to this topic if there's time, but the policy discovery
> discussion has priority.

if you get to this, and before "closing" this discussion, please consider the following proposals:

1. (already proposed, but I received no feedback): encourage DMARC evaluators to make sure no bounce is generated for REJECT when the message appears to come from a mailing list (silently discarding instead). Bounces coming in by the thousands are no feedback, but sheer aggression. The threat of this aggression allows some DMARC implementers to rely on the mailing list operators to implement workarounds forever (as Ale among others likes to argue). Which makes bootstrapping any new solution difficult.

2. (this proposal is new): complement ARC with a secondary DKIM signature on the first hop. Under this proposal, a DMARC-implementing domain who wants their outgoing mail to be possibly involved in indirect mailflow (most senders do) would appose on each outgoing message a secondary DKIM signature signing the following headers: the recipient address, in a normalized form (here, for example: "To: [email protected]"), From, Date and Message-ID. Thus the evaluator could make sure that the ARC signing domain has some relationship with the sender: namely that the sender sent a recent direct message to this intermediary. This in itself doesn't prove that the intermediary is trustworthy, but should make the life of fraudsters sufficiently difficult to deter them in most cases (they would need to first obtain a genuine message from whoever they try to impersonate).

Cheers,
Baptiste

_______________________________________________
dmarc mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dmarc
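
The evaluator-side check described in proposal 2, sketched as an added example (not part of the original post and not taken from any DMARC or ARC specification). The function names, result strings, seven-day "recent" window, exact domain match and the use of the `i=1` ARC-Seal as the intermediary are all assumptions; cryptographic verification of the signatures is assumed to have been done already by a DKIM/ARC library.

```python
from datetime import datetime, timedelta, timezone
from email import message_from_string
from email.utils import parseaddr, parsedate_to_datetime

REQUIRED = {"to", "from", "date", "message-id"}  # headers named in the proposal

def tags(value):
    """Parse a DKIM/ARC 'k=v; k=v' tag list, dropping folding whitespace."""
    pairs = (p.split("=", 1) for p in value.split(";") if "=" in p)
    return {k.strip(): "".join(v.split()).lower() for k, v in pairs}

def domain(addr):
    """Domain of the first address in a header value (assumes one recipient)."""
    return parseaddr(addr)[1].rpartition("@")[2].lower()

def first_hop_check(raw, now, max_age=timedelta(days=7)):
    """Policy check only: signatures are assumed to be verified elsewhere."""
    msg = message_from_string(raw)
    seals = [tags(s) for s in msg.get_all("ARC-Seal") or []]
    first = next((s for s in seals if s.get("i") == "1"), None)
    if first is None:
        return "no-arc"
    # The binding signature must be the author domain's and cover all four headers.
    sigs = [tags(s) for s in msg.get_all("DKIM-Signature") or []]
    bound = [s for s in sigs if s.get("d") == domain(msg["From"])
             and REQUIRED <= set(s.get("h", "").split(":"))]
    if not bound:
        return "no-binding-signature"
    # The signed recipient must live at the domain that applied the first ARC seal.
    if domain(msg["To"]) != first.get("d"):
        return "sealer-not-recipient"
    age = now - parsedate_to_datetime(msg["Date"])
    return "ok" if timedelta(0) <= age <= max_age else "stale"

# Constructed sample: alice@sender.example posts to a list at lists.example.
SAMPLE = """\
ARC-Seal: i=1; a=rsa-sha256; d=lists.example; s=arc; cv=none; b=PLACEHOLDER
DKIM-Signature: v=1; a=rsa-sha256; d=sender.example; s=hop1;
 h=To:From:Date:Message-ID; bh=PLACEHOLDER; b=PLACEHOLDER
From: Alice <alice@sender.example>
To: list@lists.example
Date: Mon, 08 Nov 2021 10:00:00 +0000
Message-ID: <1@sender.example>
Subject: [list] hello

body
"""
NOW = datetime(2021, 11, 9, tzinfo=timezone.utc)

if __name__ == "__main__":
    print(first_hop_check(SAMPLE, NOW))
    print(first_hop_check(SAMPLE.replace("d=lists.example", "d=other.example"), NOW))
```
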
