Do you trust the ARC signer is the only appropriate policy test. Everything else, including your "wanted and valued sender" test is a value judgement for a message filter, not an ARC evaluation. If you trust the ARC signer of a message, then you trust their assertion as to the authentication status of the message at the point they signed it.
Ken.

On Mon 19 Sep 2022, 18:31 Douglas Foster, <[email protected]> wrote:

> I am trying to specify the generic form of a local policy rule to trust
> ARC to override DMARC FAIL.
> This is my current draft:
>
> - The message's RFC5322.From address indicates a wanted and valued sender.
>
> - The message produces DMARC FAIL.
>
> - The ARC chain is intact
>
> - An ARC-A/R entry exists and indicates DMARC PASS, aligned SPF PASS, or
> aligned DKIM PASS. If more than one such ARC set is found, the highest
> sequence number is used.
>
> - The IP address used for SPF is extractable from the comment field of
> that same ARC A/R record.
>
> - A Received header can be found with the same Source IP address, and
>
> - The rest of the Received chain is scanned forward, and all included
> servers are trusted to create only accurate message headers and to make
> only non-malicious changes to the message. Given the unpredictability
>
> Can anyone simplify this formula?
>
> Doug Foster
> _______________________________________________
> dmarc mailing list
> [email protected]
> https://www.ietf.org/mailman/listinfo/dmarc
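The signer-trust test discussed in this thread can be sketched as follows; this is an added example, not code from either poster or from any ARC implementation. Assumptions: cryptographic validation of the ARC chain is done elsewhere and passed in as `chain_valid`, the function names, trusted-sealer set and sample headers are constructed, only `dmarc=pass` is checked (not the aligned SPF/DKIM alternatives), and requiring trust in every sealer from the asserting set onward is this example's own choice.

```python
import re

# Constructed sample: set 1 sealed by a forwarder that saw DMARC pass,
# set 2 sealed by a list that saw DMARC fail after forwarding.
SAMPLE_HEADERS = [
    ("ARC-Seal", "i=2; a=rsa-sha256; cv=pass; d=list.example; s=s1; b=constructed"),
    ("ARC-Authentication-Results",
     "i=2; mx.list.example; dmarc=fail header.from=sender.example"),
    ("ARC-Seal", "i=1; a=rsa-sha256; cv=none; d=forwarder.example; s=s1; b=constructed"),
    ("ARC-Authentication-Results",
     "i=1; mx.forwarder.example; dmarc=pass (p=reject) header.from=sender.example"),
]

def parse_arc_sets(headers):
    """Group ARC-Seal and ARC-Authentication-Results values by instance (i=)."""
    sets = {}
    for name, value in headers:
        kind = name.lower()
        if kind not in ("arc-seal", "arc-authentication-results"):
            continue
        value = re.sub(r"\([^)]*\)", "", value)  # drop header comments
        pairs = (p.split("=", 1) for p in value.split(";") if "=" in p)
        tags = {k.strip().lower(): v.strip() for k, v in pairs}
        if not tags.get("i", "").isdigit():
            continue  # malformed set: ignore rather than guess
        entry = sets.setdefault(int(tags["i"]), {})
        if kind == "arc-seal":
            entry["sealer"] = tags.get("d", "").lower()
        else:
            entry["dmarc"] = (tags.get("dmarc") or "none").split()[0].lower()
    return sets

def arc_overrides_dmarc_fail(dmarc_result, chain_valid, headers, trusted_sealers):
    """True when a trusted signer's ARC assertion may override a local DMARC fail."""
    if dmarc_result != "fail" or not chain_valid:
        return False  # nothing to override, or the chain is not intact
    sets = parse_arc_sets(headers)
    passing = [i for i, s in sets.items() if s.get("dmarc") == "pass"]
    if not passing:
        return False
    start = max(passing)  # highest instance asserting DMARC pass
    # Example's choice: that signer and every later sealer must be trusted.
    return all(sets[i].get("sealer") in trusted_sealers for i in sets if i >= start)
```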
