On Tue 20/Sep/2022 20:12:04 +0200 John Levine wrote:
> It appears that Alessandro Vesely <[email protected]> said:
>> The point of ARC is whether the evaluator trusts the domain(s) that produced
>> the ARC set(s). Actually, as Doug says, all the domains from the last i= down
>> to and including one reporting dkim=pass or dmarc=pass must be trusted.
>> Otherwise the result is dmarc=fail.
>
> That is not the way ARC works. But since this is the DMARC list, not the
> ARC list, let's argue about it somewhere else.

Right, I'm going to put that on the ARC list. Yet, the point here is why would
we want to say something different than dmarc=fail after ARC override. While
the meaning of spf=pass with dkim=fail is perfectly clear, having arc=pass with
dmarc=fail is not. Why?

Let me recall that email authentication is conceptually different from content
analysis. The former is a clear cut yes-or-no discriminator, the latter is a
fuzzy heuristic that tries to guess the worthiness of messages that it cannot
fully comprehend.

Having arc=pass with dmarc=fail has opposite meanings when the evaluator trusts
rather than distrusts the domain(s) which produced the ARC chain. And if we
want to use ARC as an authentication mechanism, that trust vs. distrust cannot
be decided by looking at the spam score. It has to be any evaluator's policy,
but not fuzzy, lest the evaluator's judgment be completely demeaned.

Best
Ale
--
_______________________________________________
dmarc mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dmarc
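
The trust rule stated in the message above (every sealing domain from the last i= down to and including one reporting dkim=pass or dmarc=pass must be trusted, with trust read from a fixed evaluator policy rather than a spam score), as an added example that is not part of the original post. The thread disputes whether this describes ARC itself, so the sketch models only the stated rule; it assumes the chain's seals have already been cryptographically validated, and the `ArcSet` type, the `override` label and the sample domains are constructed for illustration.

```python
from dataclasses import dataclass, field


@dataclass(frozen=True)
class ArcSet:
    instance: int   # i= value shared by the set's three ARC header fields
    sealer: str     # d= domain of the ARC-Seal
    results: dict = field(default_factory=dict)  # from ARC-Authentication-Results


def arc_override(chain, trusted, dmarc_result):
    """Return 'pass', 'override' or 'fail' (labels are this example's own)."""
    if dmarc_result == "pass":
        return "pass"
    ordered = sorted(chain, key=lambda s: s.instance, reverse=True)
    # A usable chain is numbered n, n-1, ..., 1 with no gaps or repeats.
    if not ordered or [s.instance for s in ordered] != list(range(len(ordered), 0, -1)):
        return "fail"
    trusted = {d.lower() for d in trusted}
    for arc_set in ordered:
        # Trust is a yes/no lookup in evaluator policy, never a score.
        if arc_set.sealer.lower() not in trusted:
            return "fail"
        if "pass" in (arc_set.results.get("dkim"), arc_set.results.get("dmarc")):
            return "override"
    return "fail"  # walked the whole chain without finding a reported pass


# Constructed sample: a forwarder saw dkim=pass, then a list broke the signature.
SAMPLE_CHAIN = [
    ArcSet(1, "forwarder.example", {"dkim": "pass", "dmarc": "pass"}),
    ArcSet(2, "list.example", {"dkim": "fail", "dmarc": "fail"}),
]

if __name__ == "__main__":
    for policy in ({"list.example", "forwarder.example"}, {"forwarder.example"}):
        print(sorted(policy), "->", arc_override(SAMPLE_CHAIN, policy, "fail"))
```

With the same chain and the same dmarc=fail input, the outcome flips only when the evaluator's trust list changes, which is the yes-or-no behaviour the message argues for.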