On Sun 01/Feb/2026 11:02:13 +0100 Bron Gondwana wrote:
> I will agree with Richard here. Fastmail ALSO adds ARC headers and verifies
> ARC, but (still) doesn't treat it as having any spam prediction value.
>
> I would say that operational experience with ARC has borne out the issues that
> Neil and I recognised, and I wrote about
> <https://mailarchive.ietf.org/arch/msg/dmarc/4Gu1EErK4iuo9pQnZ-uJ2tKpMDQ/>
> when first implementing ARC.

Some of the replies mentioned that mailing lists don't honor DMARC settings.
One good thing ARC does is to export Authentication-Results. A recipient may
want to know if DMARC had already failed when posting to the list.
Another good thing is the chaining of signatures, so you immediately know who
the last forwarder is, i.e., the one responsible for the user's subscription.

> It was published as "Experimental" because of concerns raised by myself and
> others about its efficacy under attack.

We've never explained how to use it. Most implementers seem to use it for
internal verification, adding an ARC set at each internal hop, as if they
required cryptography to identify which hosts are their own (internal) ones.

> I'm happy to say "ARC should remain un-deprecated until DKIM2 is published to
> replace it", but I'd be equally (or even more) happy to say "The ARC experiment
> should be concluded now".

An alternative might be to say "if you use ARC so-and-so, it works reliably".
The hype on global reputation was pushed so hard that it seemed like the only
possible use of the protocol. Instead, it's the concept of global reputation
which should be made obsolete.
Best
Ale
--
_______________________________________________
dmarc mailing list -- [email protected]
To unsubscribe send an email to [email protected]
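
The two uses of ARC named in the reply above (reading the DMARC result recorded when the message reached the list, and identifying the last forwarder from the highest-instance seal) can be sketched as follows. This is an added example, not part of the original message; the sample message, domains and the names `tags` and `arc_summary` are constructed for illustration, and the code only reads what the ARC sets claim without verifying any signature.

```python
import email
import re
from email import policy

# Constructed sample: author -> list.example (i=1) -> forwarder.example (i=2).
# Signature values are placeholders; nothing here is cryptographically verified.
SAMPLE = (
    "ARC-Seal: i=2; a=rsa-sha256; t=1769940200; cv=pass; d=forwarder.example; s=s2; b=PLACEHOLDER\n"
    "ARC-Message-Signature: i=2; a=rsa-sha256; d=forwarder.example; s=s2; h=from:subject; bh=PLACEHOLDER; b=PLACEHOLDER\n"
    "ARC-Authentication-Results: i=2; forwarder.example; dkim=fail header.d=author.example; dmarc=fail header.from=author.example; arc=pass\n"
    "ARC-Seal: i=1; a=rsa-sha256; t=1769940100; cv=none; d=list.example; s=s1; b=PLACEHOLDER\n"
    "ARC-Message-Signature: i=1; a=rsa-sha256; d=list.example; s=s1; h=from:subject; bh=PLACEHOLDER; b=PLACEHOLDER\n"
    "ARC-Authentication-Results: i=1; list.example; dkim=pass header.d=author.example; dmarc=pass header.from=author.example\n"
    "From: Author <author@author.example>\n"
    "Subject: [list] hello\n"
    "\n"
    "body\n"
)


def tags(value):
    """Parse a 'tag=value; tag=value' list into a dict, dropping whitespace."""
    pairs = (p.split("=", 1) for p in value.split(";") if "=" in p)
    return {k.strip(): "".join(v.split()) for k, v in pairs}


def arc_summary(raw):
    """Return what the ARC sets claim; None if the message carries no ARC-Seal."""
    msg = email.message_from_string(raw, policy=policy.default)
    seals = {int(t["i"]): t for t in map(tags, map(str, msg.get_all("ARC-Seal", [])))}
    dmarc = {}
    for value in map(str, msg.get_all("ARC-Authentication-Results", [])):
        inst, _, results = value.partition(";")
        found = re.search(r"\bdmarc=(\w+)", results)
        dmarc[int(tags(inst)["i"])] = found.group(1) if found else None
    if not seals:
        return None
    n = max(seals)
    # Structural sanity only: instances 1..n, cv=none on the first, cv=pass after.
    well_formed = sorted(seals) == list(range(1, n + 1)) and all(
        seals[i].get("cv") == ("none" if i == 1 else "pass") for i in seals)
    return {
        "last_forwarder": seals[n].get("d"),
        "dmarc_at_first_hop": dmarc.get(1),
        "dmarc_at_last_hop": dmarc.get(n),
        "well_formed": well_formed,
    }
```

These values are only as trustworthy as the seals behind them, so a receiver would act on them after an ARC validator has verified the chain.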