Alessandro Vesely writes:
> The (subtle) difference lies in the kind of trust the receiver must
> place in the signer. The intended use of ARC required blind trust,
> whereas DKIM2 can reconstruct the original message and verify the
> author's domain signature, so it only needs to trust that the
> changes made by the forwarder are semantically correct.

No, ARC does not require blind trust. Legitimate email forwarding usually happens because of the RECIPIENT asking for it. The recipient will then know who is doing the forwarding, and as he is asking that forwarding service to do that forwarding, he should have some trust with them, i.e., he should be willing to trust the ARC headers generated by the forwarding service he asked to forward emails to him. He should NOT trust any other ARC signers, only those he asked service from. ARC is very useful in that.

Unfortunately we still have very limited support for the email recipient to configure per user trusted ARC forwarders, thus that makes ARC less useful, but as long as the forwarders do ARC signing, the recipient can switch to a system that does allow that and will then benefit from the ARC (i.e., he can use the ARC SPF status to see whether the SPF passed when the email was received by forwarder, it will of course be failing after the forwarding).

> Global trust is slippery, because spammers can take legitimate
> posts, wholly replace their content, while duly compiling the
> difference and signing. How do we know that DKIM2 won't fail for the
> same reasons ARC failed?

There is no need for global trust. If DKIM2 will require global trust it will fail.

--
[email protected]
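
The per-recipient trust model described in the reply above, as an added example that is not part of the original post: it reads the SPF result recorded in `ARC-Authentication-Results` only from ARC sets sealed by a forwarder the recipient has listed, and ignores every other signer. It assumes the ARC chain was already cryptographically validated by the receiving system (the hypothetical `chain_valid` flag); the function names, domains and header values are constructed.

```python
import re
from email import message_from_string

# Constructed sample: forwarder.example is the forwarder the recipient asked for;
# unrelated.example is an ARC signer the recipient has no relationship with.
RAW = """\
ARC-Seal: i=2; a=rsa-sha256; d=unrelated.example; s=s1; cv=pass; b=constructed
ARC-Authentication-Results: i=2; unrelated.example; spf=pass smtp.mailfrom=author.example
ARC-Seal: i=1; a=rsa-sha256; d=forwarder.example; s=s1; cv=none; b=constructed
ARC-Authentication-Results: i=1; forwarder.example; spf=pass smtp.mailfrom=author.example
From: alice@author.example
Subject: constructed sample

body
"""

def seal_tags(value):
    """Parse an ARC-Seal tag list (i=, d=, cv=, ...) into a dict."""
    tags = {}
    for part in value.split(";"):
        if "=" in part:
            key, val = part.split("=", 1)
            tags[key.strip()] = "".join(val.split())  # drop folding whitespace
    return tags

def trusted_arc_spf(raw, trusted, chain_valid):
    """Return {instance: (signer, spf)} for ARC sets sealed by a trusted forwarder.

    chain_valid is an assumption: the caller's ARC verifier has already checked
    every signature in the chain. Without that, no ARC header is usable.
    """
    if not chain_valid:
        return {}
    msg = message_from_string(raw)
    signer = {}  # instance number -> sealing domain
    for value in msg.get_all("ARC-Seal", []):
        tags = seal_tags(value)
        if "i" in tags and "d" in tags:
            signer[tags["i"]] = tags["d"].lower()
    results = {}
    for value in msg.get_all("ARC-Authentication-Results", []):
        inst = re.match(r"\s*i=(\d+)\s*;", value)
        spf = re.search(r"\bspf=(\w+)", value)
        # Only a signer the recipient explicitly listed is allowed to vouch for SPF.
        if inst and spf and signer.get(inst.group(1)) in trusted:
            results[int(inst.group(1))] = (signer[inst.group(1)], spf.group(1).lower())
    return results
```
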
