[dmarc-ietf] Re: Proposed Recharter to Conclude the ARC Experiment

[Richard Clayton]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

In message <CAH48Zfwx0eSOEof9V73j+omeyph2=pcv0wrb3fhvnoaajnc...@mail.gma
il.com>, Douglas Foster <dougfoster.emailstanda...@gmail.com> writes

> Auto-forwarding creates reputation risk and information leakage risk to
>the forwarding organization, so it should be approved by sending domain
>administration.

for large sending systems (and most smaller ones) that just isn't going
to happen...  there is a proposal floating around (which may make it to
the IETF in due course) to authenticate sign-ups to newsletters &c which
will be valuable, but that is in a different space

>   Auto-forwarding also complicates inbound filtering for
>the receiving organization, 

you may think so, but in practice the receiving side of the house has no
idea whatsoever that the email will be forwarded (at any system I run or
assist with in $DAYJOB$)

>so it should at minimum require evidence that
>the receiving user will accept it, but in most cases should also require
>evidence that the receiving domain will accept it.

in the DKIM2 world if the receiving user will not accept a mail the
refusal will always become known to the forwarder (who might consider
making a configuration adjustment) and it will generally also become
known to the system that sent it to the forwarder (who might also
consider whether they wish to send more email in that direction).

>Sadly, in the decade-plus that IETF has been trying to perfect
>authentication as a spam defense,

I don't believe authentication has anything to do with "defending"
against spam, it has a lot to do with reliably assigning reputation to
entities within the ecosystem -- and you may wish to use reputation in
your decisions about whether or not to accept messages.

> the threat landscape has changed.
> Nearly all my incoming spam is now fully authenticated.

one might argue that "Yahoogle" had something to do with that

>On Sat, Feb 21, 2026 at 9:08
AM Tero Kivinen <kivi...@iki.fi> wrote:

>> Such trust does not exists.

I am a great believer in NSA's definition of trust .. a trusted
component is one that will screw you over when it breaks.

Hence trust is not something to aim for, but something to avoid whenever
that might be possible.

- -- 
richard                       writing to inform and not as company policy

"Assembly of Japanese bicycle require great peace of mind" quoted in ZAMM

-----BEGIN PGP SIGNATURE-----
Version: PGPsdk version 1.7.1

iQA/AwUBaZpbamHfC/FfW545EQJ2dgCgqR18S545ppMx4HDE4yx30ksQV2gAni5Y
EbQdLLxQpdrnNEy62CF+IxSc
=tGkY
-----END PGP SIGNATURE-----

_______________________________________________
dmarc mailing list -- dmarc@ietf.org
To unsubscribe send an email to dmarc-le...@ietf.org