[Mailman-Users] ARC, was non-subscribers getting through--email address in "Real Name"

[Stephen J. Turnbull]

Grant Taylor via Mailman-Users writes:

 > I'm questioning why domains that do use ARC headers that don't run 
 > mailing lists should not be white listed.

You're misunderstanding.  The ARC community doesn't discourage
whitelisting other sites.  The work to do whitelisting does.  Mailing
lists are *known* to *frequently* (almost always) break DKIM
signatures in a way amenable to repair by ARC.[1]

The other main pain points for DMARC are third-party services that are
authorized by the owner of a mailbox to send mail "on behalf of",
without participation of the adminstrator of the mailbox's domain.  An
example is invoicing services.  These do not benefit from ARC *at all*
because they have a valid DKIM signature from the originating domain,
who can be trusted for that service, but don't get such a signature
from the mailbox's domain as required for DMARC From validation.

The other *possible* use case for ARC would be non-mailing list
forwarding.  But these almost never break the DKIM signature of the
originator.  I guess large services like GMail can eventually add a
feature where a user can configure GMail to recognize and whitelist
specific sites where they have mailboxes set to forward to GMail.  But
I doubt this will ever be a standard feature of MDAs.  It will be
complex and fragile to implement, and almost never used.



Footnotes: 
[1]  Note that I disagree somewhat with John.  I suspect that
humongous providers like GMail, Yahoo!, and Microsoft will
automatically accept ARC in the presence of a RFC 2369 List-* header,
and blacklist on bad behavior, as they do now.  That's not perfect
from a list admin's point of view---it requires a lot of resources to
do that well, so small sites probably won't---but it's not too bad.