On Tue 24/Feb/2026 13:19:00 +0100 Douglas Foster wrote:
Ale, I don't understand the "global trust" issue. Each evaluator decides
what to trust. A mailing list may want a way to ensure that every
recipient organization treats its messages equally and favorably, but this
is not going to happen and was not an asserted goal of ARC. Each
organization decides, independently, which ARC data it wants to accept.
Richard's complaint went much deeper, arguing that even data from a
trusted participant could not be trusted. I think his problem occurs when
the message passes more than one intermediary. With multiple
intermediaries, the recipient needs to be able to trust each one, whether
they add an ARC set or not, or the ARC set itself becomes untrustworthy.
ARC doesn't /assert/ global trust, but assumed that the receiver trusts ARC
sealers just as they trust DKIM signers, possibly based on a global list of
trusted forwarders or a local list that each mail hub bakes on its own.
It's well known that many operators don't fabricate fake credentials, so it's
safe to trust them. Thus, I should trust Google, but the reverse is not true.
One of my users asked me to forward all her messages to her Gmail account.
Google rejects part of that stream; in particular, it rejects mass mailers. I
believe they're pretending DKIM has failed in order to reject what they fear
might be a replay. They cannot trust me, because —and this is a different
meaning of "global"— if they did, then they'd accept my messages to /any/ Gmail
user, which they cannot afford.
It is necessary to trust somebody, or there would be no reason to accept
any incoming email. But it is also true that trust can be betrayed, and
betrayal by a trusted actor tends to be more damaging than malicious action
by an untrusted actor. Trust makes a person an insider, so betrayal of
that trust becomes an insider attack. I have found this to be a powerful
principle for email filtering. There are three types of "insiders":
- Members of my organization who log into my email server.
- External senders whose identity is verified and who are explicitly
trusted as evidenced by some type of allow rule to prevent wanted
messages from being blocked.
Wanted by whom? When you know a user wants a particular stream because they've
said so, the ability to authenticate a message's membership in that stream
allows you to accept it without question. Gmail might even place the messages
I forward to my user in a special Forwarded-by-Ale folder, making it clear to
the user that the content has been explicitly approved by her. No games.
- External senders whose identity is verified and who are implicitly
trusted because they have sent us previous messages which have not
been flagged by spam filtering, have not been flagged by user
complaints, and have not caused visible harm to our organization.
Attacks from these insiders are dangerous exactly because they are
trusted. Email filtering is based on three prongs: (1) Do I know who
you are? (2) Do I know your reputation? and (3) Is your message content
acceptable? For an insider, the first two answers are favorable, and the
third question is answered with a high degree of grace. We assume that
betrayal by a trusted actor will involve account compromise, and the nature
of messages sent from a compromised account is nearly impossible to
forecast, so filtering to detect a future compromise is very difficult.
Of course, a compromise can be detected only after it has occurred :-/
Best
Ale