Listservs and DMARC - inbound

I watched the wrap-up session and see ARC can work around the issue with listservs and forwards.

What are folks doing about inbound listservs and DMARC? We watch for inbound DMARC rejects and find many listserv messages fail. Are you piecemeal permitting onesie-twosie inbound, although they fail DMARC, as you encounter them?
Example:
Authentication-Results: ;
spf=pass [email protected];
dkim=pass header.s=pdx header.d=collegenet.com;
dkim=fail header.s=selector2 header.d=coastal.edu;
dmarc=reject header.from=coastal.edu

Since many email security gateways do not yet support ARC out of the box, we had to come up with our own metrics on how to validate messages.

In short, we check for x-headers and make a verdict calculation based on the outcome.

Best case (ARC seal header present and SPF, DKIM and DMARC validate), then we remove points depending on what is available in the header and can be validated.

So an external message with low domain and sender reputation without passing SPF, DKIM and DMARC would get the worst score.

Our rule engine then goes from there. The higher the score, the more you are trusted; the lower the score, the more likely we will remove the FROM and only show the SMTP env for our users. We still do many additional checks, but this gives you the overall idea.

Thank you Marc. That makes sense.
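A sketch of the scoring approach described in the reply above, run against a header modelled on the one in the question; this is an added example, not code from anyone in the thread. The point values, the threshold, the `mx.example.net` authserv-id, the `smtp.mailfrom` value and all function names are assumptions, the ARC outcome is read from an `arc=` result in Authentication-Results, and reputation inputs are left out.

```python
import re

# Constructed sample modelled on the header quoted in the thread. The
# authserv-id and smtp.mailfrom values are placeholders, not from the page.
SAMPLE = (
    "Authentication-Results: mx.example.net;\n"
    " spf=pass smtp.mailfrom=bounce@list.example;\n"
    " dkim=pass header.s=pdx header.d=collegenet.com;\n"
    " dkim=fail header.s=selector2 header.d=coastal.edu;\n"
    " dmarc=reject header.from=coastal.edu"
)
# Assumed point deductions and threshold; the thread gives no numbers.
PENALTY = {"arc": 25, "spf": 20, "dkim": 25, "dmarc": 30}
THRESHOLD = 50

def parse_authres(header, trusted_id):
    """Return [(method, result, props)], or [] if another host wrote the header."""
    value = re.sub(r"\s+", " ", header.split(":", 1)[1]).strip()
    clauses = [c.strip() for c in value.split(";")]
    if clauses[0].lower() != trusted_id.lower():
        return []  # only results stamped by our own gateway count
    out = []
    for clause in clauses[1:]:
        m = re.match(r"([\w-]+)=(\w+)(.*)", clause)
        if m:
            props = dict(p.split("=", 1) for p in m.group(3).split() if "=" in p)
            out.append((m.group(1).lower(), m.group(2).lower(), props))
    return out

def aligned(signing_domain, from_domain):
    """Simplified relaxed alignment: same domain or a subdomain of it."""
    d, f = signing_domain.lower(), from_domain.lower()
    return bool(f) and (d == f or d.endswith("." + f))

def trust_score(results):
    """Start at 100 (everything validated) and remove points per missing check."""
    from_dom = next((p.get("header.from", "") for m, _, p in results if m == "dmarc"), "")
    passed = lambda method: [p for m, r, p in results if m == method and r == "pass"]
    score = 100
    for method in ("arc", "spf", "dmarc"):
        if not passed(method):
            score -= PENALTY[method]
    # A DKIM pass only helps if the signing domain aligns with the header From.
    if not any(aligned(p.get("header.d", ""), from_dom) for p in passed("dkim")):
        score -= PENALTY["dkim"]
    return score

def display_policy(score):
    """Low scores hide the header From and show only the SMTP envelope sender."""
    return "show-header-from" if score >= THRESHOLD else "show-envelope-sender"

if __name__ == "__main__":
    s = trust_score(parse_authres(SAMPLE, "mx.example.net"))
    print(s, display_policy(s))
```

In the sample, the passing DKIM signature belongs to the list operator's domain rather than the From domain, so it earns no credit, which is the listserv failure pattern the question describes.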