This is something I've been wanting to talk about for a while.
I run an email forwarding service (ImprovMX.com) and at first glance, ARC might seem like a good idea when forwarding an email.
When ARC-signing an email, ImprovMX would tell the next hop what the SPF, DKIM and DMARC situation was, even if that has since changed (like SPF breaking, which happens when forwarding an email).
BUT this relies on trusting the one creating the ARC signature.
And for me, this is bad.
What does trusting mean? In this specific case, it would mean having a list of trusted authorities (Google, Microsoft, AWS, etc.) that we can trust, while being cautious with all the others?
Heck no! As this would mean a two-way internet, where the big ones have even bigger power, and new, emerging or small ones have no power.
> ARC serves the big ones only.
Am I wrong?
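
The trust decision described above, as an added sketch that is not part of the original post or ImprovMX's code: a receiver whose own DMARC check fails after forwarding honours the forwarder's ARC-recorded results only when the sealing domain is on an allowlist. The allowlist contents, the header values and the `decide` function are assumptions constructed here, and cryptographic validation of the seal is assumed to have been done already.

```python
import re

# Hypothetical allowlist of sealer domains a receiver has chosen to trust.
TRUSTED_SEALERS = {"google.com", "microsoft.com"}

def parse_tags(value):
    """Parse a 'k=v; k=v' tag list into a dict (untagged parts are skipped)."""
    pairs = (p.split("=", 1) for p in value.split(";") if "=" in p)
    return {k.strip(): v.strip() for k, v in pairs}

def arc_sets(headers):
    """Group ARC-Seal and ARC-Authentication-Results headers by instance i=."""
    sets = {}
    for name, value in headers:
        if name in ("ARC-Seal", "ARC-Authentication-Results"):
            sets.setdefault(int(parse_tags(value)["i"]), {})[name] = value
    return sets

def decide(headers, local_dmarc):
    """Return 'pass', 'arc-override' or 'fail' for a received message."""
    if local_dmarc == "pass":
        return "pass"                      # ARC is not needed at all
    sets = arc_sets(headers)
    if not sets:
        return "fail"
    last = sets[max(sets)]                 # the most recent sealer's ARC set
    if "ARC-Seal" not in last or "ARC-Authentication-Results" not in last:
        return "fail"
    seal = parse_tags(last["ARC-Seal"])
    # Assumption: the seal's signature was verified elsewhere; only cv= is read.
    if seal.get("cv") not in ("none", "pass"):
        return "fail"
    upstream_ok = re.search(r"\bdmarc=pass\b", last["ARC-Authentication-Results"])
    # The forwarder's claim only counts if the receiver trusts the sealer.
    if upstream_ok and seal.get("d") in TRUSTED_SEALERS:
        return "arc-override"
    return "fail"

def sample(sealer):
    """Constructed headers for a forwarded message sealed by `sealer`."""
    return [
        ("ARC-Seal", f"i=1; a=rsa-sha256; cv=none; d={sealer}; s=sel1; b=CONSTRUCTED"),
        ("ARC-Authentication-Results",
         f"i=1; mx.{sealer}; spf=pass smtp.mailfrom=sender.example; "
         "dkim=pass header.d=sender.example; dmarc=pass header.from=sender.example"),
    ]

if __name__ == "__main__":
    for sealer in ("google.com", "smallforwarder.example"):
        print(sealer, "->", decide(sample(sealer), local_dmarc="fail"))
```

Both sample messages carry the same recorded results; only the sealing domain differs, and that alone changes the outcome.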