Re: [dmarc-ietf] ARC questions

Brandon Long <> Mon, 23 November 2020 19:29 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 51EA33A0CD7 for <>; Mon, 23 Nov 2020 11:29:47 -0800 (PST)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -15.699
X-Spam-Status: No, score=-15.699 tagged_above=-999 required=5 tests=[DKIMWL_WL_MED=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, ENV_AND_HDR_SPF_MATCH=-0.5, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001, USER_IN_DEF_DKIM_WL=-7.5, USER_IN_DEF_SPF_WL=-7.5] autolearn=ham autolearn_force=no
Authentication-Results: (amavisd-new); dkim=pass (2048-bit key)
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id nXsa4p_-6IGn for <>; Mon, 23 Nov 2020 11:29:46 -0800 (PST)
Received: from ( [IPv6:2607:f8b0:4864:20::934]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by (Postfix) with ESMTPS id EF3AB3A0CD6 for <>; Mon, 23 Nov 2020 11:29:45 -0800 (PST)
Received: by with SMTP id x13so6027313uar.4 for <>; Mon, 23 Nov 2020 11:29:45 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=NQUP8T3wYCbRG8/H5QbHIh+LvLyic2kIrtswjuxMteo=; b=PVB0xho2E43IIP9d5lU7Jh2vrUav9sxoAojQwWyVgNvYAsK8X1A8iAhXdru+kabKUZ FPPkT3oSRK79X94KH/+ddPKqQHiVh/2N3ezP83wr8SKujQc881cRosIO8JJ14CChd5SZ MrAFJKC4vkMWH6tizKMYMl+NRqv8tAlljZeFenwwN2ergp1qCgaEJF1XMprTDGhGnRTe rtSJQddaM0tFaBBRt/iK+hBrjxymqoKfoWuQV+jadCKuHhjiEnPoEEeQZ6xWVCK5pgYf UcQNyVTG8zmcp+sJMobHrFtlp+KO0VufsgEiQXKEeQqLHhuopmE4+NgV2LlLERhGkGNA YBCQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=NQUP8T3wYCbRG8/H5QbHIh+LvLyic2kIrtswjuxMteo=; b=mWjWu/u1cedg3281tTDAysFpS7XPdcGc3gPlHXactWEhe8wfb2Ieuj8qNfbRNMM7v6 ZwQqBRo2XJKJhjJDGf6YQ20ckv9DersipiE1vJZXHq5t2XLuLnE01sDqegVS1Fy9ClL5 U/BkkKr/wsxxc4q0dVfBBASeXxesbpzG9s15dW/MKeAndiZy+Nc/F+TT1poubcwwPzFk RWa9zLAbNmV/Uc9t9EV93U/abssFckphbhwNh6ZbZiMrZdZh/+tGe/NHQs0B9QPRgfxe k8MDOeNyrYuSLWV6/eyTgIcNZ5ZIaz6b3YcnNc/5F8Qw0y8QvoPn9Cc4rrXd93ITHXgY FmyA==
X-Gm-Message-State: AOAM531XsijosO+syqqBRWOrPViPFxucdvhpCX7H+MYxxtmX/02ZYwgw scHsJKM9r4vfZhGDDPbA0SmDmF33l1r6tbuibNHhvWd7UQ==
X-Google-Smtp-Source: ABdhPJwki/mWnDJXv4aGLR0Vddn8HOi4vE2GFkf3cU76fwYg6RPOdMBRwKr2aGKtit57uMuQoNokQNwNAn7pklCttms=
X-Received: by 2002:ab0:13f1:: with SMTP id n46mr1106295uae.10.1606159784692; Mon, 23 Nov 2020 11:29:44 -0800 (PST)
MIME-Version: 1.0
References: <> <20201122021417.B5E6E27B3E59@ary.qy> <> <> <> <>
In-Reply-To: <>
From: Brandon Long <>
Date: Mon, 23 Nov 2020 11:29:32 -0800
Message-ID: <>
To: Michael Thomas <>
Cc: John R Levine <>, "Kurt Andersen (b)" <>, "" <>
Content-Type: multipart/alternative; boundary="0000000000006bdd9805b4cb37d2"
Archived-At: <>
Subject: Re: [dmarc-ietf] ARC questions
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "Domain-based Message Authentication, Reporting, and Compliance \(DMARC\)" <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Mon, 23 Nov 2020 19:29:47 -0000

On Sun, Nov 22, 2020 at 11:29 AM Michael Thomas <> wrote:

> On 11/22/20 11:14 AM, John R Levine wrote:
> >> Is there a reason that there is a separate ARC-signature rather than
> >> just using the DKIM signature that is normally created for the new
> >> message? Since ARC is new, you'd not want the intermediary to stop
> >> DKIM signing the message so you end up with essentially two
> >> signatures doing essentially the same thing?
> >
> > The ARC signature has a sequence number so you can track the chain of
> > custody.  You are right that it is similar to the DKIM signature but
> > the extra ovehead doesn't seem excessive.
> >
> Did the wg consider just grafting that onto the DKIM signature itself
> instead of having essentially a duplicate signature? Receivers are
> already supposed to ignore any tags they don't understand so it
> shouldn't hurt backward compatibility.

The DKIM-Signature is an "ownership" thing, it's a message originator that
is saying
"associate this message to me".

Intermediaries don't want to take ownership of the message in that sense,
though there
are some mailing lists that do.

So, if Google added a DKIM signature as to all of the messages
going through
it, that would not be good.  Even if the new tag indicated "I don't own
this", it doesn't change
the existing receivers who haven't been updated.