Re: [dmarc-ietf] ARC questions

"Murray S. Kucherawy" <> Thu, 26 November 2020 00:14 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 112CB3A0DCF for <>; Wed, 25 Nov 2020 16:14:43 -0800 (PST)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -2.097
X-Spam-Status: No, score=-2.097 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: (amavisd-new); dkim=pass (2048-bit key)
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id FGA08m7VId-A for <>; Wed, 25 Nov 2020 16:14:40 -0800 (PST)
Received: from ( [IPv6:2607:f8b0:4864:20::932]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by (Postfix) with ESMTPS id AE8533A0DEA for <>; Wed, 25 Nov 2020 16:14:40 -0800 (PST)
Received: by with SMTP id q68so19650uaq.3 for <>; Wed, 25 Nov 2020 16:14:40 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=FUE/5SxgVjFskiyhriZkOZMiFNvooubVh/siTf/zorg=; b=nPW2etGPpdjhjorGgY+ahl2Cni2TIoNdUnUx+lWOdQQgABLvPha5iWfAm6R3uvTsL/ INDKpfgMSEJzpYgKtqTY1tC5/6W0RroEWy/0l+RJDoBdI61vpj6AAj8OLLEj19KMKyM5 x4hyKhT6QPWC1Fbnb3f+OQjo6Aux60bxF0oRtFoROyxUT7MjcwZAL5YpHlMhIcmG3BY2 0/l0UYUQRM1jFQKZu0OQvu95vH5oKe1HdZ9rSLoLPTk/B+ocdnJt3vvTuRnKDstY0X1A C8YVsI/tATfEjFHk2+odrVbD4hTINjJvWLUsb72cKyURbJLVeZxPEpgDBzA+3leNaSIu XLYw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=FUE/5SxgVjFskiyhriZkOZMiFNvooubVh/siTf/zorg=; b=HvQE1T01F6E7bB9ivFrfejfmCe6Oe8nnfnM48b2mMDlCexjYag/xoqcvGmufs9pUtA ShdmteEsIB8sMqKHo4RtWiZdsOGhJTlp9vk6AJwFtczE9y00SOjXWT8LwsAKJLdxvtJh 6d3/+8YxIo5e5jIR0X111JvkSF/zvolAeLv4mdZXblGaJCfrEBboRyvJkJMhmjbZE3oo i9mvaUpNFFDT3okWTpD7gIFGN0hnjOC5W2+tredvy7rJyYm5HxmbIRXxqKfNlZkfZeNJ YpRXjhM7jciHuQbuOlpe/IFWsYnNJVCL/tJrOuwo2kmEZe4ZCZ7CO1jrd2p1UT9gr6P1 XWPw==
X-Gm-Message-State: AOAM530HJcDYBqxik2WHqek6sOVHD81YZs1C+rx6hKdF1uUyxzqdRLhS hDm2xLgwP+4kjK2M7gSMPxpROH9Dr4Ac8BIL60U=
X-Google-Smtp-Source: ABdhPJwZJHC7Qj60rOa4XQmUDUzbDnAVsblqL02+eioRi5GR/lW5COviS8PeQnRMh2BrZPgAzzjFIdAvSDiJeP8SwIA=
X-Received: by 2002:ab0:2109:: with SMTP id d9mr339033ual.76.1606349679505; Wed, 25 Nov 2020 16:14:39 -0800 (PST)
MIME-Version: 1.0
References: <20201124020453.AFDC027CE5C8@ary.qy> <> <> <> <> <> <>
In-Reply-To: <>
From: "Murray S. Kucherawy" <>
Date: Wed, 25 Nov 2020 16:14:27 -0800
Message-ID: <>
To: Michael Thomas <>
Cc: Douglas Foster <>, IETF DMARC WG <>
Content-Type: multipart/alternative; boundary="00000000000008339f05b4f76ea7"
Archived-At: <>
Subject: Re: [dmarc-ietf] ARC questions
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "Domain-based Message Authentication, Reporting, and Compliance \(DMARC\)" <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Thu, 26 Nov 2020 00:14:50 -0000

On Wed, Nov 25, 2020 at 11:03 AM Michael Thomas <> wrote:

> On 11/24/20 8:19 PM, Murray S. Kucherawy wrote:
> On Tue, Nov 24, 2020 at 7:27 PM Douglas Foster <
>> wrote:
>> Michael, I think the purpose is stated well enough:   Mailing lists want
>> to keep adding their content to messages, without being blocked by
>> recipients.   This means that they have to provide recipients with enough
>> information for them to accept the forwarded content.   Google and
>> Microsoft seem to be on-board with this project, so it seems pretty
>> successful already.   This train is not easily stopped.
> That sounds about right.  Put another way: DMARC's success is at least in
> part stymied by what MLMs do that invalidates DKIM; ARC is an attempt to
> carry forward from the MLM, in a credible way, an indication of what the
> MLM saw in terms of DKIM results when the message got to the MLM.  So then,
> although an author signature will fail post-MLM, the MLM signature will
> pass, and the ARC data will tell you that the author signature was good
> when the MLM got it.  If you trust the chain, then that can be an
> alternative to the DKIM input when the final recipient performs a DMARC
> evaluation.
> That's been known for over 15 years. I'm still trying to understand the
> assertion that DKIM signatures are a "bad fit". I just looked at a random
> message off of this thread and they look identical except for the i= field.
> another field could trivially be added to DKIM and auth-res -- since
> unknown fields are supposed to be ignored -- if this binding property is
> absolutely needed, which I remain unconvinced by as well.
I'm not sure about "bad fit".  The original plan was to have an
Authentication-Results (AR) clone called Original-Authentication-Results
(OAR) which was specifically the AR content generated at the first
non-submission MTA.  There was some friction (mostly from me, as I recall)
about having two header fields with identical syntax and nearly identical
semantics.  There was further complication in the fact that one ADMD could
apply multiple ARs on a single message (for multiple methods, or multiple
instances of the same method, or a combination of those), or they could be
reordered, etc.  To make it more resilient, things like instance numbers
were added.  The work was eventually generalized to be a "chain of custody"
sort of model, and in doing that I think the decision was made to make a
new name to ensure ARC and DKIM would be processed differently.

I imagine it could've been done as an Applicability Statement over DKIM and
AR, but I'm not sure now whether that would've been simpler.

> If you ask me, part of the experiment should be able to show use cases
> that DKIM + auth-res (or maybe old-auth-res if needed) CANNOT address that
> ARC can, and most especially what percentage of email traffic we're
> actually talking here. As far as I can see ARC doesn't bring anything
> especially new for the mailing list kind of use cases since it really easy
> to see who the intermediary was that broke the signature. I have been told
> there are some vague other kinds of use cases but is unclear whether those
> use cases actually happen before or after the message arrives at the front
> door of the final receiving domain. Yes, i read section 7, but it doesn't
> tell me why this can't be handled with current technology.
> Obviously it's too late to include this in RFC 8617, but those would
indeed be interesting data to have.

When you say "easy to see", do you mean for software or for humans?

> It seems to me that the lynchpin is whether I trust the domain that broke
> the signature and resigned. That's either a previously solved or unsolved
> problem depending on your perspective. If I trust the intermediary domain
> to not send me spam via reputation, I forward it along to be delivered and
> ignore the DMARC record. Why do I care whether it originally validated from
> the sending domain or not? If you ask me, that's the intermediary domain's
> problem since they have an incentive to keep their reputation and not send
> spam through.
Suppose you're sending to a list that I'm on, I enforce DMARC, I trust that
MLM not to send spam via reputation, you have a good reputation, and you
publish a DMARC "reject" policy.  That means if a bad actor sends a message
to the list as you but doesn't sign it at all, I'll still accept it because
I trust that MLM even though according to your policy request, I should
bounce it.  ARC provides the missing data I need to enforce your request.

If the MLM enforces DMARC, that's slightly better, but I think ARC was
meant to be an incremental drop-in for MLM operators that don't (or won't)