Re: [dmarc-ietf] ARC questions

John Levine <> Sun, 22 November 2020 02:14 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 042573A0C3F for <>; Sat, 21 Nov 2020 18:14:23 -0800 (PST)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -1.85
X-Spam-Status: No, score=-1.85 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HEADER_FROM_DIFFERENT_DOMAINS=0.25, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: (amavisd-new); dkim=pass (2048-bit key) header.b=m/kjyELD; dkim=pass (2048-bit key) header.b=ZMmf6Fq7
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id jb7AjqlaYTja for <>; Sat, 21 Nov 2020 18:14:21 -0800 (PST)
Received: from ( [IPv6:2001:470:1f07:1126:0:43:6f73:7461]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by (Postfix) with ESMTPS id 2DC273A0C38 for <>; Sat, 21 Nov 2020 18:14:20 -0800 (PST)
Received: (qmail 21600 invoked from network); 22 Nov 2020 02:14:18 -0000
DKIM-Signature: v=1; a=rsa-sha256; c=simple;; h=date:message-id:from:to:cc:subject:in-reply-to:mime-version:content-type:content-transfer-encoding:cleverness; s=545e.5fb9c97a.k2011; bh=52PlwGT2bfgBMl5uOKDGbvErcGpAKz6EPfw0rQyzHdU=; b=m/kjyELDcz+e3a3Uq3sjh2rTtSX8cZas4b6tZRUE9poKMgXT/JhXQ+X/ZZxvAw3RP5iEV7y5IOpAn1uIf5KUEHtnkbvWb5ufQH8/a5NVAuARCyjShMv/C8ZrQITjxejmpUlXCyLdaCX4BY+JBPMR7oF4dVIl0YopPgtcBXM3SPG/pYKP5M+MFJkC8DVvzvNPuoX8PH+8myrOlxfymVJO/sw0i4+T1FCTscNnlNLIStqakVYyzOVgncaSMpepqqK9p998la4OkXU5I/xlnuA+WW0A3AYpfh4R4AA9xrIAVorGji4kVO7vvRW4vDH/v8GcaME9hukTjLvQ02t4J62dCg==
DKIM-Signature: v=1; a=rsa-sha256; c=simple;; h=date:message-id:from:to:cc:subject:in-reply-to:mime-version:content-type:content-transfer-encoding:cleverness; s=545e.5fb9c97a.k2011; bh=52PlwGT2bfgBMl5uOKDGbvErcGpAKz6EPfw0rQyzHdU=; b=ZMmf6Fq7X2Tr/OUrltzFZT/LlAZyK2lIOHRydbcgfXJEatryPyDssDKmXlUlfvYkiI1xeEbI93Up+gyhJ6PHIoz0rjfpTfuZKY5ywkW+YcZoiqPNAJWRhWtfIrDo55ImrllZCr046HdfNlhPISlwmLbR7Rvn/mnNU9xVMeeYEjxCdixLAngoaJvtiMZgVwa/Ni2cuSuCEsB32sZrGraQ/sMDZdLa7UADKxOUwps/hSb2BIrJdhDKaKx7G0b0Ooa8zG4jO+GG2UNiKz7nrjcKpj6eRajzA8qykXCbBn5mJwyMiwUyPMtAIiq+v7g3tlLZoH73QNssmSiwi80WzzdaPg==
Received: from ary.qy ([IPv6:2001:470:1f07:1126::78:696d:6170]) by ([IPv6:2001:470:1f07:1126::78:696d:6170]) with ESMTPS (TLS1.2 ECDHE-RSA AES-256-GCM AEAD) via TCP6; 22 Nov 2020 02:14:18 -0000
Received: by ary.qy (Postfix, from userid 501) id B5E6E27B3E59; Sat, 21 Nov 2020 21:14:17 -0500 (EST)
Date: 21 Nov 2020 21:14:17 -0500
Message-Id: <20201122021417.B5E6E27B3E59@ary.qy>
From: "John Levine" <>
In-Reply-To: <>
Organization: Taughannock Networks
X-Headerized: yes
Cleverness: minimal
Mime-Version: 1.0
Content-type: text/plain; charset=utf-8
Content-transfer-encoding: 8bit
Archived-At: <>
Subject: Re: [dmarc-ietf] ARC questions
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "Domain-based Message Authentication, Reporting, and Compliance \(DMARC\)" <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Sun, 22 Nov 2020 02:14:23 -0000

In article <> you write:
>If I'm a receiver who is going to be making some filtering decisions 
>based on ARC, I see that it passed by some authenticator along the way 
>which is fine, but my question is why I should trust that intermediary 
>in general?

The short answer is that you shouldn't, any more than you should trust
random DKIM signatures.

When people were designing ARC, it seemd overcomplicated to me. Large
mail systems know where all the mailing lists are so why not just
whitelist them and be done with it? The answer is that legit lists
leak a lot of spam and it is common for a formerly well-behaved list
to start spewing spam. Most lists do little filtering beyond verifying
that the From: address is a subscriber, so when a spambot steals an
address book that contains both the list address and some subscribers
to that list, a lot of spam leaks through.

ARC lets recipient systems do retroactive filtering that the
forwarding system didn't. For example, although the overall error rate
of rejecting mail due to SPF -all or DMARC p=reject can be high, on
incoming mail to mailing lists both are quite reliable since the kind
of forwarding that breaks them is rare in that context. If I ever get
around to adding ARC checks to my filters, that's the sort of thing
I'll be looking for.

This also means that ARC isn't useful if you don't have a reputation
system to tell you where the lists and other forwarders that might add
legit ARC signatures are. There's been some handwaving about how we
might come up with shared DNSWLs of mailing list hosts, but it hasn't
happened yet.