Re: [dmarc-ietf] ARC questions

Michael Thomas <> Wed, 02 December 2020 23:30 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 941053A15FA for <>; Wed, 2 Dec 2020 15:30:10 -0800 (PST)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -1.652
X-Spam-Status: No, score=-1.652 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HEADER_FROM_DIFFERENT_DOMAINS=0.249, NICE_REPLY_A=-0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=no autolearn_force=no
Authentication-Results: (amavisd-new); dkim=pass (2048-bit key)
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id dovppe2unYSd for <>; Wed, 2 Dec 2020 15:30:09 -0800 (PST)
Received: from ( [IPv6:2607:f8b0:4864:20::1031]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by (Postfix) with ESMTPS id D92243A15FC for <>; Wed, 2 Dec 2020 15:30:05 -0800 (PST)
Received: by with SMTP id e5so57021pjt.0 for <>; Wed, 02 Dec 2020 15:30:05 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=20150623; h=subject:to:cc:references:from:message-id:date:user-agent :mime-version:in-reply-to:content-transfer-encoding:content-language; bh=frJndGBg4PljdPRXFB1KqYuhqqDFqbuyeJjhznmBtNo=; b=vvoZ+Loew2ueICysZfzHi5UwJ3jXLN5dX+kyHN3HI91ZMJWMq7cym6dw1XQ9zaHvar KWobHhYgPlIURrzw5+sM1lArZM0+S8zElTI9oJicfts5VpsuYtc3kGzpFO58DlGQMzji +Bshah0JzXltImvCLjzUhHXHOLYvfA/Hk9lwY5XD904cTcBo4UfTKvenfFv3yLyBc4k3 l61UDIWK7HRcdixAnDYx7zJLZaO3qcbPOwkG48uqCoMDIJVhcBndL82W/JflTPy4EB9S VydV+ABOODKddInyT2i5+/cTXS1B66NWYHF/Auh1UqRkxB/+H5T//oXYkKWqXolceqkS Y3Nw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=20161025; h=x-gm-message-state:subject:to:cc:references:from:message-id:date :user-agent:mime-version:in-reply-to:content-transfer-encoding :content-language; bh=frJndGBg4PljdPRXFB1KqYuhqqDFqbuyeJjhznmBtNo=; b=VGzj3IYpDnfKOxHHOBvlPC5Rl2UZRiU+pFuWtw1YQhxeAzvTsBzqEtETwQfKa01Twt 18oW5glz5BM5SXq4v1bkFStlyppI9zH8iKhiu0CD7aBAQys59Lnc9mz0T64qymNuRJ2a KslbZywMkCLT4Yo9LwZZHsl27as+8d9bCe4GPbMt7EMFqs6/Eu5vfR0umlfg+eygg81h qnYw/YMNPdnUPo0AmU31RMjuBK/7t7C/GTYpP52YfI97EPTIovNvjmRMJAqxiefyYnmb 97ThJaIe6eFDAHhPUBo4ZG87o61csFEtu/Ex9pvRN0J9KRfRGKWSVOjdM1jE8lOV9OKt eVbQ==
X-Gm-Message-State: AOAM530dUJVHp8wabcixnDGLPCjPeoZKT08gK6Tus4aFML8E1Rwj4sLT n/1T4bYrbhLK6wQWt/9nu1rg0LKqSFCEuQ==
X-Google-Smtp-Source: ABdhPJzQUtiWyUp4dVxdii6hT+h4YBukyVaoJ5846n5Di6IUaEwxKrufF/3Atxm7lejww+dr4k5xIw==
X-Received: by 2002:a17:90a:c4f:: with SMTP id u15mr287214pje.177.1606951804840; Wed, 02 Dec 2020 15:30:04 -0800 (PST)
Received: from mike-mac.lan ( []) by with ESMTPSA id x7sm158495pfn.85.2020. (version=TLS1_3 cipher=TLS_AES_128_GCM_SHA256 bits=128/128); Wed, 02 Dec 2020 15:30:04 -0800 (PST)
To: John R Levine <>, Brandon Long <>
References: <20201124020453.AFDC027CE5C8@ary.qy> <> <> <> <> <> <> <> <> <> <> <> <>
From: Michael Thomas <>
Message-ID: <>
Date: Wed, 2 Dec 2020 15:30:01 -0800
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:78.0) Gecko/20100101 Thunderbird/78.5.0
MIME-Version: 1.0
In-Reply-To: <>
Content-Type: text/plain; charset=utf-8; format=flowed
Content-Transfer-Encoding: 8bit
Content-Language: en-US
Archived-At: <>
Subject: Re: [dmarc-ietf] ARC questions
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "Domain-based Message Authentication, Reporting, and Compliance \(DMARC\)" <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Wed, 02 Dec 2020 23:30:11 -0000

On 12/2/20 2:53 PM, John R Levine wrote:
>> Which could trivially be added as an extension to DKIM and Auth-Res 
>> negating the need for the Seal altogether since DKIM can directly 
>> sign the old (renamed) auth-res. I can understand for an experiment 
>> not wanting to touch dkim or auth-res, but for something standards 
>> track less is more.
> I still don't get it.  I suppose the ARC group could have done 
> something to register extra tags for DKIM-Signature and A-R and tried 
> to do something about the fact that if a message passes through the 
> same network twice, the first A-R will be deleted, and try and find 
> and turn off all of the places where mailing lists helpfully delete 
> DKIM signatures that no longer are valid, and what they came up with 
> wouldn't work a whole lot worse than ARC does.
> But why bother?  The IANA header field registry currently has 419 
> entries. Why is it a crisis if it increases to 422 rather than 420?

It does a lot more than that:

1) It adds two new signatures to an already existing DKIM signature that 
mailing lists add

2) It adds a new security mechanism (Seal) and adds a new attack 
surface, when the old (renamed) auth-res could just be DKIM-signed which 
has been thoroughly vetted

3) It adds a lot more bloat to the headers

4) Signing is a *far* more expensive operation than verifying, and you 
negated any supposed advantage by adding two new signatures to verify 
for lists that unhelpfully strip the original signature

I see a lot of anecdotes and speculation going on here and very little 
hard data. This has been going on for at least a year. Since this is an 
experiment, that is very worrying. More worrying is that I can't get a 
straight answer on what exactly the value is of the mailing list's 
auth-res is to filtering decisions. That seems to be the lynchpin to all 
of this, but from what I'm seeing it's like an article of faith.