Re: [dmarc-ietf] ARC questions

[Todd Herr <todd.herr@valimail.com>]

On Mon, Nov 23, 2020 at 9:50 AM Joseph Brennan <brennan@columbia.edu> wrote:

>
>> On Sat, Nov 21, 2020 at 7:14 PM John Levine <johnl@taugh.com> wrote:
>>
>>>
>>>
>
>> This also means that ARC isn't useful if you don't have a reputation
>>> system to tell you where the lists and other forwarders that might add
>>> legit ARC signatures are.
>>>
>>
>>
> And if you know which hosts are legit mailing lists or forwarders, you
> already know what ARC would tell you.
>
>
I believe, though, that the intent of ARC is that it be scalable in ways
that manual enumeration of known legit mailing lists and forwarders is not.

Standard authentication protocols (SPF, DKIM, DMARC) are fine for direct
mail flow. When the message arrives at its destination, the receiver can
check authentication protocols and apply handling rules for a message based
on its past history with the authenticated identities associated with that
message.

For indirect mail flows, messages might not pass such checks at their final
destination, but it's possible that they did pass those checks on an
intermediate hop. As Michael said in his original post,  ARC 'allows
intermediaries to say "this is
what it looked like to me at this point [and before i messed it]".'

The question with ARC then becomes, does the final destination trust the
results reported in the ARC header set(s), and it's kind of a complicated
question. If I as the final destination trust the ARC header set(s), I'm
saying that I believe the reported results with no real way to
independently verify the results, meaning that I can't do direct DKIM
validation or SPF checking using standard tools; if I could, there'd be no
need for ARC.

I suppose that an approach to building up an ARC reputation might be one
where over time a receiving site can compare indirect mail flow that is
purported to have X as an authenticated identifier with mail that comes
direct to the receiving site with X as an authenticated identifier. That
is, if direct mail with X as an authenticated identifier generally hits Y
on my internal reputation scale, does indirect mail that is ARC-signed by Z
to have X as an authenticated identifier also generally hit Y on my
internal reputation scale? If so, great; I can trust Z as an ARC signer.

The devil is in the details, though. If mail through Z doesn't generally
hit Y, then what explains the variance? If it's for most or all values of
X, then it's probably because Z is a bad actor. If it's hitting Y for most
values of X but not for all, is it because those particular mail streams
are ones that are still legitimate from an authentication perspective, but
aren't of the same quality due to reasons, or is Z engaging in some
elaborate scheme using valid mail as legit shields to get its nasty payload
through in the noise? If variances can be dealt with in a way that doesn't
require too much manual intervention, then perhaps there's hope here. Even
at that, such a system would need to be bootstrapped with some list of
manually enumerated known good intermediaries, but over time it could
theoretically grow organically based on data collected.

I don't believe the above challenges are insurmountable (says the guy who
hasn't had operational responsibility for a mail system in over a decade)
but I'm not in a position to assign the necessary resources to solve this
problem at each site that has an interest in doing so.

-- 

*Todd Herr* | Sr. Technical Program Manager
*e:* todd.herr@valimail.com
*p:* 703.220.4153


This email and all data transmitted with it contains confidential and/or
proprietary information intended solely for the use of individual(s)
authorized to receive it. If you are not an intended and authorized
recipient you are hereby notified of any use, disclosure, copying or
distribution of the information included in this transmission is prohibited
and may be unlawful. Please immediately notify the sender by replying to
this email and then delete it from your system.