Re: [dmarc-ietf] ARC questions

Brandon Long <> Tue, 24 November 2020 23:25 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 0982A3A03EE for <>; Tue, 24 Nov 2020 15:25:09 -0800 (PST)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -17.599
X-Spam-Status: No, score=-17.599 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_MED=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, ENV_AND_HDR_SPF_MATCH=-0.5, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001, USER_IN_DEF_DKIM_WL=-7.5, USER_IN_DEF_SPF_WL=-7.5] autolearn=ham autolearn_force=no
Authentication-Results: (amavisd-new); dkim=pass (2048-bit key)
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id 5nOsTsD06mgu for <>; Tue, 24 Nov 2020 15:25:07 -0800 (PST)
Received: from ( [IPv6:2607:f8b0:4864:20::e2a]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by (Postfix) with ESMTPS id 0C2E53A02DC for <>; Tue, 24 Nov 2020 15:25:07 -0800 (PST)
Received: by with SMTP id m16so223707vsl.8 for <>; Tue, 24 Nov 2020 15:25:06 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=vtsP6+5wY3foiFxCRzGKxe/cBPmQNHkHkrOa+vfUSGc=; b=FlHxPQOEDUlgDzcE/meXD/0Gw3wF3boUaB80vaI3+pGlTsbKtDJPFvYxmXVDZ/kSQy eFCwMAqS3k6MMg1S9hnBzTmKZL2XOwUOyRhitlwtt9cIEtpqjZNkxxcA05dAXxLbC7tC 3chQfgYqKfiuQC/HmopduTxuLmO9o0L7bM3A3EtEVAOlC+WL9N7v7/6rwnpz695Cr2j0 KkM4U/6PwkWmlutzC3pVO2cv9LpMorSDTvTXjuwpQ3AGiMphB/B13gueDnq4sXYzNj9P 77DGo8eLaDYms5J+Maj+EWXjCGPzr2OgVcdAdm9+qV+ik1qfEI4B02eeLayDbo4RVjHH VIpw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=vtsP6+5wY3foiFxCRzGKxe/cBPmQNHkHkrOa+vfUSGc=; b=J1zbhcAGvmnlr3UO9Zn7fFWtK7ZhV+Z5PUM7LIFW6V7phAThwt312NezMZhQi7/RC0 O1FU7gXYmwHrvEHXBOG+oBhkjxBXTmX3VcBhofjQhsdAaNLJLB/ua0Wrfr0OgzcsQ7qB DcVs67vrclUa1+atYnFgtzi205kxH56GIz3v27hEXjgYAZmeTfsE7S1Jh4QrAbx0U1Aw uPpJqW2iTwodJudJ3dcd+2tYiW7pgc9PUuElYP+ABQEVZgUQDv2x0ET3iHiF3teCcuv5 +iM4pPMFBScUdSt4ENfAebtyj/06m7lJwcNCOSILqMYCCQCInqhJyz4e+spGlMK7d70e K9ew==
X-Gm-Message-State: AOAM5322s3Pk6ORf+zJ8mT0bJykey9OFTlE7PZYuTMoyp7Ec3PZAbGI0 QQRPzWQIMLEn+56daNJ0AACcY9zgKcDh9uuu1D/L38ymCQ==
X-Google-Smtp-Source: ABdhPJx7YLTIt16LaeboQ0/T/OU+b//6o7vQ42khgGS5UaFK0Crm2mYTZdqA4ZmfVQ2Wp5/VRS42qxyTxvu4ovz6ZxE=
X-Received: by 2002:a67:df8b:: with SMTP id x11mr403818vsk.37.1606260305638; Tue, 24 Nov 2020 15:25:05 -0800 (PST)
MIME-Version: 1.0
References: <20201124020453.AFDC027CE5C8@ary.qy> <>
In-Reply-To: <>
From: Brandon Long <>
Date: Tue, 24 Nov 2020 15:24:52 -0800
Message-ID: <>
To: Michael Thomas <>
Cc: John Levine <>, IETF DMARC WG <>
Content-Type: multipart/alternative; boundary="000000000000efbb4b05b4e29e61"
Archived-At: <>
Subject: Re: [dmarc-ietf] ARC questions
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "Domain-based Message Authentication, Reporting, and Compliance \(DMARC\)" <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Tue, 24 Nov 2020 23:25:09 -0000

On Tue, Nov 24, 2020 at 2:49 PM Michael Thomas <> wrote:

> On 11/23/20 6:04 PM, John Levine wrote:
> > In article <> you write:
> >> What I'm struggling to understand is what having authenticated auth-res
> > >from a previous hop helps. this is what i found:
> >
> > See some of the previous messages. My usual example is a mailing list
> > message that fails DMARC at the final recipient but passed DMARC (as
> > recorded in AAR) when it arrived at the list. This lets the final
> > recipient distinguish between real messages from subscribers and mail
> > from spambots that happened to scrape both the list address and some
> > subscribers' address and sends mail to one pretending to be from the
> > other. (That definitely happens, I've seen it on lists I'm on.)
> >
> > I agree that the ARC document does not do a great job of explaining that.
> >
> >> It would be kind of nice to understand what gap ARC actually plugs and
> >> why it's important if you ask me. Also: there seem to be a lot of ways
> >> to achieve this, but this one is probably the most complicated one that
> >> I can envision.
> > If you want to pass the A-R results through multiple rounds of
> > forwarding, you can't do much less.
> Sorry, changing the auth-res to old-auth-res and dkim signing the
> message would be completely sufficient, and far easier to understand
> with a lot less bloat. All of this hand wringing about dozens of message
> manglers in the path before it get to the destination and not be able to
> figure out which auth-res was which seems wildly out of proportion for
> what the normal case is: 1 message mangler in the path before it arrives
> at the receiver's domain. Just like this message right here. That's why
> I asked how common that was, which was dismissed, but not answered.

Note that this was exactly what we started with,
and with Google's implementation signing that with X-Google-DKIM-Signature.

Our version didn't just sign with DKIM-Signature because of the reasons
already stated in this
thread, that our understanding of how DKIM-Signature was being used made it
a poor choice.

Our experience also showed that more than one hop is quite common in
enterprise deployments,
and those are also the places where the most complexity arises.  Others
shared our experience
as well.

You say that your message had 1 mangler in the path, but really you don't
know that.  It is
likely that some people on this list are on enterprise accounts who are
behind mangling inbound
gateways (rewriting urls to go through safety checking hops is common, for
example).  Or maybe
they are on with University accounts using exchange but forward their mail
to a personal or department
gmail account.

It may be that ARC is too complicated, that other, simpler, solutions would
have worked for 90% of cases
and would have been better than what we've got (From rewriting), and that
the real pain for receivers having
lots of hops should be borne by those receivers.