Re: [dmarc-ietf] A policy for direct mail flows only, was ARC questions

Alessandro Vesely <> Tue, 01 December 2020 10:38 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 4638A3A10CD for <>; Tue, 1 Dec 2020 02:38:00 -0800 (PST)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -4.421
X-Spam-Status: No, score=-4.421 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, NICE_REPLY_A=-0.001, RCVD_IN_DNSWL_MED=-2.3, RCVD_IN_MSPIKE_H3=-0.01, RCVD_IN_MSPIKE_WL=-0.01, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: (amavisd-new); dkim=pass (1152-bit key)
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id bKsjfpy3gDc1 for <>; Tue, 1 Dec 2020 02:37:58 -0800 (PST)
Received: from ( []) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by (Postfix) with ESMTPS id 5D1623A10CC for <>; Tue, 1 Dec 2020 02:37:57 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=delta; t=1606819075; bh=HBwoI3ZVUDVIVWGkPhVhb0hrIlJyYoe6h0oSfF0BkMU=; l=3350; h=To:Cc:References:From:Date:In-Reply-To; b=BHw12sE3w4XIP+LkuQdwcIeP+TOcH6GIwH8DPzak/B8kUmX4vaOXmaBXdrV/e7lQQ AEL81rTCJJoiriFflx+DY/QDQoH+qq7HfV6B9rFVdwELiPpQG0i83k9KGFR5pVKa4A Kk8CzHVhx278r03uJtKqXI9flMiach0ewRs4artjS2f1JlAr76QB9q/RWSPMh
Authentication-Results:; auth=pass (details omitted)
Original-From: Alessandro Vesely <>
Original-Cc: IETF DMARC WG <>
Received: from [] (pcale.tana []) (AUTH: CRAM-MD5 uXDGrn@SYT0/k, TLS: TLS1.3, 128bits, ECDHE_RSA_AES_128_GCM_SHA256) by with ESMTPSA id 00000000005DC02A.000000005FC61D03.00002FEE; Tue, 01 Dec 2020 11:37:55 +0100
To: Brandon Long <>
References: <e9166148b9564102a652b4764b4f61ff@com> <> <> <> <> <> <>
From: Alessandro Vesely <>
Message-ID: <>
Date: Tue, 1 Dec 2020 11:37:54 +0100
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Thunderbird/68.12.0
MIME-Version: 1.0
In-Reply-To: <>
Content-Type: text/plain; charset=us-ascii
Content-Language: en-US
Content-Transfer-Encoding: 7bit
Archived-At: <>
Subject: Re: [dmarc-ietf] A policy for direct mail flows only, was ARC questions
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "Domain-based Message Authentication, Reporting, and Compliance \(DMARC\)" <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Tue, 01 Dec 2020 10:38:00 -0000

On Tue 01/Dec/2020 05:56:46 +0100 Brandon Long wrote:
> On Thu, Nov 26, 2020 at 12:59 AM Alessandro Vesely <> wrote:
>> On 25/11/2020 20:16, Michael Thomas wrote:
>>> On 11/25/20 11:11 AM, Alessandro Vesely wrote:
>>>> On 25/11/2020 19:24, Jesse Thompson wrote:
>>>>> On 11/25/20 11:30 AM, Alessandro Vesely wrote:
>>>>>> Without resorting to ARC, it is still possible to validate author
>>>>>> domain's signatures directly if the MLM just adds a subject tag
>>>>>> and a footer>>>>>
>>>>> I agree that ARC isn't really needed to do this (trust the last hop
>>>>> from the MLM and determine the original authenticity from the MLM's
>>>>> perspective)>>>>
>>>> I didn't mean to trust the MLM.  I meant remove the subject tag and
>>>> the footer, then the original DKIM signature verifies.  See:
>>> When I was at Cisco, with l= and some subject line heuristics I could get
>>> probably like 90+% verification rate across the entire company, a company that
>>> uses external mailing lists a lot. Definitely not 100% though.
>> DKIM itself is not 100%.  You always have lines beginning with "From " or
>> occasional autoconversions.
>> l= doesn't cover multipart/alternative nor Content-Transfer-Encoding: 
>> base64. In addition, the DKIM spec discourages its usage and suggests
>> that "Assessors might wish to ignore signatures that use the tag.">>
> Right, some of the other dkim-light or diff concepts we discussed would be
> better than using l=
> We again got hung up on the 100% solution, though... something that handled 
> subject-prefix and footer in a transport agnostic way might have worked.

I'm not clear about the meaning of "100%".  If an author domain puts no DKIM signatures, there is no way to verify them.  Hence, some compliance of the author domain has to be required.

The same holds for conditional signatures.

The same holds for MLM transformations.

> The fact that DKIM isn't transport agnostic is an achilles heel to even
> that, though, since we'd have to come up with a new canonicalization and get
> it to widespread adoption before the simple diff could work.

As DKIM works in the vast majority of cases (yes, not 100%, but nearly), the idea to discombobulate it for the sake of a meagre set of old-fashioned individuals who still dislike mass social media is a showstopper.  Yet, since DMARC standardization itself avails of mailing lists, we may want to get some coherence.

> Or require mailing lists to be a lot more strict in how they do their email
> rewriting, but I imagine that's harder work than even ARC.

They are quite strict already.  For example, I received the message I'm replying to in both my top and dmarc folders.  Both copies of the message have the correct From:.  The MLM copy was authenticated like so:

  dkim=pass reason="Original-From: transformed" (whitelisted);
  dkim=pass (whitelisted)
  dkim=fail (signature verification failed, whitelisted)

From: restoring is documented here: