Re: [dmarc-ietf] ARC questions

Douglas Foster <> Wed, 25 November 2020 03:27 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id BE5F93A0E6B for <>; Tue, 24 Nov 2020 19:27:14 -0800 (PST)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -2.097
X-Spam-Status: No, score=-2.097 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: (amavisd-new); dkim=pass (2048-bit key)
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id kEk9xJJ0MaFQ for <>; Tue, 24 Nov 2020 19:27:12 -0800 (PST)
Received: from ( [IPv6:2607:f8b0:4864:20::e32]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by (Postfix) with ESMTPS id 9CBAD3A0E54 for <>; Tue, 24 Nov 2020 19:27:12 -0800 (PST)
Received: by with SMTP id l22so481005vsa.4 for <>; Tue, 24 Nov 2020 19:27:12 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to; bh=qbXXO2FDgwjPLBdufR4wIswDdXsONQZapWfb+CvxZV4=; b=a8Ypo6L+lOVM9HIef/Vs6J3IdKaFS47AeSm1aDQFf3KtsP4NH0vXgUz82ffMi/+EgL IxL/VrnCu68ZQSpW5J13058K/73DGRKEs5NHdxSLOYsy+EYHrDzSi2wFpVHQ7xspvDWM LllGxw5Kbqb7WL5hH3YITnXSk3SlzsoQVoBDKqvVebcAFdeIhgw5eidzSIymCy9wWJ4v 9aCNowPq968ksbNlYFgf8TehGf3RZFx0ImJ8MpAAiQg3lKvB1esaPbuR0jSiBb5JEBr/ kxwKMAiD9/9Pz5D+whbZMEJ9dUAS32nf7lhaB8okEuJZ95T0KqdIYHJ5Y1/qzWfmb6o7 mgAg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to; bh=qbXXO2FDgwjPLBdufR4wIswDdXsONQZapWfb+CvxZV4=; b=Bzjn/HNbT2csGrtBlo00K+3s1JBzhflDmcVv6BPfRs+AeNqzGlrVHsUhx4ZQeX1Ey+ Sd1ZkDFUCtMnO5ZgCfDzXZ4HCEkSNQoI96VbzJ//WKS/i7Sd8Z5m1AhIP/XAVmpEj5To S61Vz3dFjvg0aI10S3tDrYSD7nrvd6G+eeiCKtOPWiSEMkECluf2YYsCrUeeIJZlZTLn dCsGZFbtxiL79xVVQ6a5ZRyWM+P9cIepOubOjEF4tch1ce1u94QI5M6EgBBwgv9IDHiR EPTbDJAVjgKSowstBwwuCMfEidpZBd+x5fGSEGGR9V7YwmDSHSxZtSfEl64frxWTh6Pu nZXQ==
X-Gm-Message-State: AOAM5313GqjnrRRFknD3ilvpWyxTqug2DWal/Fb12kluFc9Xog40FRJ4 09A/gRgc1cb4QHu3EOoZ0V7W+KUTRUPZhjjIotw=
X-Google-Smtp-Source: ABdhPJxliinAWmudK71OW2hq4T+lxHgDLRnIJavnKG6/feGqO9VdAZDT/N6l8qwefWhZD2CelkYMO5Swsj97VKcteqM=
X-Received: by 2002:a67:2084:: with SMTP id g126mr805785vsg.42.1606274830747; Tue, 24 Nov 2020 19:27:10 -0800 (PST)
MIME-Version: 1.0
References: <20201124020453.AFDC027CE5C8@ary.qy> <> <> <>
In-Reply-To: <>
From: Douglas Foster <>
Date: Tue, 24 Nov 2020 22:27:00 -0500
Message-ID: <>
To: Michael Thomas <>,
Content-Type: multipart/alternative; boundary="000000000000b2ccd805b4e600a8"
Archived-At: <>
Subject: Re: [dmarc-ietf] ARC questions
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "Domain-based Message Authentication, Reporting, and Compliance \(DMARC\)" <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Wed, 25 Nov 2020 03:27:15 -0000

Michael, I think the purpose is stated well enough:   Mailing lists want to
keep adding their content to messages, without being blocked by
recipients.   This means that they have to provide recipients with enough
information for them to accept the forwarded content.   Google and
Microsoft seem to be on-board with this project, so it seems pretty
successful already.   This train is not easily stopped.

As to the technical pieces:
- Unvalidated data, which includes the entire Received header chain, is
only useful for blacklisting.   A spammer will fabricate any header content
that he thinks will get his garbage through your spam filter.

- The recipient filter needs to be convinced that the submitting MTA is not
lying and that the submitting MTA has not been duped.   Digital signatures
are the only tool we have for validating forwarded content.   Since the
goal is favorable treatment, digital signatures are necessary.

- Interlocking signatures are needed to get around the problem of DKIM
signatures being damaged by mid-stream content changes.

As John said early on, this all works in conjunction with private knowledge
that decides who you believe is not lying.   Google and Microsoft have that
kind of data.

In my opinion, ARC does leave a lot of unanswered questions about how you
use the data that ARC provides.   Again, the big organizations have the
brain power at their disposal to figure that out for themselves, later.

It seems like a lot of software logic to create an ARC set, even more code
to parse it, and even more code to use it intelligently.   This is a big
problem if you are trying to write the code yourself, but a small problem
if you have a big programming organization.

The email market is moving to a few large organizations that provide
hosting for most everyone, a few other large cloud services that provide
filtering for much of the remainder, and then everybody else.   Smaller
organizations are stuck with lousy vendor options or custom development,
neither of which is entirely satisfactory.   ARC may not be the right
solution for smaller organizations with fewer development resources, but
80% of the world needs the big organizations to be successful, and the
mailing lists need the big organizations to be accepting of their product.
 ARC seems to meet those important goals.

Doug Foster

On Tue, Nov 24, 2020 at 6:57 PM Michael Thomas <> wrote:

> On 11/24/20 3:24 PM, Brandon Long wrote:
> On Tue, Nov 24, 2020 at 2:49 PM Michael Thomas <> wrote:
>> Sorry, changing the auth-res to old-auth-res and dkim signing the
>> message would be completely sufficient, and far easier to understand
>> with a lot less bloat. All of this hand wringing about dozens of message
>> manglers in the path before it get to the destination and not be able to
>> figure out which auth-res was which seems wildly out of proportion for
>> what the normal case is: 1 message mangler in the path before it arrives
>> at the receiver's domain. Just like this message right here. That's why
>> I asked how common that was, which was dismissed, but not answered.
> Note that this was exactly what we started with,
> X-Original-Authentication-Results
> and with Google's implementation signing that with X-Google-DKIM-Signature.
> Our version didn't just sign with DKIM-Signature because of the reasons
> already stated in this
> thread, that our understanding of how DKIM-Signature was being used made
> it a poor choice.
> Sorry, I didn't see that. Pointer?
> Our experience also showed that more than one hop is quite common in
> enterprise deployments,
> and those are also the places where the most complexity arises.  Others
> shared our experience
> as well.
> That's more than one modifying intermediary in *separate* administrative
> domains? Within your own administrative domain there shouldn't be an issue
> of trust since you can trust your own servers auth-res and that they are
> not maliciously trying to forge an auth-res for better treatment. and
> course it's best to stop a bad message as soon as possible in the mail
> pipeline if for no other reason than why waste the resources.
> You say that your message had 1 mangler in the path, but really you don't
> know that.  It is
> likely that some people on this list are on enterprise accounts who are
> behind mangling inbound
> gateways (rewriting urls to go through safety checking hops is common, for
> example).  Or maybe
> they are on with University accounts using exchange but forward their mail
> to a personal or department
> gmail account.
> Well sure, I'm sure it can happen but is it common enough to worry about?
> And I'm still not convinced that figuring out who signed what and which
> auth-res it belonged to is in insurmountable problem. for one, there are
> received headers which better not be getting out of order to help correlate
> with the messages' path through intermediary verifiers too.
> Mike
> _______________________________________________
> dmarc mailing list