Re: [dmarc-ietf] ARC vs p=quarantine

Alessandro Vesely <vesely@tana.it> Mon, 21 December 2020 17:27 UTC

To: dmarc@ietf.org
References: <1e61f7c4-c6d2-5dab-dfc7-f1fd740e1d0d@tana.it> <20201219194954.BF87E2ADF1FB@ary.qy> <CAJ4XoYfx=qRyARbcf7m8T6+_2hJKifgAoBXBdfmqGucanrUJfw@mail.gmail.com> <9b7cc1c9-e031-4ef8-8d92-2c16cc4fa073@tana.it> <dd6c5588-8e84-5f90-931-51b4dd4c27cc@taugh.com> <ceaf2e324f8cf042b1b31621c79d5d59@junc.eu> <a8218ce4-cd73-dec4-44a0-b77eb0546a14@mtcc.com> <496c92bc02e75c2d7b02365d9dd0cf38@junc.eu>
From: Alessandro Vesely <vesely@tana.it>
Message-ID: <8c6c4f7f-4a95-cd2b-306e-83a50dcde385@tana.it>
Date: Mon, 21 Dec 2020 18:27:04 +0100

On Mon 21/Dec/2020 01:52:11 +0100 Benny Pedersen wrote:
> On 2020-12-20 23:07, Michael Thomas wrote:
>> On 12/20/20 2:01 PM, Benny Pedersen wrote:
>>>
>>> hopefully mailing lists stop dkim signing, it's the incorrect place to solve 
>>> breaking dkim
>>
>> Sorry, ARC is warmed over DKIM, and an experiment. DKIM is a full
>> internet standard and expressly intended for lists, etc. to re-sign if
>> they broke the original DKIM signature. We have always had the ability
>> to do reputation checks regardless of ARC. I'm not sure when this wg
>> lost sight of that.
> 
> only original senders should dkim sign, the rest should only arc sign, I don't have 
> to agree on anything other than that, if mailing lists dkim sign they try to steal 
> the original dkim private key without success, and there is possibly a solution 
> to dmarc adsp handling this break
> 
> seeing ietf do 3 dkim signs just to be sure it does not work


For the message I'm replying to, I got:

Authentication-Results: wmail.tana.it;
   spf=pass smtp.mailfrom=ietf.org;
   dkim=pass reason="Original-From: transformed" (whitelisted) header.d=junc.eu;
   dkim=pass (whitelisted) header.d=ietf.org
     header.b=GUNfiCpP;
   dkim=fail (signature verification failed, whitelisted) header.d=ietf.org
     header.b=IIMQxhd+

Two out of three is not bad, is it?  If IETF only did ARC seals, I'd probably have 
verified no signature at all, since I don't run ARC checks.


Best
Ale
--
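An added example, not the poster's code nor any library's, that parses the Authentication-Results header quoted in this message (RFC 8601 syntax) and checks DMARC alignment against a From domain: the original author's junc.eu, and ietf.org as the list's rewritten From. It also models a receiver that lacks the Original-From handling and runs no ARC checks; org_domain is a two-label stand-in for a Public Suffix List lookup.

```python
import re

# Constructed copy of the Authentication-Results header quoted in the message
# (folded lines joined into one value, CFWS comments kept as they appeared).
AUTH_RESULTS = (
    "wmail.tana.it; spf=pass smtp.mailfrom=ietf.org; "
    'dkim=pass reason="Original-From: transformed" (whitelisted) header.d=junc.eu; '
    "dkim=pass (whitelisted) header.d=ietf.org header.b=GUNfiCpP; "
    "dkim=fail (signature verification failed, whitelisted) header.d=ietf.org "
    "header.b=IIMQxhd+"
)

def parse_auth_results(value):
    """Parse an RFC 8601 value into (authserv-id, [(method, result, props), ...])."""
    authserv, _, rest = value.partition(";")
    results = []
    for stmt in rest.split(";"):
        # strip the quoted reason and any parenthesised comment before tokenising
        stmt = re.sub(r'reason="[^"]*"', "", stmt)
        stmt = re.sub(r"\([^)]*\)", "", stmt).strip()
        if not stmt:
            continue
        tokens = stmt.split()
        method, _, result = tokens[0].partition("=")
        props = dict(tok.split("=", 1) for tok in tokens[1:] if "=" in tok)
        results.append((method, result, props))
    return authserv.strip(), results

def org_domain(domain):
    # Simplification: the last two labels stand in for a Public Suffix List lookup.
    return ".".join(domain.lower().split(".")[-2:])

def aligned_passes(from_domain, results, relaxed=True):
    """Methods whose passing identifier aligns with the RFC5322.From domain.
    An empty list means DMARC fails and the domain's policy (e.g. p=quarantine) applies."""
    ident_prop = {"dkim": "header.d", "spf": "smtp.mailfrom"}
    hits = []
    for method, result, props in results:
        ident = props.get(ident_prop.get(method, ""), "")
        if result != "pass" or not ident:
            continue
        if ident.lower() == from_domain.lower() or (relaxed and org_domain(ident) == org_domain(from_domain)):
            hits.append(method)
    return hits

def drop_signer(results, domain):
    # Model a receiver that could not verify `domain`'s signature (no Original-From handling).
    return [r for r in results if r[2].get("header.d", "").lower() != domain]
```

With the junc.eu signature recovered, the author's domain aligns via DKIM; without it and without ARC, only a From rewritten to ietf.org still passes.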