Re: [dmarc-ietf] ARC questions

Dave Crocker <> Mon, 23 November 2020 20:48 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 668DD3A11F7 for <>; Mon, 23 Nov 2020 12:48:49 -0800 (PST)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -0.198
X-Spam-Status: No, score=-0.198 tagged_above=-999 required=5 tests=[DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, NICE_REPLY_A=-0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: (amavisd-new); dkim=pass (2048-bit key)
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id eEfzD7CeQsZ0 for <>; Mon, 23 Nov 2020 12:48:47 -0800 (PST)
Received: from ( [IPv6:2607:f8b0:4864:20::435]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by (Postfix) with ESMTPS id 914B63A11F5 for <>; Mon, 23 Nov 2020 12:48:47 -0800 (PST)
Received: by with SMTP id t8so16079613pfg.8 for <>; Mon, 23 Nov 2020 12:48:47 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=20161025; h=subject:to:cc:references:from:message-id:date:user-agent :mime-version:in-reply-to:content-language; bh=Iw7QSKPDqt6/55d83mOJrspmYjT4gDLVRyr++qF7Yyw=; b=kxHArBKZ807dtNzeR2F0ldH81TrgPiVXG5KhxHinJLyYf3uyzw45Vk3wp/cn6dYekT RkmWAhdcAVrKLBKbpnTeZOwjisFnnxTZ5dP4O9CW8bZ5N0jgwG1WtgZ3E5Pq74RjmrFn fR9daWbhGmQ83n12bZbJAD9kLIPROF1KK2ofVTIOPDxXLU7zEcKQXfduDxOi8br1sV2Z RwTBgnqsaSz6JAOBgUpanA8e5NwJYawEp2wP98sXsNZ2W3jELYHM6sK39KhPu5Nasfp+ zmHG3fowvSgVxlS+/6Qf8hFN3x8PS+6c4BSCz13AqUKMl1E/47wsJR01l5M0bXW5IRRw oyMQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=20161025; h=x-gm-message-state:subject:to:cc:references:from:message-id:date :user-agent:mime-version:in-reply-to:content-language; bh=Iw7QSKPDqt6/55d83mOJrspmYjT4gDLVRyr++qF7Yyw=; b=rIr2KNh8vqSfod+jB7UjeoEx8pNz3mLEPq8/LpWacw70zKIHBSoBb1X5xzG9w6azFf ESJ7LOXKT6cn4pd6+4M/DaqKuEUDzU4IpLL3IFNdIbbDkFv3kNJdG9zHmDCyntRgtgWF pYt3oZSQlExYNCVWalbGQhw1ek4dICtWP4ejS8UlIOyHYR8hkC72WXtWgm0dgzTfYeM/ qSJnUbGGnU0b/jz9Ab+joAjF2pK5SsXKRTpM4qtznn1qKnz3vqgYEjTtOJAHi0FdvPJx ya5OIeXYqoc9S6+zriZIPqqgyys4ujTybCxZRjgGEJ9SEZEPbTznq/WX3diOWkaGFEjg uj9A==
X-Gm-Message-State: AOAM532vqJZqdJcSY0WmUqw132d69lSSPm/IXRnb0mmkMC2FUJ+oWlJp s380cxgWZfnnIYBMmtzqJXKj9WEj+1s=
X-Google-Smtp-Source: ABdhPJyhXY54cGy5HZytJKqSXlU3Xqaw7DlLwsJViB5IbrK2o5FkMNO79cm3QeHvqsq+AuJ4TDw14g==
X-Received: by 2002:a63:1026:: with SMTP id f38mr1006542pgl.181.1606164526641; Mon, 23 Nov 2020 12:48:46 -0800 (PST)
Received: from [] ( []) by with ESMTPSA id a123sm12948662pfd.218.2020. (version=TLS1_3 cipher=TLS_AES_128_GCM_SHA256 bits=128/128); Mon, 23 Nov 2020 12:48:46 -0800 (PST)
To: Brandon Long <>
Cc: "" <>
References: <> <20201122021417.B5E6E27B3E59@ary.qy> <> <> <> <> <> <> <> <> <>
From: Dave Crocker <>
Message-ID: <>
Date: Mon, 23 Nov 2020 12:48:44 -0800
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:78.0) Gecko/20100101 Thunderbird/78.5.0
MIME-Version: 1.0
In-Reply-To: <>
Content-Type: multipart/alternative; boundary="------------A91EDDE04B19E6B2273AC11B"
Content-Language: en-US
Archived-At: <>
Subject: Re: [dmarc-ietf] ARC questions
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "Domain-based Message Authentication, Reporting, and Compliance \(DMARC\)" <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Mon, 23 Nov 2020 20:48:49 -0000

On 11/23/2020 12:15 PM, Brandon Long wrote:
> On Mon, Nov 23, 2020 at 11:53 AM Dave Crocker < 
> <>> wrote:
>     > Yes, of course, a handling agent can do it, but there are plenty
>     of reasons
>     > why they shouldn't.
>     Please enumerate and explain.  If it's that dangerous, we should
>     document it, especially I don't recall that constraint being in
>     any of
>     the design or standardization discussions.
> DKIM often ties a domain to reputation and other anti-spam features.  
> If you
> forward spam to another host and sign it while forwarding, then the 
> other host
> will think you send spam.

Well, ummm... errrr... yes.  That's because, in such circumstances, you do.

More significantly, the signature makes sure that such as an assessment 
will only be made accurately, rather than penalizing you for problematic 
mail that is attributed to you but that you did not handle.

> DMARC ties DKIM to the From header and at least is interpreted as being an
> anti-phishing feature.  DKIM signing mail that you forward could mean 
> upgrading
> a phishing message to passing DMARC.

I don't understand.  The first sentence makes sense to me, but the 
second doesn't.

" passing DMARC only applies if a) the signature matches 
the From: field domain, and b) that domain has an associated DMARC 
record.  But if you don't watch DMARC to apply in that case, what is the 
DMARC record there fore?

> This recent article also goes into things that DKIM signatures imply:
> <>

The level of condescension, ignorance, and error throughout that article 
is impressive.  Given that it was written by someone whose profession 
requires extreme care about complex matters, the level of carelessness 
in the article is especially unfortunate.

Conveniently, he put his biggest error in bold font:

      "*DKIM provides a life-long guarantee of email authenticity that 
anyone can use to cryptographically verify the authenticity of stolen 
emails, even years after they were sent."*

DKIM does no such thing.

and this was quickly followed by the normal-font:

    "The key design goal of DKIM was to prevent spammers from forging 
emails /while in transit/. "

This, too, is not what DKIM does.  DKIM provides a noise-free channel 
for assessing signers, not for detecting spammers.  The difference is 
important; and I claim fundamental.

ps. making sure that DKIM signature become invalid  relatively soon -- I 
think that removing the keys is simpler and just as effective as 
publishing the private keys -- seems like a reasonable suggestion.


> Perhaps this all means that DKIM has been used for more than it was 
> intended for.

"More than" suggests that the use has legitimacy.  It doesn't.

>     >      > Intermediaries don't want to take ownership of the
>     message in that
>     >      > sense, though there
>     >      > are some mailing lists that do.
>     >
>     >     Signing with DKIM does not take 'ownership'.
>     >
>     >
>     > Yes, responsibility is the proper word.  My point survives the
>     word change.
>     I disagree.
>     > DKIM says the domain takes responsibility for the message, while
>     ARC says
>     > the domain takes responsibility for evaluating the status of the
>     message
>     > when
>     > they received and forwarded it.
>     This implies that the word 'some' is irrelevant.  It isn't. And it
>     was
>     included intentionally.
> Automated systems can't really tell how much responsibility an 
> intermediary was
> intending to take for the message.

People who write them can.

> OTOH, they typically are using it only for a certain
> purpose, so they assume that the intermediary took responsibility in 
> the sense that they
> want... or rather, the people who wrote the code do.  Or the 
> journalist writing the story.
> ARC was specified to have a more specific responsibility,

Forgive me but I think that:

>     Authenticated Received Chain (ARC) creates a mechanism for individual
>     Internet Mail Handlers to add their authentication assessment to a
>     message's ordered set of handling results.

specifies a nature and responsibility pretty much identical to what DKIM 
claims.  The enhancements are a) chaining, and b) carriage of earlier 
assessments.  But in terms of 'responsibility', this reads the same as DKIM.

> and as different from DKIM so
> that it wasn't mistaken for the uses that people were already using 
> DKIM for.


Dave Crocker

Volunteer, Silicon Valley Chapter
American Red Cross