Re: [dmarc-ietf] ARC questions

Michael Thomas <> Wed, 02 December 2020 20:13 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id EE3513A1550 for <>; Wed, 2 Dec 2020 12:13:50 -0800 (PST)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -1.65
X-Spam-Status: No, score=-1.65 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HEADER_FROM_DIFFERENT_DOMAINS=0.249, HTML_MESSAGE=0.001, NICE_REPLY_A=-0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=no autolearn_force=no
Authentication-Results: (amavisd-new); dkim=pass (2048-bit key)
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id 2ahATtv24AJE for <>; Wed, 2 Dec 2020 12:13:48 -0800 (PST)
Received: from ( [IPv6:2607:f8b0:4864:20::433]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by (Postfix) with ESMTPS id 0F3C33A1568 for <>; Wed, 2 Dec 2020 12:13:47 -0800 (PST)
Received: by with SMTP id o9so1940878pfd.10 for <>; Wed, 02 Dec 2020 12:13:47 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=20150623; h=subject:to:cc:references:from:message-id:date:user-agent :mime-version:in-reply-to:content-language; bh=R4Fc1Eybq3Tga7SsXo5PIDScEkn3zlnp3jAuzQ0GJiQ=; b=JU+GTAJSNF81FARGXk14F3dvnaPBMlqeTvTV2PGmKuEIEx9vx1y2Qs1r3DxQGuUZIG Bz3+jWW0K+I9y3GREzFIjH7LFbllf+AH8+j0wCTmS455dABN+UNpGN80d3RBx3o6FaTT kMkgtkk284yblkalj+GBawsnNe3Qx2YwL4NJIprsqZ4/vZvOpkgmrxlz72XpSCKIaRfI 53XSC42/FxcNGihsvcFso1x42SBP442613MsHfjyRYodkvzSskPWWiHxJSU74yo1us7Q hDXSKCu2mwIms8HP0GV8q/wwzV1MJ6s4EJ4kolwwtshrvJnuSjOt2zUr51nFljoqR92E 9xNA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=20161025; h=x-gm-message-state:subject:to:cc:references:from:message-id:date :user-agent:mime-version:in-reply-to:content-language; bh=R4Fc1Eybq3Tga7SsXo5PIDScEkn3zlnp3jAuzQ0GJiQ=; b=pZzqVFB22+7ZXL3pxUCSLSBbPQh6aDJ6pXoU8BmgK7aSuoA0zfea9y/b5kOeLoJu4U N8P0Q3BMPs/0JDeMOcNSOkpjVy+s4NUd1eK6nKhtrS/WYMe+O12GDonp31tciGZnHONX e67e3bFNcf7LiCEhhvboTH/ghG0kwmPjem7wWeNbV6ORR/ANVYMBIRftUiaOqo1WXgYb PzyeQd2mSlBsFrN0G5R2a9D+3MEzQGzzTCpkjv1+e+FlDNPHORwBK638Gejesn5LzlF/ L36xA4tXN4K9F/1KbfM9Hkh+vWndXSGd58Ixb+tY2q+5mq7txnhbRfirQCSTRyGF5+Ib 4BYA==
X-Gm-Message-State: AOAM530GmY6oTopLwazQmnTh9FYvn4Ep12RRptqwh9Qfw4C1/MLCf1E+ l/6CxzOE6MY7E70AFWtfVqQi3HtWFySjZQ==
X-Google-Smtp-Source: ABdhPJwZ/Fn0NBOxQV6gv/WOL4qirotOs/cy0cLjO9Pu9bqSKBfECWOGxv9HImy7r4kQPsAnNOdVQA==
X-Received: by 2002:a62:1942:0:b029:197:e232:cfd4 with SMTP id 63-20020a6219420000b0290197e232cfd4mr4142615pfz.53.1606940026946; Wed, 02 Dec 2020 12:13:46 -0800 (PST)
Received: from mike-mac.lan ( []) by with ESMTPSA id l66sm519933pgl.24.2020. (version=TLS1_3 cipher=TLS_AES_128_GCM_SHA256 bits=128/128); Wed, 02 Dec 2020 12:13:46 -0800 (PST)
To: Brandon Long <>
Cc: John Levine <>, IETF DMARC WG <>
References: <20201124020453.AFDC027CE5C8@ary.qy> <> <> <> <> <> <>
From: Michael Thomas <>
Message-ID: <>
Date: Wed, 2 Dec 2020 12:13:44 -0800
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:78.0) Gecko/20100101 Thunderbird/78.5.0
MIME-Version: 1.0
In-Reply-To: <>
Content-Type: multipart/alternative; boundary="------------BDD9B3FB7F2111D02A8AE5C8"
Content-Language: en-US
Archived-At: <>
Subject: Re: [dmarc-ietf] ARC questions
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "Domain-based Message Authentication, Reporting, and Compliance \(DMARC\)" <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Wed, 02 Dec 2020 20:13:51 -0000

On 11/30/20 9:43 PM, Brandon Long wrote:
> To summarize what I said already in this thread, DKIM is taken by many 
> receivers as the responsible party for a message, in both spam and 
> phishing classifiers, with the latter being perhaps more relevant.
> DMARC is the one example of that.  DKIM signing a message that 
> transits your system allows for reputation washing of the original 
> message.  The ARC chain is specified as a relay responsibility, which 
> is a lesser burden.
> Ignoring the existing usage of DKIM, DKIM+A-R would only work for a 
> single hop, and lead to some complication compared to the other DKIM 
> signatures already on the message.

Wait, what? a DKIM signatures survives until it encounters an 
intermediary that alters the message in a breaking manner. 
Arc-Signatures are no different in that respect. In fact as far as I can 
tell they are identical modulo the i= difference.

> DKIM is not the only thing that can be reputation washed, SPF can as 
> well.  821.FROM rewriting is more common, so there are work-arounds.  
> OTOH, SPF doesn't survive forwarding, but with ARC you can forward 
> it.  DKIM+A-R would only work for a single hop, and lead to some 
> complication compared to the other DKIM signatures already on the message.

>     So <> is now hosted by gsuite (::sigh::),
>     so you're saying that it would run into problems? I haven't put up
>     a DMARC policy, but if I did I might run into issues with false
>     positives? Like I said, I'm trying to get my head around what the
>     actual problems are, and this is coming from a person who stressed
>     mightily from the very beginning about the mailing list problem.
> It's unlikely you have a complicated mail flow involving multiple 
> vendors, but certainly there are plenty of configuration options 
> alllowing folks to shoot themselves in the foot.

By definition a message hitting the front door of the destination domain 
(via an MX record) sees the DKIM signatures in the message and can 
process them at that point, or at some point before other manglers get a 
hold of the message. I don't see why we should care at all about what 
happens beyond the destination domain's front door because that's their 
problem not ours. The entire point of DKIM is the inter-domain case, not 

> With ARC, we can instead say "trust this arc admd" and have the data 
> passed directly, and also work around the DKIM breakage.

But ARC suffers the same breakage with the ARC-Signature. And if the 
ARC-Signature is broken, you can't trust the sealed data because that's 
a trivial cut and paste attack as far as I can see. So I'm just not 
seeing how this is any better than just a plain old DKIM-Signature with 
the old auth-res renamed and signed since you can already for 15 years 
trust signing intermediaries or not.

> As for another comment in the thread about adding two signatures per 
> hop, there was a suggestion that it could be replaced with a single 
> signature per hop near last call with some loss of information 
> (maybe), but it was decided to move forward with the existing solution 
> that already had several implementations and was experimental anyways.
As I said elsewhere, since this is an active experiment and it's already 
been a year, it might be good to start documenting what the experiment 
is teaching us. I still after many messages have no clue what what ARC 
does that DKIM+old-auth-res cannot beyond tying the authres and 
signature together. It would be nice to know in a quantitative way why 
that is important, as well as any other things that cannot be done with 

In fact since I expect that most signature breaking intermediaries DKIM 
resign the messages (and if they don't thay aren't going to do ARC 
either), it would be very simple to chronicle how the two approaches 
differ in efficacy. The same reputation look for ARC can be done for 
DKIM too, after all.

BTW: i can understand not wanting to touch DKIM or AUTH-RES proper for 
an experiment, but a standards track document should really consider 
just adding the binding tag to DKIM and Auth-res. They were both 
designed to be able to do that.