Re: [dmarc-ietf] ARC questions

Michael Thomas <> Mon, 23 November 2020 22:04 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id CD8723A134F for <>; Mon, 23 Nov 2020 14:04:28 -0800 (PST)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: 0.25
X-Spam-Status: No, score=0.25 tagged_above=-999 required=5 tests=[DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HEADER_FROM_DIFFERENT_DOMAINS=0.249, HTML_MESSAGE=0.001, NICE_REPLY_A=-0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=no autolearn_force=no
Authentication-Results: (amavisd-new); dkim=pass (2048-bit key)
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id m4Ovpg8xKVtB for <>; Mon, 23 Nov 2020 14:04:27 -0800 (PST)
Received: from ( [IPv6:2607:f8b0:4864:20::635]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by (Postfix) with ESMTPS id 55E7F3A134D for <>; Mon, 23 Nov 2020 14:04:27 -0800 (PST)
Received: by with SMTP id t18so9577040plo.0 for <>; Mon, 23 Nov 2020 14:04:27 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=20150623; h=subject:to:references:from:message-id:date:user-agent:mime-version :in-reply-to:content-language; bh=eQFHYmQy1AiCEsCizLiXazaLaGFTJpUzaVThKvfxj9s=; b=Vk4kpVnvLnhztUDOvbapVl14Pj5hTIu3BuBBFr2GBEt54fIB3yqS8RHb3xib+Slflz vO+oOnbERGJuaPcnqq12+wJytt41qrjChCayuz1Deww7s1w2DJnFMORg8Q9TEQMy/86J uvv+ilaMgfuQMnV903BvLmpecQ7lWLBhp9vjTHS1icTzBK8V9SBsuJZyoR+i2UTpTmfP cH8Y3O5GE5Vmbfbjdafv4upMd/G3oKSA843TLqgE4WbimBYYyzTtrwDBbxbJ/a3/HWgq lDFU4t9fAjAUzTVQIaLDz6FmqTZzOBhiHOc8iqVl37/IA8uv0WxTWyhRVc46vm/ZihlY 8CCA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=20161025; h=x-gm-message-state:subject:to:references:from:message-id:date :user-agent:mime-version:in-reply-to:content-language; bh=eQFHYmQy1AiCEsCizLiXazaLaGFTJpUzaVThKvfxj9s=; b=mxprv1VvCdOnQg17bbjOOSahGpuLcysUWNsXz1oLTOLo9az6QY90iYxjw698MDePLv zW8Nf/PoR8+ZNLfqJ7QvrsGt8FRG1uwWZJK4ijBLDeb6IDGr2opjrhn1rwZR0D1N6svq elki6fAYUrNgLVWDwHRPcKE7o1vx+o7YTFAPwuHnky8gf3c6gPh9luHU1dHpCulCl0wC c6Zm+Xk1NU6WSGoz1EQHa1h5+9sD4gJDPctKA5E++ayi1eal6l8IkJrkhygvehW2ZlbL A4AV7pbKOzl6XGeXTDt38UcVWYNaP4NV8mKhFquPpAc1VXJPcAh1E+wv33lcLMRGMKwK uing==
X-Gm-Message-State: AOAM531zp5vYEFkprSdBLYehYGXO3pO6CBgKCjLpQA2IcfG61RHJT0Gf xwTREJP3kyb2l3KhyWINQiHcxeXzwL6wYw==
X-Google-Smtp-Source: ABdhPJxfGRs8up/z1VPOEAAi8AeKz8QIWsXz52YY+z/CeCibQEdYhnTb8/OydGAeV1RxRi2FwJpJXw==
X-Received: by 2002:a17:902:9a0c:b029:d6:c6a3:66f with SMTP id v12-20020a1709029a0cb02900d6c6a3066fmr1311207plp.52.1606169066342; Mon, 23 Nov 2020 14:04:26 -0800 (PST)
Received: from mike-mac.lan ( []) by with ESMTPSA id 85sm2953857pfv.197.2020. for <> (version=TLS1_3 cipher=TLS_AES_128_GCM_SHA256 bits=128/128); Mon, 23 Nov 2020 14:04:25 -0800 (PST)
References: <> <20201122021417.B5E6E27B3E59@ary.qy> <> <> <> <> <> <> <> <> <> <>
From: Michael Thomas <>
Message-ID: <>
Date: Mon, 23 Nov 2020 14:04:24 -0800
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:78.0) Gecko/20100101 Thunderbird/78.4.3
MIME-Version: 1.0
In-Reply-To: <>
Content-Type: multipart/alternative; boundary="------------37AF7787E71271789491BC20"
Content-Language: en-US
Archived-At: <>
Subject: Re: [dmarc-ietf] ARC questions
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "Domain-based Message Authentication, Reporting, and Compliance \(DMARC\)" <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Mon, 23 Nov 2020 22:04:29 -0000

On 11/23/20 12:48 PM, Dave Crocker wrote:
>> This recent article also goes into things that DKIM signatures imply:
>> <>
> The level of condescension, ignorance, and error throughout that 
> article is impressive.  Given that it was written by someone whose 
> profession requires extreme care about complex matters, the level of 
> carelessness in the article is especially unfortunate.
> Conveniently, he put his biggest error in bold font:
>      "*DKIM provides a life-long guarantee of email authenticity that 
> anyone can use to cryptographically verify the authenticity of stolen 
> emails, even years after they were sent."*
> DKIM does no such thing.

Yeah, that was pretty bad. "DKIM can be used to verify a piece of mail 
due to operator practices, but there are absolutely no guarantee that a 
signature will verify in the future due to those same practices."

> ps. making sure that DKIM signature become invalid  relatively soon -- 
> I think that removing the keys is simpler and just as effective as 
> publishing the private keys -- seems like a reasonable suggestion.
Stephen Farrell is threatening to write an ID on the subject of 
publishing private keys. Frankly the stakeholders -- providers and users 
-- are not very well aligned on when where and why a provider would do 
such a thing. And writing an ID to say how to invalidate key when just 
unpublishing old selectors when you rotate keys is an easy second best 
shows that inertia is the actual issue, not the technical shortcoming.