IETF Logo Mail Archive

Re: [dmarc-ietf] ARC questions

Brandon Long <blong@google.com> Mon, 23 November 2020 19:50 UTC

Return-Path: <blong@google.com>
X-Original-To: dmarc@ietfa.amsl.com
Delivered-To: dmarc@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 0096F3A0DAC for <dmarc@ietfa.amsl.com>; Mon, 23 Nov 2020 11:50:02 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -15.699
X-Spam-Level:
X-Spam-Status: No, score=-15.699 tagged_above=-999 required=5 tests=[DKIMWL_WL_MED=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, ENV_AND_HDR_SPF_MATCH=-0.5, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001, USER_IN_DEF_DKIM_WL=-7.5, USER_IN_DEF_SPF_WL=-7.5] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=google.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 8NkhBEBwpaZ4 for <dmarc@ietfa.amsl.com>; Mon, 23 Nov 2020 11:50:00 -0800 (PST)
Received: from mail-ua1-x934.google.com (mail-ua1-x934.google.com [IPv6:2607:f8b0:4864:20::934]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 6901B3A0DAB for <dmarc@ietf.org>; Mon, 23 Nov 2020 11:50:00 -0800 (PST)
Received: by mail-ua1-x934.google.com with SMTP id r23so6059123uak.0 for <dmarc@ietf.org>; Mon, 23 Nov 2020 11:50:00 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=VayGHdhMaNcxuLtKeWBv9pgQHX/0m0ophukUUKfgk2A=; b=A/AJOyKwScxB/UQNHZYqI0Vpm8hS8st5lTsT/1zDor8ZmQ9/OWHwEaSk/a0wptSXJL JJpyGkqpmwnYMkB73z4Yh2oPySD3LOMCkyGfBUZfTrEfSbidZmnofh8kButAkXpM/eb4 bpbnmrawEfL9PcuWAlykot41QJM+ylRjNmRzdSlDYGZysO4KgQDaaM6gFSgPf32XIeul nzOP+VZaXIfQdZL9lNHczvTZxdISL7bziqlx0wMY3milWcUoMYjmxgpHP5BDP6ruPtGA dwFc42QYN4uSig10Orfov6DPZfsuMKIz3l2voSVy5+C3R/vijfJ88a3y54wMPNaRwUUp 6NSQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=VayGHdhMaNcxuLtKeWBv9pgQHX/0m0ophukUUKfgk2A=; b=PhxaP+IisNOgo646zI8EE56dVhzQi6E9a7PB70yUn7ffTxHBKVhF3yRVGb/rfpTjc3 CLRVj9qNavwnxa8H9UJtm+4DGUNSPl0Rn/YyBIUGhnvlpbQjHbfykg2H0I6AYAWb34Uq I2T9glDE9IQZZ6uilhtbjOivbz/fgB1tZq3RlIrd8Xk5cJpToh/v5XnwqpvbmRZEqcPD 92U3JuBx+YxRgNnx14UP3SPrVeIzU/MvPx/Xc6C6+88NRAgZKVVkC24o6NolVBxXp6dz bzM7l3t/FrZrcTuMS1idZpTv0uk36JQ+Oun0F+atHvcL6xNFoWZxogDP3YB0tFS6jVNB Cf4A==
X-Gm-Message-State: AOAM532WLw9GHoBCaGBVCTaVnt+rEELkOS3XBjlDlsk3VubX3UG6zq8p Ii+xlYtb+WAiZ+LXlSVET0kpMBC96va5nmQ03Lt1
X-Google-Smtp-Source: ABdhPJxTy7h+u4sRyMPSO6mG3BBs1L+7fGQS7RBEAr64iKLUXEA9IMBO4vkSscHvdjyRgB2eoRXXIa/Xza64huZl+Xs=
X-Received: by 2002:ab0:21da:: with SMTP id u26mr1167959uan.92.1606160999342; Mon, 23 Nov 2020 11:49:59 -0800 (PST)
MIME-Version: 1.0
References: <dcc265f9-a143-5093-eba0-94ee059c7cc7@mtcc.com> <20201122021417.B5E6E27B3E59@ary.qy> <CABuGu1pX=5ZC4RLsv19qrosRN9nCrPdeSk5Xg4O7ViEZit6dnA@mail.gmail.com> <453c4db4-fc62-dc76-5b15-707623d66f9f@mtcc.com> <64f18b-ae8-8c15-3d33-ff2d864c35bc@taugh.com> <884541e6-5076-7f8f-d1d2-d68ea9c5a2bc@mtcc.com> <8fa2d88c-55df-aa8e-932f-8f7bc97d741@taugh.com> <77854271-296a-b4f6-202e-c085036289d4@mtcc.com> <feac41f-6144-2e21-c3fa-2b7770bfeefc@taugh.com> <30ecfcdf-a90a-7e1d-8241-64df3332089f@mtcc.com>
In-Reply-To: <30ecfcdf-a90a-7e1d-8241-64df3332089f@mtcc.com>
From: Brandon Long <blong@google.com>
Date: Mon, 23 Nov 2020 11:49:46 -0800
Message-ID: <CABa8R6tQmaLRQe459=2qAEvJNY6_n_NK1DRxve4dwjy6DFuD0g@mail.gmail.com>
To: Michael Thomas <mike@mtcc.com>
Cc: John R Levine <johnl@taugh.com>, "dmarc@ietf.org" <dmarc@ietf.org>
Content-Type: multipart/alternative; boundary="000000000000d1e40405b4cb7f6c"
Archived-At: <https://mailarchive.ietf.org/arch/msg/dmarc/u3Lq9Y-5k-8f7o5SiOkGQhkkN3E>
Subject: Re: [dmarc-ietf] ARC questions
X-BeenThere: dmarc@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "Domain-based Message Authentication, Reporting, and Compliance \(DMARC\)" <dmarc.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dmarc>, <mailto:dmarc-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dmarc/>
List-Post: <mailto:dmarc@ietf.org>
List-Help: <mailto:dmarc-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dmarc>, <mailto:dmarc-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 23 Nov 2020 19:50:02 -0000

On Mon, Nov 23, 2020 at 11:46 AM Michael Thomas <mike@mtcc.com> wrote:

>
> On 11/23/20 11:28 AM, John R Levine wrote:
> >> From what I can tell, the main thing that ARC is doing is binding an
> >> auth-res to a dkim signature-like thing. But as I recall -- it's been
> >> a long time -- there were ordering requirements ala received headers
> >> for where new dkim-signatures and auth-res go in the header. Assuming
> >> my memory is correct, that means you can reconstruct "what this
> >> looked like before i messed with it" already by signing the incoming
> >> auth-res as part of the new DKIM signature.
> >>
> >> Is there something more going on here?
> >
> > Not really.  There are ordering rules but mail systems do not follow
> > them reliably, DKIM signatures in practice are not ordered.  Also, A-R
> > can be deleted in some situations, so ARC makes copies of them to be
> > more robust in transit.
> >
> If auth-res is sometimes deleted, why wouldn't we expect the arc
> auth-res to not be deleted too?
>
> I imagine that the vast majority of intermediaries that break signatures
> number exactly one extra domain, so it's not very hard to reconstruct
> the chain of custody from origin to destination. Assuming the
> intermediary resigns with the incoming auth-res, the destination can
> choose to believe that auth-res or not, right? Since this is an
> experiment, do we have an idea of what the rest of the problem is after
> the typical mailing list-like signature breakers are excluded?
>

No, as in the RFC says to remove them, so it's a standard part of
implementation.

RFC 7601 4.1:

> instances of the header field that appear to originate within the ADMD but

are actually added by foreign MTAs will be removed before delivery.


That's very different than "just maybe it might be removed"

Brandon

v2.23.0 | Report a Bug | By Email