The real quirk is that Microsoft is using ARC for something for which it
was never intended. I am open to fixing ARC to support what they want to
do, but their current implementation only exposes how easily an attacker
can misuse ARC to "authenticate" his own stuff.
If ARC is to be used to add
Welcome back, Hector. ARC has important differences from ATPS.
ARC allows a forwarder to request trust from an evaluator, depending upon
the level of trust that the evaluator is willing o grant to the
intermediary. The originator is not involved. The evaluator may be able
to use ARC data to
Seth, your link led me to this link:
https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/email-authentication-dmarc-configure?view=o365-worldwide#how-microsoft-365-utilizes-authenticated-received-chain-arc
Which says,
"Microsoft 365 currently utilizes ARC to verify
Wouldn’t it be far easier to add the trusted 3rd party domains in some DNS
table or lookup, ala an ATPS-like protocol? The RFC5322 ARC overhead is
horrendous. Never mind the complexity evolved to implement.
> On Mar 24, 2023, at 7:17 PM, Seth Blank wrote:
>
> Microsoft is using ARC quite
Count| Bytes | Who
++---
14 ( 100%) | 159741 ( 100%) | Total
4 (28.6%) | 71568 (44.8%) | Wei Chuang
3 (21.4%) | 33298 (20.8%) | Douglas Foster
1 ( 7.1%) | 13727 ( 8.6%) | Mark Alley
1 ( 7.1%) | 12113 ( 7.6%) | Dotzero
1 ( 7.1%) |
