Re: [dmarc-ietf] ARC Dependency?

2023-03-26 Thread Douglas Foster
The real quirk is that Microsoft is using ARC for something for which it was never intended. I am open to fixing ARC to support what they want to do, but their current implementation only exposes how easily an attacker can misuse ARC to "authenticate" his own stuff. If ARC is to be used to add

Re: [dmarc-ietf] ARC Dependency?

2023-03-26 Thread Douglas Foster
Welcome back, Hector. ARC has important differences from ATPS. ARC allows a forwarder to request trust from an evaluator, depending upon the level of trust that the evaluator is willing to grant to the intermediary. The originator is not involved. The evaluator may be able to use ARC data to

Re: [dmarc-ietf] ARC Dependency?

2023-03-26 Thread Douglas Foster
Seth, your link led me to this link: https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/email-authentication-dmarc-configure?view=o365-worldwide#how-microsoft-365-utilizes-authenticated-received-chain-arc Which says, "Microsoft 365 currently utilizes ARC to verify

Re: [dmarc-ietf] ARC Dependency?

2023-03-26 Thread Hector Santos
Wouldn’t it be far easier to add the trusted 3rd party domains in some DNS table or lookup, ala an ATPS-like protocol? The RFC5322 ARC overhead is horrendous. Never mind the complexity evolved to implement. > On Mar 24, 2023, at 7:17 PM, Seth Blank wrote: > > Microsoft is using ARC quite

Re: [dmarc-ietf] ARC Dependency?

2023-03-25 Thread Mark Alley
There have been noticeable quirks with the method that Microsoft has attempted ARC implementation (regarding outbound sealing). For enterprise/business tenants, these customers have full control over their mail routing (such as, say, sending outbound mail through a third party spam filter or

Re: [dmarc-ietf] ARC Dependency?

2023-03-24 Thread Benny Pedersen
Seth Blank wrote on 2023-03-25 00:17: Microsoft is using ARC quite heavily, and has reported on this list and at M3AAWG of the impact it makes. Microsoft even has on their public roadmap that tools are being built for their customers to enable per-customer sealers that they choose to trust:

Re: [dmarc-ietf] ARC Dependency?

2023-03-24 Thread Seth Blank
Microsoft is using ARC quite heavily, and has reported on this list and at M3AAWG of the impact it makes. Microsoft even has on their public roadmap that tools are being built for their customers to enable per-customer sealers that they choose to trust:

Re: [dmarc-ietf] ARC Dependency?

2023-03-24 Thread Steven M Jones
On 3/24/23 3:48 AM, Douglas Foster wrote: Do we know if any entity other than Google is successfully using ARC as an evaluation tool? FWIW: In late 2021 a "German company" reported that it was able to "recover" about 10% of messages that had failed other authentication checks by

[dmarc-ietf] ARC Dependency?

2023-03-24 Thread Douglas Foster
This question is mostly for the chairs: Does completion of DMARCbis have any dependency on whether ARC is successful or not as an evaluation tool? Do we know if any entity other than Google is successfully using ARC as an evaluation tool? Doug Foster