On Mon, 21 Aug 2017, at 10:04, Hector Santos wrote:
> On 8/20/2017 7:47 PM, Bron Gondwana wrote:
>> On Mon, 21 Aug 2017, at 09:34, Hector Santos wrote:
>>> On 8/18/2017 8:53 PM, Bron Gondwana wrote:
>>> 
>>>   ...
>>> 
>>>   And the message still arrives at receiver with a valid ARC chain,
>>>   just via badsite.com instead of site3.com.
>>> 
>>> 
>>> The same receiver?  If so, wouldn't this be a duplicate message when
>>> the same receiver can see the same 5322.Message-Id?
>> 
>> There is nothing stopping you changing the 5322.Message-Id - it's not
>> encoded in the AS or AAR.
> 
> It is protected by the original DKIM-Signature. Message-Id is pretty
> high on the recommended hashed header list.
> 
> But if the original DKIM signature was lost, all bets are off and
> nothing else matters unless ARC is attempting to replace DKIM which
> you just illustrated it is quite easy to create alternate paths, even
> when it's not all to the same final destination.

Right - so how exactly does that help, given that you've modified the
message since then?  You could easily change the message-id at the same
time.  If the original DKIM-Signature still passes then sure, you can't
modify anything.  But then you don't need ARC anyway.

If the DKIM signature allowed you to tell that some of the protected
headers were unchanged while allowing others to change, then it would
mean something - but the whole point of ARC is for when DKIM doesn't
validate any more, and if DKIM doesn't validate any more then the
message-id can be spoofed too.

Bron.

--
  Bron Gondwana, CEO, FastMail Pty Ltd
  br...@fastmailteam.com


_______________________________________________
dmarc mailing list
dmarc@ietf.org
https://www.ietf.org/mailman/listinfo/dmarc
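
An added illustration of the point argued in this thread (not code from the thread or from any ARC implementation): it lists which signature headers name a field in their h= tag, and treats Message-ID as usable for duplicate detection only when a signature covering it was reported valid. The sample message, its domains, and the `passing` input (results supplied by an external verifier) are constructed assumptions.

```python
import re
from email import message_from_string

# Constructed sample. b=/bh= values are placeholders, not real signatures,
# and the ARC-Message-Signature is built so that its h= omits message-id.
SAMPLE = """\
ARC-Seal: i=1; a=rsa-sha256; cv=none; d=site2.example; s=arc; b=PLACEHOLDER
ARC-Message-Signature: i=1; a=rsa-sha256; d=site2.example; s=arc;
 h=from:to:subject:date; bh=PLACEHOLDER; b=PLACEHOLDER
ARC-Authentication-Results: i=1; site2.example; dkim=pass header.d=site1.example
DKIM-Signature: v=1; a=rsa-sha256; d=site1.example; s=sel;
 h=from:to:subject:date:message-id; bh=PLACEHOLDER; b=PLACEHOLDER
From: alice@site1.example
To: list@site2.example
Subject: hello
Date: Mon, 21 Aug 2017 10:04:00 +1000
Message-ID: <constructed-1@site1.example>

body
"""

# ARC-Seal is scanned too, but it carries no h= tag, so it never covers a field.
SIG_HEADERS = ("DKIM-Signature", "ARC-Message-Signature", "ARC-Seal")

def tags(value):
    """Parse a DKIM-style tag list ('k=v; k=v') into a dict, ignoring folding."""
    out = {}
    for part in re.sub(r"\s+", "", value).split(";"):
        if "=" in part:
            key, val = part.split("=", 1)
            out[key] = val
    return out

def coverage(msg, field):
    """Return [(header, d=, i=)] for each signature whose h= lists `field`."""
    hits = []
    for name in SIG_HEADERS:
        for value in msg.get_all(name, []):
            t = tags(value)
            signed = [h.lower() for h in t.get("h", "").split(":")]
            if field.lower() in signed:
                hits.append((name, t.get("d"), t.get("i")))
    return hits

def dedupe_key_trusted(msg, passing):
    """passing: set of (header, d=) pairs an external verifier reported valid."""
    return any((n, d) in passing for n, d, _ in coverage(msg, "message-id"))
```
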
