On Sat, Jul 28, 2018, at 03:29, Seth Blank wrote:
> On Fri, Jul 27, 2018 at 10:21 AM, Murray S. Kucherawy
> <superu...@gmail.com> wrote:
>> On Fri, Jul 27, 2018 at 8:35 AM, Seth Blank
>> <s...@sethblank.com> wrote:
>>
>>> The verification algorithm is straightforward. If you receive a
>>> chain that ends with cv=fail stop your evaluation, you're done.
>>> There's no separate validation path here.
>>
>> Then why bother signing anything when you affix "cv=fail"?
>
> Because adding your ARC Seal over the chain guarantees that the
> receiver has a complete list of everyone who modified the message up
> until the failure.

No, this is wrong. I have detailed why this is wrong many times.

A single cv=fail means that there's no proof that the entire previous chain isn't just a valid set of ARC headers picked up from somewhere else with the serial numbers filed off and the entire message replaced with something else.

The only thing your ARC Seal will validate is your own ARC-Authentication-Results header - which isn't nothing (it could contain the IP address that you received this message from) - but if SPF / DKIM and ARC are all fails in your Authentication-Results, any earlier ARC and DKIM headers have no provable causal relationship with the rest of the message you received.

Bron.
-- Bron Gondwana, CEO, FastMail Pty Ltd br...@fastmailteam.com
_______________________________________________ dmarc mailing list dmarc@ietf.org https://www.ietf.org/mailman/listinfo/dmarc
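The point under discussion, as an added illustration that is not code from the thread, the IETF or FastMail: a structural ARC chain evaluator that follows the RFC 8617 rules (instances run 1..N, the first seal is cv=none, later ones cv=pass, and a cv=fail seal signs only its own ARC set) and reports which sets the newest seal actually binds. Signature verification is represented by caller-supplied booleans and the sample chains are constructed; `ArcSet`, `evaluate_chain` and `sample_results` are names chosen here.

```python
from dataclasses import dataclass


@dataclass
class ArcSet:
    instance: int      # the i= tag shared by the set's three ARC headers
    cv: str            # chain validation status on the ARC-Seal: none/pass/fail
    seal_valid: bool   # assumed outcome of verifying this set's ARC-Seal signature


def evaluate_chain(sets):
    """Return (chain_status, covered_instances).

    chain_status is what a verifier reports for the chain as a whole;
    covered_instances are the ARC sets whose headers the newest seal
    cryptographically binds to this message (the scope the thread argues over).
    """
    if not sets:
        return "none", set()
    chain = sorted(sets, key=lambda s: s.instance)
    # Instance numbers must be exactly 1..N with no gaps or duplicates.
    if [s.instance for s in chain] != list(range(1, len(chain) + 1)):
        return "fail", set()
    newest = chain[-1]
    if not newest.seal_valid:
        return "fail", set()
    if newest.cv == "fail":
        # A cv=fail seal covers only its own set (RFC 8617 section 5.1.1),
        # so nothing ties the earlier sets to this copy of the message.
        return "fail", {newest.instance}
    # A cv=pass/none seal covers every prior set, so all of them must check out.
    for s in chain:
        expected = "none" if s.instance == 1 else "pass"
        if s.cv != expected or not s.seal_valid:
            return "fail", set()
    return "pass", {s.instance for s in chain}


def sample_results():
    """Constructed chains: an intact one, one sealed with cv=fail, one with a gap."""
    intact = [ArcSet(1, "none", True), ArcSet(2, "pass", True)]
    failed = [ArcSet(1, "none", True), ArcSet(2, "pass", True), ArcSet(3, "fail", True)]
    gapped = [ArcSet(1, "none", True), ArcSet(3, "pass", True)]
    return {
        "intact": evaluate_chain(intact),   # ("pass", {1, 2})
        "failed": evaluate_chain(failed),   # ("fail", {3})
        "gapped": evaluate_chain(gapped),   # ("fail", set())
    }
```

The `failed` case is the situation in the thread: the cv=fail seal at i=3 verifies, but the only headers it vouches for are its own, so sets 1 and 2 carry no provable relationship to the message.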