From what I can tell, the main thing that ARC is doing is binding an auth-res to a dkim signature-like thing. But as I recall -- it's been a long time -- there were ordering requirements ala received headers for where new dkim-signatures and auth-res go in the header. Assuming my memory is correct, that means you can reconstruct "what this looked like before i messed with it" already by signing the incoming auth-res as part of the new DKIM signature.

Is there something more going on here?

Not really. There are ordering rules but mail systems do not follow them reliably, DKIM signatures in practice are not ordered. Also, A-R can be deleted in some situations, so ARC makes copies of them to be more robust in transit.

Regards,
John Levine, jo...@taugh.com, Taughannock Networks, Trumansburg NY
Please consider the environment before reading this e-mail. https://jl.ly

_______________________________________________
dmarc mailing list
dmarc@ietf.org
https://www.ietf.org/mailman/listinfo/dmarc

Reply via email to