On Wed 19/Apr/2023 15:50:54 +0200 Benny Pedersen wrote:
Alessandro Vesely wrote on 2023-04-19 11:09:

if all maillist did arc on incoming mails before mailman scraped dkim then all will be good, only left is dmarc is not in all places tests arc results

It is all too easy to spoof an ARC chain offering false authentication
results.

ARC chains are untrusted by default, where is the problem?


Just pointing out that "if all maillist did arc on incoming mails before mailman scraped dkim" then that is not enough.


Allowing ARC to override DMARC result requires the ARC
signer to be whitelisted.

whitelisted is not the right word for it, it's either trusted or untrusted


Yes, I meant to say a site can make a list of all the ARC-sealers they trust and call it a whitelist.


Now, one can object that whitelisting could be done by DKIM, by SPF,
by DNSWL, without the need to introduce a new, long-winded protocol.
However, ARC brings a couple of advantages:

1) In case of multiple forwarding steps, ARC delivers an ordered and
cohesive chain which is easier to verify than a messy mass of DKIM
signatures.

recipients should only care about dmarc, not dkim/arc/spf fails

to make this work dmarc must trust arc


Here I lost you. DMARC is a protocol. It cannot give credence or believe. It can pass or fail. It is receivers who can trust an ARC chain and override DMARC results; that is, allow the message even if dmarc=fail and p=reject.


Best
Ale
--



_______________________________________________
dmarc mailing list
dmarc@ietf.org
https://www.ietf.org/mailman/listinfo/dmarc
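
The receiver-side decision discussed in this message, as an added example that is not part of the original post or of any DMARC/ARC implementation: a chain that validates only proves who sealed it, so the override is allowed only when every sealer is on the site's trusted list. The function names, the trusted list and the sample message are constructed, cryptographic validation of the chain is assumed to be done upstream and passed in as `arc`, and requiring every sealer (rather than only the last) to be trusted is a policy assumption.

```python
import re
from email import message_from_string

TRUSTED_SEALERS = {"lists.example"}   # constructed: sealers this site chooses to trust

def seal_tags(value):
    """Parse the 'tag=value; ...' list of an ARC-Seal header (RFC 8617)."""
    pairs = (p.split("=", 1) for p in value.split(";") if "=" in p)
    return {k.strip(): "".join(v.split()) for k, v in pairs}

def arc_override(raw, dmarc, arc, trusted=TRUSTED_SEALERS):
    """True if the receiver may accept a DMARC-failing message on ARC evidence."""
    # dmarc and arc are the results of the receiver's own checks (assumed inputs).
    if dmarc != "fail" or arc != "pass":
        return False                      # nothing to override, or chain invalid
    msg = message_from_string(raw)
    seals = {}
    for value in msg.get_all("ARC-Seal", []):
        t = seal_tags(value)
        if not t.get("i", "").isdigit() or "d" not in t:
            return False
        seals[int(t["i"])] = t["d"].lower()
    # Instances must form an unbroken 1..n sequence.
    if not seals or sorted(seals) != list(range(1, len(seals) + 1)):
        return False
    # Anyone can seal a chain with their own key: every sealer must be trusted.
    if not all(d in trusted for d in seals.values()):
        return False
    # Use what the first hop recorded before the message was modified.
    for value in msg.get_all("ARC-Authentication-Results", []):
        if re.match(r"\s*i\s*=\s*1\s*;", value):
            return re.search(r";\s*dmarc=pass\b", value) is not None
    return False

def sample(sealer):
    """Constructed message carrying a one-hop ARC set sealed by `sealer`."""
    return (
        f"ARC-Seal: i=1; a=rsa-sha256; cv=none; d={sealer}; s=sel; t=1681900000; b=AAAA\n"
        f"ARC-Message-Signature: i=1; a=rsa-sha256; d={sealer}; s=sel; h=from:subject; bh=AAAA; b=AAAA\n"
        f"ARC-Authentication-Results: i=1; {sealer}; dkim=pass header.d=author.example;\n"
        " dmarc=pass header.from=author.example\n"
        "From: someone@author.example\nSubject: [list] hello\n\nbody\n"
    )
```

With `dmarc="fail"` and `arc="pass"`, the message sealed by `lists.example` is allowed through, while the identical chain sealed by an unlisted domain is not, even though it claims `dmarc=pass` for the original author.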
