On Thu 17/Nov/2022 00:48:51 +0100 Roland Turner wrote:
> On 17/11/22 04:34, Alessandro Vesely wrote:
>> On Wed 16/Nov/2022 05:35:52 +0100 Roland Turner wrote:
>>>
>>> [ARC seals are] Not quite [enough], because they're not usually applied when a message is forwarded intact. One outcome of the proposed WG might be to specifically encourage all MLMs to ARC-sign, even if they don't break the author's DKIM signature, in this case to facilitate path reasoning in addition to coping with DKIM-breakage.
>>
>> Right.  It'd be enough to require SPF pass of the last element of the chain, besides AMS verification.  That proves the ARC chain itself is not being replayed.  To me, it doesn't sound like an exaggerated requirement.
>
> This is only true if the MTA hosting the MLM is the last element of the chain, which is not necessarily true.
>
> Their SPF record has to account for the IP address of their bastion host.
>
> It is also not the case that a forwarding MTA will always change the return path, meaning that there can quite reasonably be an SPF failure at this step for legitimate email.

Indeed, the correct sentence would be "to specifically encourage all /MTAs/ to ARC-sign even if they don't break signatures."  The requirement would only be needed for blindfolded messages, those whose recipients cannot be derived from the To:/Cc: fields.  However, only the MUA, which creates the envelope, and the final MX, which interprets local parts, can know whether a message is blindfolded.


Best
Ale
--
_______________________________________________
Ietf-dkim mailing list
Ietf-dkim@ietf.org
https://www.ietf.org/mailman/listinfo/ietf-dkim
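The rule debated above ("SPF pass of the last element of the chain, besides AMS verification") and the cases Roland raises against it, as an added example that is not part of this thread and not anyone's deployed code. It assumes the seals and the AMS have already been cryptographically verified, reduces SPF to ip4 networks in a constructed in-memory table, and uses made-up domains (lists.example.org for the MLM, forward.example.net for a bastion/forwarder) and documentation IP addresses; the header values, including the b=/bh= placeholders, are constructed.

```python
"""Policy model: accept an ARC chain only if the domain that added the LAST
seal also passes SPF for the IP that actually delivered the message.
Illustrative, not a full RFC 8617 / RFC 7208 implementation: signature
verification is assumed done, SPF is ip4 networks from a constructed table."""
import ipaddress
import re

# Constructed SPF data (stand-in for DNS TXT lookups): domain -> networks.
SPF_TABLE = {
    "lists.example.org": ["192.0.2.0/28"],        # the MLM's own MTA
    "forward.example.net": ["198.51.100.0/24"],  # a forwarding / bastion host
}
ARC_HEADERS = ("arc-seal", "arc-message-signature", "arc-authentication-results")
TAG_RE = re.compile(r"\s*([a-z]+)\s*=\s*([^;]*)")


def parse_tags(value):
    """Parse a tag=value list (ARC-Seal / AMS header value) into a dict."""
    return {m.group(1): m.group(2).strip() for m in TAG_RE.finditer(value)}


def parse_arc_chain(headers):
    """Group the three ARC headers by instance and check what RFC 8617 requires:
    instances 1..N contiguous, every set complete, cv=none on i=1 and cv=pass
    on each later seal.  Returns the sets ordered by instance number."""
    sets = {}
    for name, value in headers:
        lname = name.lower()
        if lname not in ARC_HEADERS:
            continue
        if lname == "arc-authentication-results":
            inst = int(value.split(";", 1)[0].split("=")[1])  # "i=N; ..."
            sets.setdefault(inst, {})[lname] = value
        else:
            tags = parse_tags(value)
            sets.setdefault(int(tags["i"]), {})[lname] = tags
    if not sets:
        return []
    expected = list(range(1, len(sets) + 1))
    if sorted(sets) != expected:
        raise ValueError("ARC instance numbers are not contiguous from 1")
    chain = []
    for i in expected:
        if any(h not in sets[i] for h in ARC_HEADERS):
            raise ValueError(f"ARC set {i} is missing a header")
        cv = sets[i]["arc-seal"].get("cv")
        if cv != ("none" if i == 1 else "pass"):
            raise ValueError(f"ARC set {i} has cv={cv}")
        chain.append(sets[i])
    return chain


def spf_pass(domain, ip, spf_table=SPF_TABLE):
    """Minimal SPF: does `domain` authorize `ip`?  ip4 mechanisms only."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(n) for n in spf_table.get(domain, []))


def accept_arc(headers, connecting_ip, spf_table=SPF_TABLE):
    """The proposed rule: valid chain, last AMS verified (assumed here), and the
    last sealer's domain passes SPF for the connecting IP.  -> (accepted, why)"""
    try:
        chain = parse_arc_chain(headers)
    except ValueError as exc:
        return False, f"invalid chain: {exc}"
    if not chain:
        return False, "no ARC chain"
    last = chain[-1]["arc-seal"]["d"]
    if not spf_pass(last, connecting_ip, spf_table):
        return False, f"last sealer {last} (i={len(chain)}) does not authorize {connecting_ip}"
    return True, f"last sealer {last} (i={len(chain)}) authorizes {connecting_ip}"


def arc_set(i, domain, cv):
    """One constructed ARC set; b=/bh= are placeholders, not real signatures."""
    return [
        ("ARC-Authentication-Results", f"i={i}; {domain}; spf=pass smtp.mailfrom=author.example"),
        ("ARC-Message-Signature", f"i={i}; a=rsa-sha256; d={domain}; s=arc; h=from:to:subject; bh=FAKE=; b=FAKE="),
        ("ARC-Seal", f"i={i}; a=rsa-sha256; cv={cv}; d={domain}; s=arc; t=1668640000; b=FAKE="),
    ]


MLM_ONLY = arc_set(1, "lists.example.org", "none")
MLM_THEN_FORWARDER = MLM_ONLY + arc_set(2, "forward.example.net", "pass")


def scenarios():
    """The cases raised in the thread, as accept/reject outcomes."""
    return {
        # The MLM's own MTA delivers: last sealer and connecting host coincide.
        "mlm_direct": accept_arc(MLM_ONLY, "192.0.2.10")[0],
        # The same chain replayed from an unrelated host: the SPF rule catches it.
        "chain_replayed": accept_arc(MLM_ONLY, "203.0.113.7")[0],
        # A bastion delivers the MLM-sealed message without sealing and the MLM's
        # SPF record does not list it: legitimate mail is rejected.
        "unsigned_bastion": accept_arc(MLM_ONLY, "198.51.100.5")[0],
        # Remedy A: the MLM's SPF record accounts for the bastion's IP.
        "authorized_bastion": accept_arc(MLM_ONLY, "198.51.100.5",
            {"lists.example.org": ["192.0.2.0/28", "198.51.100.5/32"]})[0],
        # Remedy B: the forwarder seals too and so becomes the last element.
        "sealing_forwarder": accept_arc(MLM_THEN_FORWARDER, "198.51.100.5")[0],
    }


if __name__ == "__main__":
    for name, accepted in scenarios().items():
        print(f"{name:20s} {'accept' if accepted else 'reject'}")
```

The "unsigned_bastion" case is Roland's objection in code: the chain is intact and the mail is legitimate, yet the rule rejects it because the host that connected is not the host that sealed last. Both remedies in the thread are shown, the SPF record listing the bastion and the bastion adding its own seal; a replayed chain fails either way because no SPF record of the last sealer covers the replaying host.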