> On May 6, 2022, at 8:14 AM, Luis E. Muñoz via mailop <mailop@mailop.org> > wrote: > > On 6 May 2022, at 3:48, Dan Mahoney via mailop wrote: > >> If you’re already doing DKIM and SPF anyway, arc is another milter in the >> chain that gives you that benefit. (You want it after your DKIM and DMARC >> validators). You can leverage your same DKIM keys to use arc (or a different >> one), but it’s largely the same idea. Right now nobody is validating arc, >> but this is largely because nobody’s signing/sealing with it…because nobody >> is validating it…because nobody is signing/sealing with it….someone needs to >> move first. > > I think there's slightly more at play. Besides "trusting" the big ones, how > would gushi.org know that it can trust libertad.link's ARC signatures? Or > posed in a different way, what prevents spammer.co to make a false > attestation to send spam made to look like it was sent from some innocent > bystander?
You’re correct here. If you’re the i=1 arc sealer, and you apply an arc-seal and arc-authentication-results header that says, in effect, “yup, looked good to me at the time”, things will still validate, unless you drill down into the message and look at other things that were broken in the way forwarding is known to. At that point, you can no longer validate the original DKIM signature (because the signed headers have been modified). Gmail has no purported cause to trust my arc-seals on my little Vultr vm that’s handling my personal mail, but at the end of the day if I’m applying those seals, and someone else isn’t, I see my stuff as less likely to be dropped than the guy who isn’t. Doing the work to set up the sealing as a “best practice” feels reasonable(*) What arc DOES purport to do, is makes *forwarded* (or third-party-handled) mail obvious. It changes it from “unvalidateable” to having at least one mechanism, which at least has a traceable path. We hope. I happen to run a major listserv, and I’ve turned it on. In a system with lots of first-mover-disadvantages, I’ve made my move. A 2-line question from gmail to bind-users now has headers for days. :) -Dan *(I’ve seen stuff you people wouldn’t believe. Over the years, I’ve had _adsp records, _domainkey policy records (i.e. domainkey with no selector), SPF (sometimes in addition to TXT) DNS records, hashcash signatures on my mail, experimenting with GPG-signing all mail, hell, there was even that one site that made me embed a haiku in my mail headers. I’ve set spf -all and still got forged mail blowback. This is totally whack-a-mole, hilariously in a world where I get more b2b spam to info@dayjob *from* the big three freemails) > > How do we make this scale? > > I think the response to those issues are in part the cause for the loop you > cleverly explained before. > > Best regards > > -lem > _______________________________________________ > mailop mailing list > mailop@mailop.org > https://list.mailop.org/listinfo/mailop
_______________________________________________ mailop mailing list mailop@mailop.org https://list.mailop.org/listinfo/mailop
