On 6/20/2022 9:05 AM, Paulo Pinto via mailop wrote:
 >ARC is motivated by the cases where DKIM/SPF/DMARC information about the
 >author/originator get broken.

 >I'm truly trying to find a justification to break DKIM/SPF on a message after it is sent.

SPF is designed to be extremely fragile. It breaks when even simple MTA relaying is done through an MTA that is not pre-registered in the SPF record. Such relaying has been an essential part of Internet mail since before there was an Internet. SPF was designed after this entirely reasonable behavior was well-established.

The word 'justification' is probably awkward in this context, but the technical and operational details here are pretty simple.

DKIM was designed with an expectation that the basic message -- the part used to formulate the DKIM signature -- will not change. That's a reasonable assumption for a single posting/delivery sequence.

Mailing lists create multiple such sequences before 'final' delivery. Mailing lists can and do do all sorts of things to messages that wind up breaking the DKIM signature. They always have. Mailing lists, too, were well-established before there was an Internet and long before DKIM was developed.

These technologies were designed to work properly for only a subset of entirely reasonable email handling activity that has always existed.


 >SPF -> You should be aware of all the servers that can be involved in the message transaction

No, actually you shouldn't.  It's a requirement that doesn't scale.


 >DKIM -> The message should only be signed after it is complete and leaving your controlled environment. Any modification to the message afterwards is tampering and should not happen.

See above. DKIM is for a single posting/delivery sequence. Mailing lists entail multiple. Mailing lists operate at user-level, not the transport level. User-level software can and does do whatever it wants, prior to (re-) posting and always has.

d/
_______________________________________________
mailop mailing list
mailop@mailop.org
https://list.mailop.org/listinfo/mailop
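
The point made in the message above about list handling breaking DKIM, shown as an added example (not part of the original message or of any project's code): it computes the DKIM body hash (the `bh=` value) under the RFC 6376 "simple" and "relaxed" body canonicalizations, before and after a list appends a footer. The message bodies are constructed samples; the signature's header coverage is not modelled.

```python
import base64
import hashlib
import re

def canon_simple(body: bytes) -> bytes:
    """RFC 6376 'simple' body: drop trailing empty lines, end with one CRLF."""
    while body.endswith(b"\r\n"):
        body = body[:-2]
    return body + b"\r\n"

def canon_relaxed(body: bytes) -> bytes:
    """RFC 6376 'relaxed' body: collapse whitespace runs to one space,
    strip whitespace at line ends, drop trailing empty lines."""
    lines = [re.sub(rb"[ \t]+", b" ", ln).rstrip(b" ")
             for ln in body.split(b"\r\n")]
    while lines and lines[-1] == b"":
        lines.pop()
    return b"".join(ln + b"\r\n" for ln in lines)

def body_hash(body: bytes, canon) -> str:
    """Base64 SHA-256 of the canonicalized body, as carried in bh=."""
    return base64.b64encode(hashlib.sha256(canon(body)).digest()).decode()

def bh_survives(signed: bytes, received: bytes, canon) -> bool:
    """True if a verifier recomputing bh= on `received` gets the signer's value."""
    return body_hash(signed, canon) == body_hash(received, canon)

# Constructed sample bodies (CRLF line endings, as on the wire).
SIGNED = b"Hello list,\r\n\r\nSPF and DKIM question below.\r\n"
# Same text, whitespace disturbed by an intermediate hop.
RESPACED = b"Hello  list, \r\n\r\nSPF and DKIM question below.\r\n\r\n"
# Same text after a list manager appends its footer and re-posts.
LIST_FOOTER = (b"_______________________________________________\r\n"
               b"mailop mailing list\r\n")
RELISTED = SIGNED + LIST_FOOTER

if __name__ == "__main__":
    cases = (("re-spaced in transit", RESPACED),
             ("list footer appended", RELISTED))
    for label, received in cases:
        for name, canon in (("simple", canon_simple), ("relaxed", canon_relaxed)):
            ok = bh_survives(SIGNED, received, canon)
            print(f"{label:22} {name:8} bh {'matches' if ok else 'BROKEN'}")
```

Relaxed canonicalization absorbs the whitespace change, but neither mode survives the appended footer, so the original signature fails at the final recipient.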
