On Mon, May 6, 2024 at 12:41 AM Alessandro Vesely via mailop <mailop@mailop.org> wrote:

> The question is, since Gmail seems to require a DKIM signature just to make
> sure some domain is responsible for the message, doesn't an ARC seal cover
> the same requirement?

The most that ARC can provide in the case where DKIM is required is to say
that DKIM verified for hop N if it no longer does.

In the more general sense, ARC can also prove that a message transited a
certain ADMD.  That said, one of the reasons ARC is not DKIM
is because the implication of DKIM is that the signer is vouching for the
ADMD authorization for the message, but we didn't want ARC to do the
same.

The challenge with Gmail's new rules and forwarding is that they want you
to provide an authentication signal (SPF or DKIM), but you also don't
really know what you're sending, so doing so can result in a negative
effect on your reputation.  How to square that circle is left as an
exercise to the reader.  DKIM signing or using SPF would potentially solve that.

The flip-side is if the Gmail "dkim required for major senders" message
could be talking about the actual source before forwarding, in which
case adding DKIM or SPF at the forwarder won't help.  The request then is
more like DMARC, looking for some level of alignment between the
source and authentication.  ARC was designed to help for that case,
assuming the message was DKIM signed by the sender in the first place.
Unfortunately, one of the reasons that ARC is experimental is that solving
the "trust" part on forwarding is non-trivial... well, sorta, explicit
opt-in of forwarders would work fine.  In the case of someone forwarding their
mailbox from A to B, having that specific account say "I'm forwarding
from A, accept forwarded mail from them" would solve the issue, at the
challenge of requiring user opt-in.

Even then, at the spam rule level you need to decide on a rule by rule
basis whether to accept ARC override or not... you can probably get
away with having a general authentication signal that does, and more
specific signals that don't, and using the right ones where you need to.

Brandon
_______________________________________________
mailop mailing list
mailop@mailop.org
https://list.mailop.org/listinfo/mailop
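
The per-rule ARC override and per-mailbox forwarder opt-in discussed in the message above, as an added sketch that is not part of the original post and not any provider's actual logic. The class, function and rule names are hypothetical, the sample message is constructed, and requiring every sealer in the chain to be opted in is a conservative assumption.

```python
from dataclasses import dataclass, field

@dataclass
class AuthState:
    dkim_pass: bool            # DKIM verifies at this receiver
    spf_pass: bool             # SPF verifies at this receiver
    arc_chain_valid: bool      # ARC chain validated (cv=pass on the newest seal)
    arc_sealers: tuple         # ARC-Seal d= domains, oldest hop first
    arc_hop1_dkim_pass: bool   # dkim=pass recorded in the i=1 ARC-Authentication-Results

@dataclass
class Mailbox:
    address: str
    trusted_forwarders: set = field(default_factory=set)  # explicit user opt-in

def strict_auth(auth):
    """Specific signal: only authentication that verifies now, no ARC override."""
    return auth.dkim_pass or auth.spf_pass

def arc_override(auth, mailbox):
    """ARC may stand in for broken DKIM only if the chain validates, hop 1 saw
    dkim=pass, and every sealer was opted in by this mailbox (assumption)."""
    return (auth.arc_chain_valid and auth.arc_hop1_dkim_pass
            and len(auth.arc_sealers) > 0
            and all(d in mailbox.trusted_forwarders for d in auth.arc_sealers))

def general_auth(auth, mailbox):
    """General signal: direct authentication, or the ARC override."""
    return strict_auth(auth) or arc_override(auth, mailbox)

# Hypothetical rules, each declaring whether it honours the ARC override.
RULES = {"require_some_authentication": True, "domain_reputation_credit": False}

def evaluate(auth, mailbox):
    """Return, per rule, whether the message counts as authenticated."""
    return {name: (general_auth(auth, mailbox) if honours_arc else strict_auth(auth))
            for name, honours_arc in RULES.items()}

# Constructed sample: mail forwarded by a.example, DKIM and SPF broken in transit.
FORWARDED = AuthState(False, False, True, ("a.example",), True)
OPTED_IN = Mailbox("user@b.example", {"a.example"})
NOT_OPTED_IN = Mailbox("other@b.example")

if __name__ == "__main__":
    print(evaluate(FORWARDED, OPTED_IN))
    print(evaluate(FORWARDED, NOT_OPTED_IN))
```
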