Re: [mailop] DMARC on srs forwarding domains?
On 02.02.24 at 16:08, Mark E. Jeftovic via mailop wrote:
> We're having a bit of a theological debate internally on whether to
> implement DMARC on our SRS forwarder domains.

On 02.02.24 16:26, Kai Bojens via mailop wrote:
> Skip SRS and implement ARC for forwarded e-mails. This should solve
> all these problems.

Does anyone blindly trust ARC signatures from random domains?

I find it a huge difference between DKIM signatures (I sign this mail being
from my domain) and ARC signature (I sign that this mail was received from
whitehouse.gov properly verified and signed).

--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Warning: I do NOT wish to receive any advertising mail at this address.
Silvester Stallone: Father of the RISC concept.
___
mailop mailing list
mailop@mailop.org
https://list.mailop.org/listinfo/mailop
Re: [mailop] DMARC on srs forwarding domains?
Hello Matus,

On Sun, 2024-02-04 at 16:02 +0100, Matus UHLAR - fantomas via mailop wrote:
> > On 02.02.24 at 16:08, Mark E. Jeftovic via mailop wrote:
> > > We're having a bit of a theological debate internally on whether
> > > to implement DMARC on our SRS forwarder domains.
> > On 02.02.24 16:26, Kai Bojens via mailop wrote:
> > Skip SRS and implement ARC for forwarded e-mails. This should solve
> > all these problems.
>
> Does anyone blindly trust ARC signatures from random domains?

They (DKIM/ARC) are not distinguishing whether the sender is a good person or
a bad person. They only verify that the sender has a legitimate passport.
Instead, please use *DNSWL* to determine whether the sender is a good person
or a bad person.

> I find it a huge difference between DKIM signatures (I sign this mail
> being from my domain) and ARC signature (I sign that this mail was
> received from whitehouse.gov properly verified and signed).

Sincerely, Byunghee

--
^고맙습니다 _布德天下_ 감사합니다_^))//
Re: [mailop] DMARC on srs forwarding domains?
On 02.02.24 at 16:08, Mark E. Jeftovic via mailop wrote:
> We're having a bit of a theological debate internally on whether to
> implement DMARC on our SRS forwarder domains.

On 02.02.24 16:26, Kai Bojens via mailop wrote:
> Skip SRS and implement ARC for forwarded e-mails. This should solve
> all these problems.

On Sun, 2024-02-04 at 16:02 +0100, Matus UHLAR - fantomas via mailop wrote:
> Does anyone blindly trust ARC signatures from random domains?

On 05.02.24 01:27, Byunghee HWANG (황병희) via mailop wrote:
> They (DKIM/ARC) are not distinguishing whether the sender is a good person
> or a bad person. They only verify that the sender has a legitimate
> passport. Instead, please use *DNSWL* to determine whether the sender is
> a good person or a bad person.

But, if an ARC signer is a bad person, even the ARC signature can lie about
original content, and the claimed original sender may be fake (as my example
down there shows).

So, we need to trust (apply DNSWL) to ARC signer before we can use the ARC
signature to apply DNSWL on the original sender.

Or is there something I misunderstood about ARC?

> I find it a huge difference between DKIM signatures (I sign this mail
> being from my domain) and ARC signature (I sign that this mail was
> received from whitehouse.gov properly verified and signed).

--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Warning: I do NOT wish to receive any advertising mail at this address.
Support bacteria - they're the only culture some people have.
Re: [mailop] DMARC on srs forwarding domains?
Hi,

On Sun, 4 Feb 2024 16:02:31 +0100 Matus UHLAR - fantomas via mailop wrote:
> Does anyone blindly trust ARC signatures from random domains?

How can one trust that, if one doesn't know how (or if at all) the original
was checked? If I blindly trust that, I don't need to check SPF, DKIM,
DMARC nor ARC at all and save the world...

> I find it a huge difference between DKIM signatures (I sign this mail
> being from my domain) and ARC signature (I sign that this mail was
> received from whitehouse.gov properly verified and signed).

Yes, DKIM is slightly more reliable, as one signs one's own mails, ARC signs
others'/foreign mails...

The only one who is worth trusting (for me) is me, or perhaps partial trust
on a per-user basis, meaning to trust a particular ARC signer for a
particular recipient (the user's own forwarded mails), but my environment is
not prepared for this.

rspamd allows defining trustworthy ARC signers, but the built-in system is
per ARC domain only; to get it per user, one has to develop something of
one's own (IMO not as complicated as it can sound, but I never tried that).

regards

--
Slavko
https://www.slavino.sk
Re: [mailop] DMARC on srs forwarding domains?
It appears that Matus UHLAR - fantomas via mailop said:
>>On 02.02.24 at 16:08, Mark E. Jeftovic via mailop wrote:
>>>We're having a bit of a theological debate internally on whether to
>>>implement DMARC on our SRS forwarder domains.
>
>On 02.02.24 16:26, Kai Bojens via mailop wrote:
>>Skip SRS and implement ARC for forwarded e-mails. This should solve
>>all these problems.
>
>Does anyone blindly trust ARC signatures from random domains?

No, but we don't blindly trust an SPF pass (SRS or otherwise) either.

A credible ARC tells you a lot more than a credible SRS.

To return to the original question, I'd put a DMARC p=none on any domain
that sends mail with an rua= so you can collect stats and see where your
mail is going.

R's,
John
Re: [mailop] DMARC on srs forwarding domains?
On 02.02.24 at 16:08, Mark E. Jeftovic via mailop wrote:
> We're having a bit of a theological debate internally on whether to
> implement DMARC on our SRS forwarder domains.

On 02.02.24 16:26, Kai Bojens via mailop wrote:
> Skip SRS and implement ARC for forwarded e-mails. This should solve
> all these problems.

It appears that Matus UHLAR - fantomas via mailop said:
> Does anyone blindly trust ARC signatures from random domains?

On 04.02.24 12:08, John Levine via mailop wrote:
> No, but we don't blindly trust an SPF pass (SRS or otherwise) either.

We don't, but we can at least verify it and look up the domain reputation.

> A credible ARC tells you a lot more than a credible SRS.

That's the point: a credible. Without trusting ARC, you know nothing.
Without trusting SPF domain, you know at least something.

> To return to the original question, I'd put a DMARC p=none on any domain
> that sends mail with an rua= so you can collect stats and see where your
> mail is going.

To answer the first reply, I recommend not to skip SRS and make it work.

--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Warning: I do NOT wish to receive any advertising mail at this address.
The early bird may get the worm, but the second mouse gets the cheese.
Re: [mailop] DMARC on srs forwarding domains?
On 2024-02-04 23:02:31 (+0800), Matus UHLAR - fantomas via mailop wrote:
> On 02.02.24 at 16:08, Mark E. Jeftovic via mailop wrote:
>> We're having a bit of a theological debate internally on whether to
>> implement DMARC on our SRS forwarder domains.
>
> On 02.02.24 16:26, Kai Bojens via mailop wrote:
>> Skip SRS and implement ARC for forwarded e-mails. This should solve
>> all these problems.
>
> Does anyone blindly trust ARC signatures from random domains?
>
> I find it a huge difference between DKIM signatures (I sign this mail
> being from my domain) and ARC signature (I sign that this mail was
> received from whitehouse.gov properly verified and signed).

We don't blindly trust DKIM signatures either. DKIM is only one signal.

In practice, in 2024, forwarding predominantly happens on the final hop
before the mailbox. The mailbox provider can see that their users x, y, and
z are receiving a lot of email addressed to {x,y,z}@alumni.example.edu, all
of it with valid ARC signatures from alumni.example.edu. Given an
appropriate sample size, those signatures begin to become trustworthy.

Mailbox providers can also provide a user interface for marking ARC domains
as trustworthy. Similar to how some mailbox providers allow users to
allowlist their forwarders for SPF checks.

Of course, the largest mailbox providers will continue to feed the signal
into their opaque reputation machinery, so it's anyone's guess what will
happen there.

Philip
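
Added example, not part of any post in this thread: a sketch of the per-recipient trusted-sealer policy that Slavko's and Philip's messages describe, which honours an ARC-recorded dmarc=pass only when the receiver already trusts every sealing domain. The function names, the trust-list shape, mailbox.example and the sample headers are assumptions constructed here; cryptographic validation of the chain is assumed to be done by the MTA's ARC verifier and passed in as chain_valid.

```python
import re
from email import message_from_string

# Constructed sample: mail from sender.example forwarded by alumni.example.edu.
# The b=/bh= values are placeholders; no signature is verified in this sketch.
SAMPLE = """\
ARC-Seal: i=1; a=rsa-sha256; cv=none; d=alumni.example.edu; s=arc1; b=PLACEHOLDER
ARC-Message-Signature: i=1; a=rsa-sha256; d=alumni.example.edu; s=arc1; h=from; bh=PLACEHOLDER; b=PLACEHOLDER
ARC-Authentication-Results: i=1; mx.alumni.example.edu; spf=pass smtp.mailfrom=sender.example; dmarc=pass header.from=sender.example
From: alice@sender.example
To: x@alumni.example.edu
Subject: constructed sample

body
"""

def tags(value):
    """Parse a 'k=v; k=v' tag list; parts without '=' (the authserv-id) are skipped."""
    pairs = (p.split("=", 1) for p in value.split(";") if "=" in p)
    return {k.strip(): v.strip() for k, v in pairs}

def arc_sets(msg):
    """Map ARC instance number -> sealer domain (d=) and the DMARC result it recorded."""
    sets = {}
    for v in msg.get_all("ARC-Seal", []):
        t = tags(v)
        sets.setdefault(int(t["i"]), {})["sealer"] = t["d"].lower()
    for v in msg.get_all("ARC-Authentication-Results", []):
        m = re.search(r"\bdmarc=(\w+)", v)
        sets.setdefault(int(tags(v)["i"]), {})["dmarc"] = m.group(1) if m else "none"
    return sets

def effective_dmarc(raw, local_dmarc, chain_valid, recipient, global_trust, user_trust):
    """Keep the local DMARC result unless every sealer in a valid chain is trusted."""
    if local_dmarc == "pass":
        return "pass", "local result"
    sets = arc_sets(message_from_string(raw))
    if not chain_valid or not sets:
        return local_dmarc, "no usable ARC chain"
    trusted = global_trust | user_trust.get(recipient, set())
    for i in sorted(sets):
        if sets[i].get("sealer") not in trusted:
            return local_dmarc, f"untrusted sealer {sets[i].get('sealer')}"
    first = sets[min(sets)]  # the first hop saw the message before forwarding
    if first.get("dmarc") == "pass":
        return "pass", f"ARC override via {first['sealer']}"
    return local_dmarc, "trusted sealer did not report dmarc=pass"

if __name__ == "__main__":
    prefs = {"x@mailbox.example": {"alumni.example.edu"}}
    for rcpt in ("x@mailbox.example", "y@mailbox.example"):
        print(rcpt, effective_dmarc(SAMPLE, "fail", True, rcpt, set(), prefs))
```

The same sealed message is accepted for x, who listed the forwarder, and keeps its local DMARC fail for y, who did not.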