On Wed 19/Apr/2023 01:13:48 +0200 Benny Pedersen wrote:
Hector Santos wrote on 2023-04-18 20:47:

So your verifier sees Benny’s as suspicious because of arc=fail?

it does imho not fail on my own arc ?


My filter attempts to recover DKIM signatures after MLM transformation, but not ARC chains. Currently, ARC is evaluated but its result doesn't modify message worthiness.


Benny is telling the world “ietf.org [1] is authorized to re-sign on my behalf” via DNS.  No headers required.  No delayed learning necessary.


How would I get a clue of that?


if all maillist did arc on incoming mails before mailman scrambled dkim then all will be good, only left is dmarc is not in all places tests arc results


It is all too easy to spoof an ARC chain offering false authentication results. Allowing ARC to override DMARC result requires the ARC signer to be whitelisted.

Now, one can object that whitelisting could be done by DKIM, by SPF, by DNSWL, without the need to introduce a new, long-winded protocol. However, ARC brings a couple of advantages:

1) In case of multiple forwarding steps, ARC delivers an ordered and cohesive chain which is easier to verify than a messy mass of DKIM signatures.

2) Authentication results, which normally are deleted or renamed on crossing ADMD barriers, can be exported. As they can sometimes be checked against message transformation, fraudsters can in the long run be debunked.


Best
Ale
--






_______________________________________________
dmarc mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dmarc
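
The whitelisting condition discussed in the message above, as an added example (not part of the original thread and not the code of the filter mentioned in it): a DMARC failure is overridden only when the ARC chain validated and every sealer is on a local whitelist. The header values, the `.example` domains, the function names and the "all sealers must be listed" policy are assumptions of this sketch; the cryptographic chain validation is assumed to be done by a separate ARC verifier and passed in as `chain_validated`.

```python
# Constructed sample headers (not from the thread); all domains are placeholders.
SAMPLE_HEADERS = [
    ("ARC-Seal", "i=2; a=rsa-sha256; cv=pass; d=forwarder.example; s=k1; b=..."),
    ("ARC-Authentication-Results",
     "i=2; forwarder.example; dmarc=fail header.from=author.example; arc=pass"),
    ("ARC-Seal", "i=1; a=rsa-sha256; cv=none; d=list.example; s=k1; b=..."),
    ("ARC-Authentication-Results",
     "i=1; list.example; dkim=pass header.d=author.example; dmarc=pass"),
]

def tags(value):
    """Split 'k=v; k=v' into a dict; parts without '=' (the authserv-id) are skipped."""
    parts = (p.partition("=") for p in value.split(";"))
    return {k.strip().lower(): v.strip() for k, eq, v in parts if eq}

def arc_chain(headers):
    """Map each ARC instance number to its sealer domain, cv= tag and recorded dmarc result."""
    chain = {}
    for name, value in headers:
        t = tags(value)
        if not t.get("i", "").isdigit():
            continue
        hop = chain.setdefault(int(t["i"]), {"sealer": "", "cv": "", "dmarc": None})
        if name.lower() == "arc-seal":
            hop["sealer"], hop["cv"] = t.get("d", "").lower(), t.get("cv", "").lower()
        elif name.lower() == "arc-authentication-results" and "dmarc" in t:
            hop["dmarc"] = (t["dmarc"].split() or [""])[0].lower()
    return chain

def final_disposition(dmarc_result, chain_validated, headers, trusted_sealers):
    """Return (verdict, reason). chain_validated is assumed to come from a real
    ARC verifier's cryptographic check; this function only applies the policy."""
    if dmarc_result == "pass":
        return "pass", "dmarc passed locally"
    chain = arc_chain(headers)
    if not chain_validated or not chain:
        return dmarc_result, "no validated ARC chain"
    if sorted(chain) != list(range(1, len(chain) + 1)):
        return dmarc_result, "ARC instances not contiguous"
    # Assumed policy: every sealer must be whitelisted, since any hop could relay a false claim.
    unlisted = [chain[i]["sealer"] for i in sorted(chain)
                if chain[i]["sealer"] not in trusted_sealers]
    if unlisted:
        return dmarc_result, "unlisted sealer: " + unlisted[0]
    if chain[1]["dmarc"] != "pass":
        return dmarc_result, "first hop did not record dmarc=pass"
    return "pass", "overridden by whitelisted ARC chain"

if __name__ == "__main__":
    print(final_disposition("fail", True, SAMPLE_HEADERS, {"list.example", "forwarder.example"}))
    print(final_disposition("fail", True, SAMPLE_HEADERS, {"forwarder.example"}))
```
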