On Sun 05/May/2024 19:44:57 +0200 Benny Pedersen via mailop wrote:
> Andrew C Aitchison via mailop wrote on 2024-05-05 18:49:
>> On Sat, 4 May 2024, Alessandro Vesely via mailop wrote:
>>>
>>> The last URL in the response says something about ARC:
>>>
>>>    ARC checks the previous authentication status of forwarded messages.
>>>    If a forwarded message passes SPF or DKIM authentication, but ARC
>>>    shows it previously failed authentication, Gmail treats the message as
>>>    unauthenticated.
>>>
>>> Isn't it overkill to put both DKIM /and/ ARC if you know the receiver implements both?
>>
>> I don't think so.
>>
>> DKIM proves that you did send it.
>> ARC proves that you forwarded what you received?
>
> without trustness ?

An ARC-Signature is very much the same thing as a DKIM signature. They both prove that a message went through the signing server. Then, ARC additionally conveys authentication results, which is what makes it suited to forwarding.

> ARC-signer/ARC-Sealers have to be trusted, to make any difference

Trust is required if you're going to make decisions based on that seal, such as overriding DMARC policy. In the case at hand, the author domain DKIM signature was not valid and the DMARC record said p=none, so trust was not needed.

> is arc btw ensure tested in dmarc ?, trustness or ?

DMARC adds policy. It requires the From: domain to be aligned with DKIM or SPF. When you forward you don't rewrite From:, so it's not aligned, and a DKIM signature wouldn't help getting a dmarc=pass. There's no requirement that ARC's d= be aligned with anything. (Should forwarders rewrite the bounce address?)

The question is, since Gmail seems to require a DKIM signature just to make sure some domain is responsible for the message, doesn't an ARC seal cover the same requirement?


Best
Ale
--




_______________________________________________
mailop mailing list
mailop@mailop.org
https://list.mailop.org/listinfo/mailop
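The alignment point in the message above, as an added example that is not part of the original post: it reads the headers of a constructed forwarded message and reports which domains take responsibility via DKIM and ARC, and whether any DKIM d= aligns with From:. The domains, selectors and tag values are made up, no signature is cryptographically verified, and the two-label organizational-domain rule is an assumption standing in for a Public Suffix List lookup.

```python
from email import message_from_string
from email.utils import parseaddr

# Constructed sample: forwarder.example relays a message without rewriting From:.
# The author's DKIM signature did not survive; the forwarder adds its own
# DKIM-Signature and one ARC set. All b=/bh= values are placeholders.
FORWARDED = """\
ARC-Seal: i=1; a=rsa-sha256; cv=none; d=forwarder.example; s=arc; b=PLACEHOLDER
ARC-Message-Signature: i=1; a=rsa-sha256; d=forwarder.example; s=arc; h=from:subject; bh=PLACEHOLDER; b=PLACEHOLDER
ARC-Authentication-Results: i=1; forwarder.example; dkim=fail header.d=author.example; spf=pass smtp.mailfrom=author.example
DKIM-Signature: v=1; a=rsa-sha256; d=forwarder.example; s=mail; h=from:subject; bh=PLACEHOLDER; b=PLACEHOLDER
From: Alice <alice@author.example>
Subject: constructed example

body
"""

def tags(value):
    """Parse a 'k=v; k=v' tag list as used by DKIM-Signature and ARC-Seal."""
    pairs = (p.split("=", 1) for p in value.split(";") if "=" in p)
    return {k.strip(): v.strip() for k, v in pairs}

def org_domain(domain):
    # Assumption: the last two labels approximate the organizational domain.
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def analyse(raw):
    msg = message_from_string(raw)
    from_dom = parseaddr(msg["From"])[1].rsplit("@", 1)[1]
    dkim_d = [tags(v)["d"] for v in msg.get_all("DKIM-Signature", [])]
    arc_d = [tags(v)["d"] for v in msg.get_all("ARC-Seal", [])]
    aar = tags(msg.get("ARC-Authentication-Results", ""))
    return {
        "from_domain": from_dom,
        "dkim_domains": dkim_d,   # domains claiming responsibility via DKIM
        "arc_sealers": arc_d,     # domains claiming responsibility via ARC
        # DMARC relaxed alignment compares org domains of d= and From:
        "dkim_aligned": any(org_domain(d) == org_domain(from_dom) for d in dkim_d),
        # What the sealer recorded about DKIM when it received the message
        "arc_upstream_dkim": aar.get("dkim", "none").split()[0],
    }

if __name__ == "__main__":
    for key, value in analyse(FORWARDED).items():
        print(f"{key}: {value}")
```

Both the forwarder's DKIM-Signature and its ARC-Seal name the same responsible domain, and neither aligns with From:; only the ARC set also carries the upstream authentication result.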