Jens Hoffrichter via Postfix-users wrote in
<CAFPt6W_xnY48aX5ocqGuwuSVvvOj2dksRoFc=2mv1X=g9lz...@mail.gmail.com>:
|On Mon, Oct 30, 2023 at 8:12 PM Steffen Nurpmeso via Postfix-users
|<[email protected]> wrote:
...
|> Btw i would wonder: why do -- as email operators -- still use DKIM
|> at all, since there is ARC and it also offers signatures and
|> verification?  The OpenSSL (-users) ML uses it, and it only.
...
|Because Google / Gmail / Google Workspace will put out DKIM
|requirements for every email from bulk senders from Feb 1st - not ARC
|requirements. From what I understand, DMARC alignment only happens on
|SPF and DKIM alignment, not on ARC alignment - and because of that,
|DKIM is relevant for us.

On 01.11.23 03:15, Steffen Nurpmeso via Postfix-users wrote:
I did not know that.  I had the impression Google pushes ARC.  But
i never find anything in their help (and stopped pressing buttons
for "was this page helpful"), nor have i ever heard such.

ARC is basically a third-party signature saying that
"DMARC was okay when we received this e-mail".

You must configure trust for the concrete ARC signers, as you cannot simply trust mail from a random domain saying "this mail from gmail.com was okay when we received it", since creating ARC signatures with fake original content is easy.

With DKIM, everyone signs their own mail, so this third-party trust issue does not appear.

I myself have deepest respect for the engineering of SPF (the RFC
that is), but do not understand it regarding email flow, you have
to run postsrsd to make this work if you have redirecting aliases,

When you forward mail from gmail.com to us, keeping the original envelope sender, e.g. [email protected], we only see mail claiming to be from gmail but originating from your server, which means the sender may be forged.

SPF is here to block this e-mail, and SRS is one of the techniques to rewrite the envelope sender to your domain, while keeping enough information for you to later see that the mail was indeed forwarded through your server, if the forward fails.

You can of course set the sender to anything in your domain, but by setting the sender to the original recipient, which may seem reasonable (setting the sender to the user who wishes to forward their e-mail to gmail), you risk creating a forwarding loop: each mail to that user gets forwarded to a non-existent address, a bounce is generated which is again forwarded to the non-existent address...
(and some servers or software don't create bounces with an empty from).

and in the end i myself do not care at all how the mail is hopping
if only it is delivered to the right place.  Especially so if the
email is DKIM signed and/or S/MIME aka PGP signed/encrypted.
And DMARC i truly hate.  :)

Well i keep on hoping that DKIM is fixed to work also for MLs
without robot trouble (user interfaces are the other thing), it
would be all i need.

DKIM cryptographically signs the e-mail body and headers, so everyone can verify whether it really came from the domain in the header From:.

Mailing lists that modify signed headers or the body of the mail, e.g. by adding a list signature to Subject: or the body, invalidate this signature.

One solution is to forward the original signed message intact as an attachment; another is to change From: and DKIM-sign the new message with the domain in the mailing list's From:, so the new DKIM signature is correct.


DMARC on a domain simply configures that all mail from that domain passes the DKIM or SPF check for that domain, and what to do with mail that does not pass either.
(once more: DKIM applies to the header From:, SPF to the envelope from:).

--
Matus UHLAR - fantomas, [email protected] ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
99 percent of lawyers give the rest a bad name.
_______________________________________________
Postfix-users mailing list -- [email protected]
To unsubscribe send an email to [email protected]
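The two mechanisms discussed above, SRS rewriting of the envelope sender on a forwarding host and DMARC alignment of the From: domain against SPF and DKIM identifiers, worked through as an added example (editor's code, not from the list post or from postsrsd). Assumptions: the SRS0 address layout follows the common libsrs2/postsrsd form SRS0=hash=timestamp=orig-domain=orig-local@forwarder-domain with a 4-character HMAC tag and a two-character base32 day stamp; the secret, addresses and domains are constructed; the organizational domain for relaxed alignment is approximated as the last two labels instead of consulting the Public Suffix List; and the SPF and DKIM verdicts are taken as inputs rather than computed, since the point is the alignment logic, not signature verification.

```python
"""SRS0 envelope rewriting and DMARC alignment (added example; constructed values)."""
import base64
import hashlib
import hmac
import time

SRS_SECRET = b"constructed-example-secret"  # assumption: real deployments use a random secret
SRS_BASE32 = "ABCDEFGHIJKLMNOPQRSTUVWXYZ234567"
SRS_HASH_LEN = 4        # libsrs2/postsrsd default tag length
SRS_MAX_AGE_DAYS = 21   # assumption: bounces to older SRS addresses are rejected


def _srs_timestamp(day):
    """Two base32 characters encoding (day number mod 1024), as SRS0 does."""
    day %= 1024
    return SRS_BASE32[(day >> 5) & 31] + SRS_BASE32[day & 31]


def _srs_hash(timestamp, orig_domain, orig_local):
    """Truncated HMAC: a bounce can only be reversed if we produced the address."""
    msg = f"{timestamp}{orig_domain.lower()}{orig_local}".encode()
    return base64.b64encode(hmac.new(SRS_SECRET, msg, hashlib.sha1).digest()).decode()[:SRS_HASH_LEN]


def srs_forward(envelope_sender, forwarder_domain, day=None):
    """Rewrite the envelope sender into forwarder_domain so SPF passes at the next hop.
    Single-hop SRS0 only: an already rewritten address is rejected instead of nested."""
    if envelope_sender == "":          # null sender (bounce): never rewrite, avoids loops
        return envelope_sender
    local, _, domain = envelope_sender.rpartition("@")
    if not local or not domain:
        raise ValueError(f"not a mailbox address: {envelope_sender!r}")
    if local.upper().startswith("SRS0="):
        raise ValueError("already SRS-rewritten; SRS1 is not implemented here")
    ts = _srs_timestamp(int(time.time() // 86400) if day is None else day)
    return f"SRS0={_srs_hash(ts, domain, local)}={ts}={domain}={local}@{forwarder_domain}"


def srs_reverse(address, forwarder_domain, day=None):
    """Map a bounce sent to an SRS0 address back to the original sender.
    Returns None if the address is not ours, the tag is wrong (forged) or it is stale."""
    local, _, domain = address.rpartition("@")
    if domain.lower() != forwarder_domain.lower() or not local.startswith("SRS0="):
        return None
    parts = local.split("=", 4)
    if len(parts) != 5:
        return None
    _, tag, ts, orig_domain, orig_local = parts
    if not orig_domain or not orig_local or len(ts) != 2 or any(c not in SRS_BASE32 for c in ts):
        return None
    if not hmac.compare_digest(tag.encode(), _srs_hash(ts, orig_domain, orig_local).encode()):
        return None
    now = (int(time.time() // 86400) if day is None else day) % 1024
    then = SRS_BASE32.index(ts[0]) * 32 + SRS_BASE32.index(ts[1])
    if (now - then) % 1024 > SRS_MAX_AGE_DAYS:
        return None
    return f"{orig_local}@{orig_domain}"


def org_domain(domain):
    """Organizational domain approximated as the last two labels (assumption:
    real DMARC evaluation uses the Public Suffix List, so example.co.uk is wrong here)."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def _aligned(domain, header_from_domain, mode):
    if mode == "s":
        return domain.lower() == header_from_domain.lower()
    return org_domain(domain) == org_domain(header_from_domain)


def dmarc_evaluate(header_from_domain, spf, dkim_sigs, adkim="r", aspf="r"):
    """DMARC verdict from already computed results.
    spf: (envelope-from domain, result); dkim_sigs: [(d= domain, result), ...].
    Passes if SPF or any DKIM signature passes AND its domain aligns with header From:."""
    spf_domain, spf_result = spf
    spf_aligned = spf_result == "pass" and _aligned(spf_domain, header_from_domain, aspf)
    dkim_aligned = any(res == "pass" and _aligned(d, header_from_domain, adkim)
                       for d, res in dkim_sigs)
    return spf_aligned or dkim_aligned, {"spf": spf_aligned, "dkim": dkim_aligned}


def forwarding_scenarios(day=19000):
    """Constructed cases for a gmail.com message (From: alice@gmail.com) passing through us."""
    fwd = "forwarder.example.net"
    rewritten = srs_forward("alice@gmail.com", fwd, day)
    # 1. Plain forward with SRS: SPF passes for our domain but is not aligned with
    #    gmail.com; the untouched gmail.com DKIM signature still aligns -> DMARC pass.
    plain = dmarc_evaluate("gmail.com", (fwd, "pass"), [("gmail.com", "pass")])
    # 2. Mailing list adds a Subject: tag: gmail.com signature fails, nothing aligns -> fail.
    tagged = dmarc_evaluate("gmail.com", (fwd, "pass"), [("gmail.com", "fail")])
    # 3. List rewrites From: to its own domain and re-signs with its own key -> pass.
    resigned = dmarc_evaluate("lists.example.org", (fwd, "pass"),
                              [("gmail.com", "fail"), ("lists.example.org", "pass")])
    return {"srs": rewritten, "plain": plain[0], "tagged": tagged[0], "resigned": resigned[0]}


if __name__ == "__main__":
    for k, v in forwarding_scenarios().items():
        print(f"{k}: {v}")
```

The null-sender check in srs_forward is the caveat from the post: a bounce carries an empty envelope sender, and rewriting it (or forwarding with the recipient as sender) is what turns an unreachable target into a loop. Case 2 is the mailing-list breakage the thread is about: once the list touches a signed header, only an aligned SPF pass could rescue DMARC, and SRS has just moved the envelope domain away from the From: domain.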
