On Thu, Aug 19, 2021 at 10:49:05PM +0000, k...@linuxdeveloper.xyz wrote: > Experts, > > I met a strange issue about DMARC validation at google groups. > Since it requires some pics to make a more clear statement, I wrote the > question on blog: > https://blog.hoxblue.com/why-this-dmarc-pass-by-google/ > > Can you help to explain my question? Thank you very much. > > regards. > Ken
Hi Ken, Warning: This is just a theory, but it's the only reasonable one I could think of. Google is aware of the fragility of SPF/DKIM/DMARC when it comes to mailing lists, which is why they use ARC: Authenticated Received Chain (ARC) Protocol https://tools.ietf.org/html/rfc8617 (Experimental) ARC is a way for remailers to add an authenticated chain of custody to an email, where they check SPF/DKIM/DMARC when they receive the original email, and then attest that each check passed or failed at that time, and then they provide a DKIM-like signature to prove that it was really them that made the attestation. If you look in the headers of a googlemail email, you'll see these headers: ARC-Seal ARC-Message-Signature ARC-Authentication-Results There can be a set of these three headers for every ARC-enabled remailer along the path. The googlegroups email that I receive tends to have two sets, both added as the mail passes between various google servers. The ARC-Authentication-Results header contains the SPF/DKIM/DMARC check results for the original mail, and this gets copied up through the chain. The other two headers in each set enable the receiver to check the authenticity of its contents. Gmail is probably checking the ARC chain and seeing that DMARC was valid when googlegroups received the original email, and that's what gmail is reporting to you as a DMARC pass. I'm not sure how much ARC is used. From my tiny personal sample set, it's almost all Google and Microsoft. So maybe that's a lot. And who checks it? It's hard to tell. If gmail checks ARC but doesn't mention it by name, perhaps other mail providers are doing that too. There is a milter for it called OpenARC, written by the same group that wrote OpenDKIM and OpenDMARC, but it seems to have been abandoned two years ago when it was still in beta stage. And it doesn't get a mention in the postfix setup tutorials that I've come across. I can find people asking how to set it up, but not so much in the way of satisfactory answers. Without something like OpenARC, OpenDMARC is going to produce lots of false positives because it doesn't know to defer to ARC checking in the presence of ARC headers. cheers, raf
