Alessandro Vesely skrev den 2023-04-19 11:09:
Benny is telling the world “ietf.org [1] is authorize to resign on my
behalf” via DNS. No headers required. No delayed learning
necessary.
How would I get a clue of that?
reading books ?
if all maillist did arc on incomming mails before mailman scrapled
dkim then all will be good, only left is dmarc is not in all places
tests arc results
It is all too easy to spoof an ARC chain offering false authentication
results.
ARC chains is untrusted by defaullt, where is the problem ?
Allowing ARC to override DMARC result requires the ARC
signer to be whitelisted.
whitelisted is not right word for it, its either trusted or untrusted
Now, one can object that whitelisting could be done by DKIM, by SPF,
by DNSWL, without the need to introduce a new, long-winded protocol.
However, ARC brings a couple of advantages:
1) In case of multiple forwarding steps, ARC delivers an ordered and
cohesive chain which is easier to verify than a messy mass of DKIM
signatures.
recipients should only care of dmarc, not dkim/arc/spf fails
to make this work dmarc must trust arc
2) Authentication results, which normally are deleted or renamed on
crossing ADMD barriers, can be exported.
well it scramples dkim, no go
As they can sometimes be
checked against message transformation, fraudsters can in the long run
be debunked.
if we keep the problem on maillist we lost all the goods dkim protect, i
dont want this
i still wonder what errors done in rspamd now :/
my dmarc policy is none, but rspamd says its reject, hmm
_______________________________________________
dmarc mailing list
dmarc@ietf.org
https://www.ietf.org/mailman/listinfo/dmarc
