On Thu 06/Jul/2023 01:48:28 +0200 Marcello wrote:
Hey there,

I was hoping to run a few questions by the authors of the ARC protocol.


There is an ARC mailing list <[email protected]>.  I set it in Reply-To:.


Long story short, I've discovered an email transaction service that always claims "auth=pass" in its AAR header, see the following example:

ARC-Authentication-Results: i=1; rspamd-9fcc56855-j2crh;
     auth=pass smtp.auth=cloudflare
     [email protected]

This is how their AAR header *always* looks, regardless of the sender's domain SPF/DMARC/DKIM record. My questions here are:

 1. is "auth=pass" a valid property in the AAR header? RFC 8617 seems to
    indicate you can technically put anything you want but all the examples
    I've seen are different and actually have SPF/DMARC/DKIM check results.
    (e.g. spf=pass etc..)


There is a page collecting the various auth methods defined:
https://www.iana.org/assignments/email-auth/email-auth.xhtml

auth= is defined by RFC 8601 and is related to the SMTP authorization to (relay) that the message author obtained on sending.


 2. Can an ARC chain be considered valid in the case where the first hop (i=1)
    has the above AAR header and doesn't actually check SPF/DMARC/DKIM of the
    sender domain?


That's a policy decision. It could also just have "none". It is normal to define SPF/DMARC/DKIM results obtained when the message was received. Recall that ARC should not be set by the author domain.


 3. How should the final Email service provider treat an email with an AAR
    header like the above?


Their server, their policy.


 4. Should not having SPF/DMARC/DKIM checks in the AAR header result in an
    arc=fail?


No.


Best
Ale
--







_______________________________________________
dmarc mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dmarc
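
As an added example (not part of the original message, and not code from any ARC implementation), the sketch below parses an ARC-Authentication-Results value and reports which methods it records, so a receiver's local policy can tell an `auth`-only first hop from one that lists SPF/DKIM/DMARC results. The sample values, host names and function names are constructed for illustration.

```python
import re

# Methods that record checks made when the message was received.
RECEIVE_CHECKS = {"spf", "dkim", "dmarc"}

# Constructed sample values (not taken from real traffic).
SAMPLE_AUTH_ONLY = ("i=1; mx.example.net;\r\n auth=pass smtp.auth=relayuser\r\n"
                    " smtp.mailfrom=sender@example.org")
SAMPLE_CHECKED = ("i=1; mx.example.net; spf=pass smtp.mailfrom=example.org;"
                  " dkim=pass header.d=example.org; dmarc=pass header.from=example.org")

def parse_aar(value):
    """Return (instance, authserv_id, {method: {"result", "props"}}).

    Simplified: no nested comments, no quoted strings containing ';' or spaces,
    and a repeated method (e.g. two dkim results) keeps only the last one.
    """
    value = re.sub(r"\([^()]*\)", " ", value)          # drop simple comments
    parts = [" ".join(p.split()) for p in value.split(";")]  # unfold, trim
    parts = [p for p in parts if p]
    m = re.fullmatch(r"i\s*=\s*(\d+)", parts[0]) if parts else None
    if not m or len(parts) < 2:
        raise ValueError("missing i= tag or authserv-id")
    results = {}
    for resinfo in parts[2:]:
        if resinfo.lower() == "none":                  # "no-result" form
            continue
        tokens = resinfo.split()
        method, _, result = tokens[0].partition("=")
        props = dict(t.split("=", 1) for t in tokens[1:] if "=" in t)
        results[method.lower()] = {"result": result.lower(), "props": props}
    return int(m.group(1)), parts[1], results

def summarize(value):
    """Facts a receiver's local policy can weigh; this is not an ARC verdict."""
    instance, authserv_id, results = parse_aar(value)
    checked = sorted(RECEIVE_CHECKS & results.keys())
    return {
        "instance": instance,
        "authserv_id": authserv_id,
        "methods": sorted(results),
        "receive_checks": checked,
        # Only SMTP AUTH was recorded; no SPF/DKIM/DMARC result from reception.
        "submission_auth_only": "auth" in results and not checked,
    }

if __name__ == "__main__":
    for sample in (SAMPLE_AUTH_ONLY, SAMPLE_CHECKED):
        print(summarize(sample))
```
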
