Three concrete use-cases where ARC is helpful:

1) SPF Downgrade <https://www.valimail.com/blog/how-an-spf-upgrade-attack-spoofed-googles-blue-checkmark/>. We didn't reach consensus for adding auth= tag to DMARC and so SPF Upgrade remains a significant vulnerability for achieving a DMARC pass. Having the ARC headers allows us to detect that this has occurred and respond appropriately (reject/spam-folder the message or just downgrade the authentication state in our system).

2) Excluding indirect mail flows from parts of Sender Requirements <https://blog.google/products/gmail/gmail-security-authentication-spam-protection/> / NoAuthNoEntry. Having the ARC headers and a safe way to consistently identify the indirect flow in a non-spoofable way allows us to not apply requirements that don't make sense for forwarded mail (e.g. requiring SPF or DMARC alignment).

3) Local policy for DMARC failures. For example, downgrading p=reject to p=quarantine if ARC headers indicating indirect mail and previous alignment are present.

On Tue, Apr 2, 2024 at 6:37 AM Murray S. Kucherawy <[email protected]> wrote:

> Hi Emanuel,
>
> On Tue, Apr 2, 2024 at 1:02 AM Emanuel Schorsch <[email protected]>
> wrote:
>
>> Just to chime in, Gmail is using ARC and it has already provided a large
>> amount of value for the indirect flow problem. Especially, since other
>> major providers and a number of forwarders are adding ARC headers that
>> provide us useful visibility into the previous hops and allow us to make
>> more intelligent decisions. I can share that a number of escalations for
>> problems that arose out of indirect flows have been resolved by use of ARC
>> headers.
>>
>
> Can you give an example, even if only a hypothetical one?
>
> I would love to hear more detail than "Yes, it provides value." How,
> exactly? And have any other operators found the same?
>
> -MSK, p11g
>
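
Use-case 3 from the message above, sketched as a receiver-side local policy in Python. This is an added example, not code from the thread or from any provider: the sample headers, `TRUSTED_SEALERS` and the function names are constructed for illustration, and the `arc_chain_valid` input is assumed to come from a real RFC 8617 chain verifier.

```python
import re
from email import message_from_string

# Constructed sample: a hypothetical forwarder sealed the message after
# recording that DMARC passed when it first received it.
SAMPLE = """\
ARC-Seal: i=1; a=rsa-sha256; cv=none; d=forwarder.example; s=arc; t=1712000000; b=PLACEHOLDER
ARC-Message-Signature: i=1; a=rsa-sha256; d=forwarder.example; s=arc; h=from:subject; bh=PLACEHOLDER; b=PLACEHOLDER
ARC-Authentication-Results: i=1; forwarder.example; spf=pass smtp.mailfrom=sender.example; dkim=pass header.d=sender.example; dmarc=pass header.from=sender.example
From: alice@sender.example
Subject: constructed example

body
"""

TRUSTED_SEALERS = {"forwarder.example"}  # assumption: locally maintained allow-list


def tags(value):
    """Parse a 'k=v; k=v' tag list such as an ARC-Seal header value."""
    return dict(p.strip().split("=", 1) for p in value.split(";") if "=" in p)


def prior_alignment(msg):
    """True if every sealer is trusted and hop i=1 recorded dmarc=pass."""
    sealers = [tags(s).get("d", "").lower() for s in msg.get_all("ARC-Seal", [])]
    if not sealers or any(d not in TRUSTED_SEALERS for d in sealers):
        return False
    for aar in msg.get_all("ARC-Authentication-Results", []):
        m = re.match(r"\s*i=1\s*;(.*)", aar, re.S)
        if m:
            return bool(re.search(r"\bdmarc=pass\b", m.group(1)))
    return False


def disposition(msg, dmarc_result, policy, arc_chain_valid):
    """Soften p=reject to quarantine only for validated indirect flows.

    arc_chain_valid must be the verdict of an ARC verifier; this sketch
    reads the recorded results and does not check signatures itself.
    """
    if dmarc_result == "pass":
        return "accept"
    if policy == "reject" and arc_chain_valid and prior_alignment(msg):
        return "quarantine"
    return policy if policy in ("reject", "quarantine") else "accept"
```

Without a valid chain or a trusted sealer the published policy is applied unchanged, so unverified ARC headers never soften a reject.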