We have a significant problem with broken ARC chains, and it is caused by
email security providers. I think the only way to get the issue
addressed is to give it visibility, by including an ARC chain verification
option in the DMARC aggregate reports.

Here is the triggering scenario:

Outlook.com client is configured to use a commercial email filter on
outbound messages.

   - Client user sends a message to me, via the Outlook.com mail store
   server.
   - Outlook.com creates an ARC Set before sending the message out of their
   environment.
   - Outlook.com delivers the message to the email filtering vendor, which
   adds a client signature to the message but also breaks prior signatures.
   (The nature of the alteration is not perceptible.)
   - My inbound gateway checks ARC on every incoming message, and logs
   pass, fail, or none. Because of the client signature, the message passes
   DMARC, but because of the changes made at the same time, the final
   ARC-Message-Signature fails, and the chain status is Fail.

It appears that the affected vendors include IronPort, ProofPoint,
ForcePoint, and Sophos, among others.

Obviously, the solution is for those email filtering vendors to fix their
chain-breaking code, but before that can happen, they need to get some
complaints. To get some complaints, the problem needs visibility. I
don't know how to change the status quo unless DMARC reports carry the
problem back to the clients of those vendors.

Doug Foster
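
As an added illustration, not part of the post or of any vendor's code, here is the structural ARC chain check (RFC 8617 section 5.2 instance and cv= rules) that a gateway like the one described would run, and the kind of report row the proposal asks for: DMARC result plus ARC chain result plus the last sealer. The sample headers, the placeholder signature values and the `sig_ok` cryptographic verifier callback are assumptions.

```python
# Constructed sample for the scenario in the post: Outlook.com sealed the
# message as ARC instance 1, the message was altered downstream, so the
# gateway's signature verifier rejects the i=1 ARC-Message-Signature.
# Signature and hash values are placeholders, not real signatures.
SAMPLE_HEADERS = [
    ("ARC-Seal", "i=1; a=rsa-sha256; d=microsoft.com; s=arcsel; cv=none; b=PLACEHOLDER"),
    ("ARC-Message-Signature", "i=1; a=rsa-sha256; d=microsoft.com; s=arcsel;"
                              " h=from:to:subject; bh=PLACEHOLDER; b=PLACEHOLDER"),
    ("ARC-Authentication-Results", "i=1; mx.microsoft.com; spf=pass"
                                   " smtp.mailfrom=example.com; dkim=pass header.d=example.com"),
]

def parse_tags(value):
    """Split 'k=v; k=v' (the tag=value syntax shared by DKIM and ARC) into a dict."""
    return {k.strip(): v.strip() for k, _, v in
            (p.partition("=") for p in value.split(";")) if k.strip()}

def arc_sets(headers):
    """Group ARC headers by instance number: {i: {'seal': tags, 'ams': tags, 'aar': tags}}."""
    kinds = {"ARC-Seal": "seal", "ARC-Message-Signature": "ams",
             "ARC-Authentication-Results": "aar"}
    sets = {}
    for name, value in headers:
        if name in kinds:
            tags = parse_tags(value)
            sets.setdefault(int(tags["i"]), {})[kinds[name]] = tags
    return sets

def chain_status(sets, sig_ok):
    """Chain validation per RFC 8617 s5.2. sig_ok(i, kind) is the gateway's
    cryptographic verifier (assumed callback, kind is 'seal' or 'ams').
    Returns 'none' (no ARC sets), 'pass' or 'fail'."""
    if not sets:
        return "none"
    n = max(sets)
    if sorted(sets) != list(range(1, n + 1)):
        return "fail"                          # instances must run 1..N with no gaps
    for i in range(1, n + 1):
        s = sets[i]
        if set(s) != {"seal", "ams", "aar"}:   # every set needs all three headers
            return "fail"
        if s["seal"].get("cv") != ("none" if i == 1 else "pass"):
            return "fail"                      # cv chain must be none, pass, pass...
        if not sig_ok(i, "seal"):              # every ARC-Seal must verify
            return "fail"
    return "pass" if sig_ok(n, "ams") else "fail"   # only the latest AMS is checked

def report_row(headers, dmarc_result, sig_ok):
    """Row for the proposed aggregate report: who sealed last tells the report
    reader that the alteration happened after that hop."""
    sets = arc_sets(headers)
    last = sets[max(sets)]["seal"].get("d") if sets else None
    return {"dmarc": dmarc_result, "arc": chain_status(sets, sig_ok), "last_sealer": last}

def scenario_verifier(i, kind):
    """Stub verifier for the constructed scenario: seal verifies, AMS does not."""
    return kind == "seal"
```

Calling `report_row(SAMPLE_HEADERS, "pass", scenario_verifier)` yields the DMARC-pass/ARC-fail combination the post describes, with `last_sealer` naming the domain after which the message was changed.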