On Sun 02/Mar/2025 16:55:11 +0100 Tero Kivinen wrote:
> Alessandro Vesely writes:
>>> Another problem is that my email filtering does check ARC, but
>>> spamassassin can only validate ARC signatures, I do not think there is
>>> a way to say that it should set SPF/DKIM/DMARC test results based on
>>> the valid ARC signature from trusted source, so I can't really use the
>>> ARC signatures yet.
>>
>> In the fix-forwarding draft, this is the only software to be developed. A
>> possible algorithm for verification could be the following:
>
> [ How to verify ARC sealed forwarding is valid omitted ]
>
> This only gives you a half of the solution, i.e., after that you know
> that you can trust ARC header and it is valid, but you also need to
> use the dkim/dmarc/spf result statements from the ARC header to
> augment the dkim/dmarc/spf checks done locally.

You can reject all failed DMARC except agreed forwards. And when all forwards
are agreed, everyone can set p=reject. I think this is enough to call it
fix-forwarding :-)

Messages that should have been rejected upon receipt but were not are a
nuisance. Usually, you cannot reject mail from a mailing list, to avoid
unsubscribing. However, you can complain to the responsible operator if
messages that they could have automatically rejected were instead accepted and
forwarded.

> If local checks for dkim/dmarc/spf fail, but trusted signer valid ARC
> says it succeeded at that point, then use the result from the ARC
> header when considering authentication of the sender.

For longer ARC chains, determining where the culprit is may become difficult.
Human inspection may be necessary.

Best
Ale
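The two rules discussed in this message (reject failed DMARC except for agreed forwards; when local checks fail, use the result a trusted sealer recorded in a valid ARC chain) can be sketched as follows. This is an added example, not part of either poster's message or of the fix-forwarding draft. The forwarder list, the sample headers, the requirement that every sealer in the chain be agreed, and the `chain_valid` input (cryptographic ARC validation is assumed to be done elsewhere) are assumptions.

```python
import re
from email import message_from_string

AGREED_FORWARDERS = {"lists.example.org"}  # hypothetical list of agreed sealers

# Constructed sample: one ARC set added by a forwarder (b=/bh= are placeholders).
SAMPLE = """\
ARC-Seal: i=1; a=rsa-sha256; t=1740931200; cv=none; d=lists.example.org;
 s=arc1; b=PLACEHOLDER
ARC-Message-Signature: i=1; a=rsa-sha256; d=lists.example.org; s=arc1;
 h=from:subject; bh=PLACEHOLDER; b=PLACEHOLDER
ARC-Authentication-Results: i=1; lists.example.org; spf=pass
 smtp.mailfrom=author.example; dkim=pass header.d=author.example;
 dmarc=pass header.from=author.example
From: someone@author.example
Subject: [list] hello

body
"""

def tags(value):
    """Parse a 'k=v; k=v' tag list (ARC-Seal), dropping folding whitespace."""
    pairs = (t.split("=", 1) for t in value.split(";") if "=" in t)
    return {k.strip(): "".join(v.split()) for k, v in pairs}

def arc_view(msg):
    """Return {instance: (sealer domain, dmarc result recorded at that hop)}."""
    seals = {int(t["i"]): t.get("d", "").lower()
             for t in map(tags, msg.get_all("ARC-Seal", []))
             if t.get("i", "").isdigit()}
    view = {}
    for aar in msg.get_all("ARC-Authentication-Results", []):
        i = re.match(r"\s*i\s*=\s*(\d+)", aar)
        r = re.search(r"\bdmarc\s*=\s*(\w+)", aar)
        if i and int(i.group(1)) in seals:
            view[int(i.group(1))] = (seals[int(i.group(1))], r.group(1) if r else "none")
    return view

def disposition(raw, local_dmarc, chain_valid):
    """local_dmarc: this receiver's own DMARC result; chain_valid: ARC validation outcome."""
    if local_dmarc == "pass":
        return "accept"
    view = arc_view(message_from_string(raw))
    if not chain_valid or 1 not in view:
        return "reject"
    # Assumption: every sealer in the chain must be an agreed forwarder.
    if any(domain not in AGREED_FORWARDERS for domain, _ in view.values()):
        return "reject"
    return "accept-arc" if view[1][1] == "pass" else "reject"
```

The override applies only when the local check has already failed, and it uses the i=1 result because that hop saw the message before any forwarder modified it.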