On Tue 03/Feb/2026 20:54:03 +0100 John R. Levine wrote:
> On Tue, 3 Feb 2026, Jeroen Massar wrote:
>
>> As a side-note in the above codebase, when a message is received with a DKIM header, we replace the original "From: [email protected]" with "From: jeroen=massar.ch@via.<domain>", then DKIM sign it ...
>
> Yes, IETF lists including this one do a similar hack based on one I did for my sympa lists quite a while ago. One of the goals of DKIM2 is to let mailing lists stop using that ugly hack and just describe the changes they wanted to make so recipients can look back and see the original DMARC alignment, i.e., what we hoped ARC would do but in fact it doesn't.


The (subtle) difference lies in the kind of trust the receiver must place in the signer. The intended use of ARC required blind trust, whereas DKIM2 can reconstruct the original message and verify the author's domain signature, so it only needs to trust that the changes made by the forwarder are semantically correct.

Global trust is slippery, because spammers can take legitimate posts, wholly replace their content, while duly compiling the difference and signing. How do we know that DKIM2 won't fail for the same reasons ARC failed?

In the meantime, what's wrong if those who have already developed ARC learn to use it in a different way, namely just to export authentication results?


Best
Ale
--



_______________________________________________
dmarc mailing list -- [email protected]
To unsubscribe send an email to [email protected]
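
The From rewriting quoted in this thread, as an added Python example that is not part of the original messages or of either list's code. The list domain `via.lists.example`, the sample author address and all function names are assumptions; strict DMARC alignment (exact domain match) is used because relaxed alignment needs a public suffix list.

```python
from email.utils import formataddr, parseaddr

# Assumed list domain; the post elides it as "via.<domain>".
VIA_DOMAIN = "via.lists.example"


def _split(addr):
    """Split addr at its last '@'; reject anything without both halves."""
    local, at, domain = addr.rpartition("@")
    if not (at and local and domain):
        raise ValueError(f"not an addr-spec: {addr!r}")
    return local, domain.lower()


def munge_from(from_header, via_domain=VIA_DOMAIN):
    """Rewrite 'user@domain' to 'user=domain@via_domain', keeping the display name."""
    name, addr = parseaddr(from_header)
    local, domain = _split(addr)
    return formataddr((name, f"{local}={domain}@{via_domain}"))


def unmunge_from(from_header, via_domain=VIA_DOMAIN):
    """Recover the author address from a munged From, or None if it is not munged."""
    name, addr = parseaddr(from_header)
    local, domain = _split(addr)
    if domain != via_domain.lower():
        return None
    # A domain cannot contain '=', so the last '=' is the separator even when
    # the author's local part has its own '='.
    orig_local, eq, orig_domain = local.rpartition("=")
    if not (eq and orig_local and orig_domain):
        return None
    return formataddr((name, f"{orig_local}@{orig_domain}"))


def strictly_aligned(from_header, dkim_d):
    """DMARC strict alignment (adkim=s): From domain equals the DKIM d= domain."""
    return _split(parseaddr(from_header)[1])[1] == dkim_d.lower()


if __name__ == "__main__":
    original = "Alice Example <alice@author.example>"  # constructed sample
    munged = munge_from(original)
    print(munged)
    print("author d= aligned:", strictly_aligned(munged, "author.example"))
    print("list d= aligned:  ", strictly_aligned(munged, VIA_DOMAIN))
    print("recovered:", unmunge_from(munged))
```

After the rewrite only the list's own signature aligns with the From domain, so the recovered author address is a claim made by the list rather than something the author's signature still vouches for.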
