ARC doesn't solve the problem either, because ARC requires trust to be
established between all signers in the chain and the receiver of the message.
ARC doesn't provide any means to establish this trust. In short: ARC
will only work with a whitelist of known forwarders and it doesn't
contain any means to redistribute or update this whitelist. It's
intended for a product like OpenARC to be distributed with the whitelist of
known forwarders preloaded.

It's quite sad people misunderstand this fact and believe ARC can
replace DMARC. It cannot. ARC doesn't work without DMARC, because ARC
only adds whitelist and tracking functionality to DMARC.

Currently, we have whitelists based on DKIM signatures / IP addresses of
known forwarders, so the profit from ARC is close to zero. It allows one to
distinguish between forwarded and locally generated messages and is
helpful in the case where a message is forwarded multiple times. That's all.

P.S.
Benoit provided the original message - it was a spam message with a
fake address, so it had no DKIM authentication. Forwarding a message like
that with SRS to GMail gives negative reputation for both the forwarding IP
and the authorizing domain (the one used for SRS). A DMARC filter on the
forwarding server could eliminate this problem. No problems are expected for
a real message with DKIM authentication in the current configuration.

02.11.2017 17:12, Ken O'Driscoll wrote:
> On Thu, 2017-11-02 at 13:28 +0100, Benoit Panizzon wrote:
>> How would one correctly implement email forwarding which works with all
>> kind of SPF, DKIM and DMARC Variants?
> Hi Benoit,
>
> Short answer - you can't. DMARC is simply not designed to facilitate any
> type of address re-writing or forwarding.
>
> As Vladimir points out, DKIM can sometimes prevail after an email is
> forwarded, but it can't be assumed. Plus, that DKIM signature must be
> already working and aligned to the original sending domain. 
>
> DMARC also breaks mailing lists. Mailman "gets around" DMARC by re-writing
> the From address to be that of the list and putting the original sender in
> the Reply-To. Fine for mailing lists, not so fine for one-to-one emails
> etc.
>
> There is an emerging mechanism called ARC (http://arc-spec.org/) which
> addresses this restriction in DMARC to some degree in certain cases. Many
> providers, including Google, are already trialing ARC and it is being
> actively worked on.
>
> Ken.
>
> -- 
> Ken O'Driscoll / We Monitor Email
> t: +353 1 254 9400 | w: www.wemonitoremail.com
>
> Need to understand deliverability? Now there's a book:
> www.wemonitoremail.com/book
>
>
> _______________________________________________
> mailop mailing list
> mailop@mailop.org
> https://chilli.nosignal.org/cgi-bin/mailman/listinfo/mailop


-- 
Vladimir Dubrovin
@Mail.Ru
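
The trust problem described in the message above, as an added example that is not part of the original post or of any ARC implementation: a receiver-side policy check that only lets an ARC chain override a local DMARC fail when every sealer is on a locally maintained list. The list contents, function names and sample headers are constructed for illustration, and cryptographic validation of the seals is assumed to happen elsewhere and is passed in as `seals_verified`.

```python
import re
from email import message_from_string

# Assumption: a locally maintained list of forwarders this receiver trusts.
TRUSTED_SEALERS = {"lists.example.org", "forwarder.example.net"}

def _tags(value):
    """Parse the 'k=v; k=v' tag list of an ARC-Seal header."""
    pairs = (p.split("=", 1) for p in value.split(";") if "=" in p)
    return {k.strip(): "".join(v.split()) for k, v in pairs}

def arc_chain(msg):
    """Return [(instance, sealer_domain, cv)] sorted by instance number."""
    chain = []
    for value in msg.get_all("ARC-Seal", []):
        t = _tags(value)
        chain.append((int(t.get("i", "0")), t.get("d", "").lower(), t.get("cv", "")))
    return sorted(chain)

def first_hop_dmarc_pass(msg):
    """True if the i=1 ARC-Authentication-Results records dmarc=pass."""
    return any(re.match(r"\s*i=1\s*;", v) and re.search(r"\bdmarc=pass\b", v)
               for v in msg.get_all("ARC-Authentication-Results", []))

def arc_override_allowed(msg, seals_verified, trusted=TRUSTED_SEALERS):
    """May a local DMARC fail be overridden because of the ARC chain?
    seals_verified: outcome of cryptographic ARC validation, done elsewhere."""
    try:
        chain = arc_chain(msg)
    except ValueError:
        return False
    if not seals_verified or not chain:
        return False
    for pos, (i, domain, cv) in enumerate(chain, start=1):
        # Instances must run 1..n; cv is "none" on the first seal, "pass" after.
        if i != pos or cv != ("none" if pos == 1 else "pass"):
            return False
        # A valid signature from an unknown sealer proves nothing about its claims.
        if domain not in trusted:
            return False
    return first_hop_dmarc_pass(msg)

def sample(*sealers):
    """Constructed message sealed in order by the given domains (b= is a placeholder)."""
    hdrs = ["ARC-Authentication-Results: i=1; mx.%s; dmarc=pass header.from=example.com" % sealers[0]]
    for n, d in enumerate(sealers, start=1):
        hdrs.append("ARC-Seal: i=%d; a=rsa-sha256; cv=%s; d=%s; s=arc; b=PLACEHOLDER"
                    % (n, "none" if n == 1 else "pass", d))
    return message_from_string("\n".join(hdrs) + "\nFrom: user@example.com\n\nbody\n")
```

A chain sealed by an unlisted domain is rejected even when `seals_verified` is true, which is the case the message describes: the signature is valid, but the receiver has no basis for believing what the sealer recorded.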


