On Mon, Jun 20, 2022 at 11:41 AM Paulo Pinto via mailop <[email protected]> wrote:
>
> >ARC is motivated by the cases where DKIM/SPF/DMARC information about the
> >author/originator get broken.
>
> I'm truly trying to find a justification to break DKIM/SPF on a message after
> it is sent.

I don't know why people do it, but what I see is people want to run multiple email spam filters or security services or tools. Like, their domain's MX points to Proofpoint, then Proofpoint forwards that mail on to Google for Business. That second step results in Google checking SPF results (as it would typically do) but those fail because it is not the edge server any longer. A use case that this potentially helps solve. <- My prior employer was configured this way and it was very annoying to see SPF fail in header results and have to explain this to people constantly that it was an inbound configuration choice, not an indication of failure.

> SPF -> You should be aware of all the servers that can be involved in the
> message transaction so no excuse to not have them reflected in the SPF record

SPF is a last hop methodology. Forwarding adds hops that are outside of your control. It'd be bad to just add random forwarding IPs to your SPF record.

> DKIM -> The message should only be signed after it is complete and leaving
> your controlled environment. Any modification to the message afterwards is
> tampering and should not happen.

But it does happen, sometimes intentionally, sometimes not.

I didn't really "get" ARC when it comes to mailing lists, there seems to be little point, as I felt that most people already dealt with mailing lists under DMARC via header rewriting.

ARC for enterprise email security chaining, though, I think that use case makes sense to me. I personally wouldn't configure things this way, but people do it, so it is good that there is a way to handle "passing authentication results forward," if you wish to trust the prior hop's ARC results.

Cheers,
Al Iverson
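The chained-filter case described in the message above, as an added example that is not part of the original post: a small Python check that reports the SPF result a trusted edge hop recorded in ARC-Authentication-Results when the final receiver saw an SPF fail. The hostnames, header values and the `trusted_sealers` parameter are constructed assumptions; the code reads the results the final receiver stamped (including its own `arc=pass`) and does not verify ARC signatures itself.

```python
import re
from email import message_from_string

# Constructed sample. gw.example.net (hypothetical) is the filtering service the
# MX points to; mx.example.org (hypothetical) is the mailbox provider behind it.
SAMPLE = """\
Authentication-Results: mx.example.org;
 spf=fail smtp.mailfrom=sender.example;
 dkim=pass header.d=sender.example;
 arc=pass (i=1)
ARC-Seal: i=1; a=rsa-sha256; d=gw.example.net; s=arc; cv=none; b=CONSTRUCTED
ARC-Message-Signature: i=1; a=rsa-sha256; d=gw.example.net; s=arc; b=CONSTRUCTED
ARC-Authentication-Results: i=1; gw.example.net;
 spf=pass smtp.mailfrom=sender.example;
 dkim=pass header.d=sender.example
From: alice@sender.example
Subject: constructed test message

body
"""

METHOD = re.compile(r"\b(spf|dkim|dmarc|arc)=(\w+)")

def results(value):
    """{method: result} from an (ARC-)Authentication-Results header value."""
    return {m.lower(): r.lower() for m, r in METHOD.findall(value)}

def tags(value):
    """Parse a 'k=v; k=v' tag list (ARC-Seal, start of ARC-Authentication-Results)."""
    return dict(t.strip().split("=", 1) for t in value.split(";") if "=" in t)

def spf_verdict(raw, trusted_sealers):
    """SPF result to report: the local one, unless a trusted ARC hop recorded a pass."""
    msg = message_from_string(raw)
    local = results(msg.get("Authentication-Results", ""))
    # Only look upstream if SPF failed here AND this receiver validated the chain.
    if local.get("spf") == "pass" or local.get("arc") != "pass":
        return local.get("spf", "none")
    sealer = {}
    for v in msg.get_all("ARC-Seal", []):
        t = tags(v)
        sealer[t.get("i")] = t.get("d", "").lower()
    for v in sorted(msg.get_all("ARC-Authentication-Results", []),
                    key=lambda h: int(tags(h).get("i", 0))):
        i = tags(v).get("i")
        if i and sealer.get(i) in trusted_sealers and results(v).get("spf") == "pass":
            return "pass-at-edge:" + sealer[i]
    return local.get("spf", "none")

if __name__ == "__main__":
    print(spf_verdict(SAMPLE, {"gw.example.net"}))
```

The upstream result is used only when the sealing domain is on the caller's trust list, which is the "if you wish to trust the prior hop" condition from the message.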
