On Thursday, 30.12.2021 at 17:07 -0500, dovecot at ptld.com wrote:
> > On 12-30-2021 10:35 am, Felix Zielcke wrote:
> >
> > But dovecot mailing list uses ARC Headers.
> > And they seem to verify for me (using rspamd)
>
> I have not fully studied ARC, but from briefly looking isn't ARC just
> a way for the sending server to attest to the email it is relaying as
> being legit? So if the sending server is a spam server couldn't it
> lie and claim the mail is legit? If that is the case I'm not sure
> what the point of ARC is, how does it prevent fraud? It's like asking
> a liar if they are lying and taking their word for it. And I assumed
> this is why ARC never really took off.

Spam senders can set up valid SPF + DKIM too. The only difference is a malicious relay could make ARC headers for e.g. microsoft.com even though DKIM didn't pass. So yeah, you need more trust with ARC. But I think you can trust the dovecot mailing list server.
On 2021-12-31 08:38, Felix Zielcke wrote:
> Spam senders can set up valid SPF + DKIM too.

most fail to understand spf helo pass :)

> The only difference is a malicious relay could make ARC headers for e.g.
> microsoft.com even though DKIM didn't pass. So yeah you need more trust
> with ARC.

you still would just verify original sender via dmarc validating through dkim, spf, arc chains

if maillist all did the arc seal / arc sign, before they break dkim, then it's still possible to verify original sender trust, bingo

it's just sad nearly all make it worse by dkim sign all forwarded mails, they miss the dkim private key mostly to do this, no ? :=)

> But I think you can trust the dovecot mailing list server.

exactly why i started debate on spf helo pass, hope all fellows get it why
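The two messages above turn on one point: an ARC chain is only as trustworthy as the servers that sealed it, since any relay can emit an ARC-Authentication-Results header claiming dkim=pass for a domain whose key it never held. The following is an added example, not code from any participant in this thread, of the policy layer a receiver puts on top of a cryptographic ARC verifier such as rspamd: the verifier decides whether the chain validates, and this code decides whether a validated chain from these particular sealers may override a DMARC failure. The sample message, the sealer domain dovecot.org used as an allow-list entry, and all signature values are constructed placeholders.

```python
import email
import re
from email.utils import parseaddr

# Constructed sample: DKIM from example.com was broken by a list rewrite, but
# the list server (dovecot.org, used here only as a sample sealer name) sealed
# the message with ARC. Signature values are placeholders, not real signatures.
SAMPLE = """\
ARC-Seal: i=1; a=rsa-sha256; t=1640900000; cv=none; d=dovecot.org; s=arc; b=PLACEHOLDER
ARC-Message-Signature: i=1; a=rsa-sha256; d=dovecot.org; s=arc; h=From:To:Subject; bh=PLACEHOLDER; b=PLACEHOLDER
ARC-Authentication-Results: i=1; dovecot.org; spf=pass smtp.mailfrom=example.com; dkim=pass header.d=example.com
From: Alice <alice@example.com>
To: dovecot@dovecot.org
Subject: [Dovecot] test

hello
"""


def load_sample():
    """Parse the constructed sample into an email.message.Message."""
    return email.message_from_string(SAMPLE)


def parse_tags(value):
    """Parse a 'k=v; k=v' tag list as used by DKIM and ARC header fields."""
    tags = {}
    for part in value.split(";"):
        if "=" in part:
            key, val = part.split("=", 1)
            tags[key.strip()] = val.strip()
    return tags


def arc_sets(msg):
    """Group ARC-Seal and ARC-Authentication-Results fields by instance i=."""
    sets = {}
    for name in ("ARC-Seal", "ARC-Authentication-Results"):
        for raw in msg.get_all(name, []):
            tags = parse_tags(raw)
            sets.setdefault(int(tags["i"]), {})[name] = (tags, raw)
    return sets


def aar_aligned_pass(aar_text, from_domain):
    """True if the AAR reports a DKIM or SPF pass for a domain that aligns
    (strict mode: exact match) with the From: domain. Only an aligned pass
    can justify overriding DMARC."""
    text = aar_text.lower()
    m = re.search(r"dkim=pass[^;]*header\.d=([\w.-]+)", text)
    if m and m.group(1) == from_domain:
        return True
    m = re.search(r"spf=pass[^;]*smtp\.mailfrom=(?:[^@\s;]+@)?([\w.-]+)", text)
    return bool(m and m.group(1) == from_domain)


def dmarc_override(msg, local_arc_result, trusted_sealers):
    """Decide whether an ARC chain may rescue a message that failed DMARC.

    local_arc_result is the cryptographic verdict of the local verifier
    (e.g. rspamd's arc=pass / arc=fail). On top of that, every sealer in the
    chain must be on the receiver's allow list (otherwise any relay could seal
    a claim of dkim=pass for a domain whose key it does not hold), and the
    oldest AAR (i=1) must report an aligned SPF or DKIM pass.
    """
    if local_arc_result != "pass":
        return False
    sets = arc_sets(msg)
    if not sets:
        return False
    trusted = {d.lower() for d in trusted_sealers}
    for i in sorted(sets):
        entry = sets[i].get("ARC-Seal")
        if entry is None:
            return False
        seal = entry[0]
        if seal.get("d", "").lower() not in trusted:
            return False
        # The first seal has no predecessor (cv=none); every later seal must
        # vouch that the chain before it verified (cv=pass).
        if seal.get("cv") != ("none" if i == 1 else "pass"):
            return False
    first = sets[min(sets)].get("ARC-Authentication-Results")
    if first is None:
        return False
    from_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    return aar_aligned_pass(first[1], from_domain)


if __name__ == "__main__":
    msg = load_sample()
    print("trusted sealer:", dmarc_override(msg, "pass", {"dovecot.org"}))
    print("unknown sealer:", dmarc_override(msg, "pass", {"lists.example.net"}))
```

The allow list is the whole point: with `{"dovecot.org"}` the sample is accepted, with an unknown sealer it is not, regardless of what the AAR claims. Alignment is checked in strict mode here; a deployment following the domain's DMARC record may relax it to the organizational domain.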
On 1/01/22 12:56 am, Benny Pedersen wrote:
> if maillist all did the arc seal / arc sign, before they break dkim, then
> it's still possible to verify original sender trust, bingo
>
> it's just sad nearly all make it worse by dkim sign all forwarded mails,
> they miss the dkim private key mostly to do this, no ? :=)

The problem is there is a not insignificant number of recipient MTAs that check SPF/DKIM/DMARC but do not recognize ARC yet. If you rely on ARC signing then these MTAs will likely reject your mail.

This means that the only reliable way to pass SPF, DKIM and DMARC if you're forwarding mail is:

1. Check the inbound SPF, DKIM and DMARC and reject the mail if it doesn't pass.
2. Other anti-spam measures to try to absolutely minimize the amount of SPAM that you end up forwarding.
3. Remove any existing DKIM signature that includes the From: or Reply-To: headers or any other header or content that you will be modifying in the message.
4. Rewrite the From: header to your domain name, add a Reply-To: header with the original From: header's content.
5. Do any other alterations, such as adding List-* headers, modifying the Subject: header, etc.
6. DKIM sign the message from the domain you rewrote the From: header to.
7. Rewrite the envelope sender to your domain name.
8. Send out the message.

The above assumes properly implemented SPF, DKIM and DMARC records for your domain.

That is the *only* way you can be fully certain that the forwarded message will pass SPF, DKIM and DMARC checks and therefore have the best chances of being received by the recipient. Anything else relies on implementation specifics of the sender and/or the recipient MTAs which may or may not make that possible.

Peter
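Steps 3 to 7 of the procedure above, as an added example that is not code from Peter or from any mailing-list software, applied to a constructed inbound message. The list domain lists.example.org, its addresses, the subject tag and every signature value are placeholders. The selective part of step 3 is the interesting one: only signatures whose h= list covers a header the forwarder rewrites are removed, so an inbound signature over untouched headers survives as long as the body is left alone. The final b= value of step 6 needs the list domain's private key and is produced by a DKIM library (dkimpy's dkim.sign() in practice); what the block computes for that step is the bh= body hash, using the RFC 6376 "simple" body canonicalisation.

```python
import base64
import email
import hashlib
from email.utils import parseaddr, formataddr

# Assumed forwarder identity (placeholders, not a real list).
LIST_DOMAIN = "lists.example.org"
LIST_ADDR = "dovecot@" + LIST_DOMAIN
ENVELOPE_SENDER = "dovecot-bounces@" + LIST_DOMAIN   # step 7
SUBJECT_TAG = "[Dovecot]"
# Headers steps 4 and 5 change; any inbound signature covering them must go.
REWRITTEN = {"from", "reply-to", "subject"}

# Constructed inbound message that already passed SPF/DKIM/DMARC (steps 1-2).
# The second signature deliberately covers only headers we leave untouched.
INBOUND = """\
DKIM-Signature: v=1; a=rsa-sha256; d=example.com; s=sel1; h=From:To:Subject:Date; bh=PLACEHOLDER; b=PLACEHOLDER
DKIM-Signature: v=1; a=rsa-sha256; d=example.com; s=sel2; h=To:Date; bh=PLACEHOLDER; b=PLACEHOLDER
From: Alice <alice@example.com>
To: dovecot@lists.example.org
Subject: question about sieve
Date: Fri, 31 Dec 2021 10:00:00 +0000

hello list
"""


def signed_headers(dkim_value):
    """Lower-case set of header names listed in a DKIM-Signature h= tag."""
    for part in dkim_value.split(";"):
        key, _, val = part.strip().partition("=")
        if key.strip().lower() == "h":
            return {h.strip().lower() for h in val.split(":") if h.strip()}
    return set()


def strip_conflicting_dkim(msg):
    """Step 3: drop only signatures that cover a header we will rewrite.
    Survivors are re-appended; their position does not affect verification.
    Returns the number of signatures dropped."""
    sigs = msg.get_all("DKIM-Signature", [])
    del msg["DKIM-Signature"]
    kept = [s for s in sigs if not (signed_headers(s) & REWRITTEN)]
    for s in kept:
        msg["DKIM-Signature"] = s
    return len(sigs) - len(kept)


def rewrite_from(msg):
    """Step 4: From: becomes the list domain; the author moves to Reply-To:."""
    orig_from = msg["From"]
    name, addr = parseaddr(orig_from)
    msg.replace_header("From", formataddr((f"{name or addr} via list", LIST_ADDR)))
    if msg["Reply-To"] is None:
        msg["Reply-To"] = orig_from
    else:  # keep an author-chosen Reply-To as well
        msg.replace_header("Reply-To", f"{msg['Reply-To']}, {orig_from}")
    return orig_from


def add_list_headers(msg):
    """Step 5: List-* headers and the subject tag."""
    msg["List-Id"] = f"<dovecot.{LIST_DOMAIN}>"
    msg["List-Post"] = f"<mailto:{LIST_ADDR}>"
    subject = msg["Subject"] or ""
    if not subject.startswith(SUBJECT_TAG):
        del msg["Subject"]
        msg["Subject"] = f"{SUBJECT_TAG} {subject}".rstrip()


def simple_body_canon(body):
    """RFC 6376 'simple' body canonicalisation: CRLF line ends, trailing
    empty lines removed, exactly one CRLF at the end."""
    body = body.replace("\r\n", "\n").replace("\n", "\r\n")
    while body.endswith("\r\n\r\n"):
        body = body[:-2]
    if not body.endswith("\r\n"):
        body += "\r\n"
    return body


def body_hash(body):
    """bh= value for the list's own signature (step 6)."""
    digest = hashlib.sha256(simple_body_canon(body).encode()).digest()
    return base64.b64encode(digest).decode()


def forward(inbound_text):
    """Steps 3-7 on one message. Returns (message, envelope sender, dropped
    signature count, bh= for the list's DKIM signature). The body is not
    changed here; a forwarder that appends a footer changes bh= and must then
    drop every inbound signature without a matching l= tag as well."""
    msg = email.message_from_string(inbound_text)
    dropped = strip_conflicting_dkim(msg)
    rewrite_from(msg)
    add_list_headers(msg)
    return msg, ENVELOPE_SENDER, dropped, body_hash(msg.get_payload())
```

Running `forward(INBOUND)` drops the sel1 signature (it covers From and Subject), keeps sel2, and leaves a message whose From:, Reply-To:, Subject: and envelope sender are exactly what steps 4, 5 and 7 ask for, ready for the list domain's signer.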