[dmarc-discuss] A bit quiet?

Roland Turner roland.turner at trustsphere.com
Mon Oct 26 23:11:59 PDT 2015


Scott Kitterman wrote:

> On October 26, 2015 9:12:17 AM EDT, Roland Turner via dmarc-discuss <dmarc-discuss at dmarc.org> wrote:
>>Scott Kitterman wrote:
> ...
> snipped down to one bit as we seem to mostly be going around in circles
> ...
>>> As a domain owner, I can control what sources of mail are able to
>>> generate mail that passes SPF or has a valid DKIM signature with d=my
>>> domain.  Anyone, anywhere can generate an ARC stamp with my domain in it,
>>> so it's completely different.
>>
>>No, they can't.
>>
>>(More accurately, like a DKIM signature, anyone can create one, but it
>>won't validate unless they've also gotten their hands on one of your
>>private keys.)
>
> Who adds the ARC stamp? Perhaps I read it wrong, but I read it as
> being added by the intermediary and not the originator (previous hop).

Any participating forwarder can add an ARC signature. Of necessity they sign
it with their own domain (as for DKIM, the rule for locating the public key remains
to query the DNS for a TXT record at {s}._domainkey.{d}) and, therefore, take
responsibility for the change. (You stated "generate an ARC stamp with my
domain in it", which is what I was rebutting.)

Note also that:

- The originator is at the beginning of the first hop, not necessarily
the immediately previous hop.

- Situations also arise in which multiple modifying forwarders are involved,
for example someone has a list subscription pointing to a long-term email
address that in turn forwards elsewhere but adds a footer while doing so.
A surprising fraction of my own posts to mailing lists experience this (not
only does DMARC fail, but e.g. the DKIM signature attached by Google Groups
fails too).

> If I read it right, anyone can create an ARC stamp claiming to have received
> authenticated (e.g. DKIM signed) mail from my domain.  Am I reading it wrong?

Indeed, anyone can claim anything. Forwarders making false claims of this type
aren't going to be trusted for very long.

- Roland
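As an added illustration, not taken from this thread or from any ARC implementation, the following Python parses a constructed ARC set and separates the two things the thread keeps conflating: the domain whose key (at {s}._domainkey.{d}) a verifier checks the seal against, and the domains the seal merely makes claims about. The header names are the ARC ones; the domains, selector, timestamp and signature values are all constructed placeholders.

```python
# Constructed ARC set (not real headers): forwarder lists.example.net seals the
# message and records that it saw DKIM-signed mail from example.com. bh=/b= are
# placeholders, not valid hashes or signatures.
ARC_HEADERS = [
    "ARC-Seal: i=1; a=rsa-sha256; cv=none; d=lists.example.net; s=arc2015; "
    "t=1445900000; b=PLACEHOLDER",
    "ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=lists.example.net; "
    "s=arc2015; h=from:to:subject; bh=PLACEHOLDER; b=PLACEHOLDER",
    "ARC-Authentication-Results: i=1; lists.example.net; "
    "dkim=pass header.d=example.com; spf=pass smtp.mailfrom=example.com",
]

def parse_tags(value):
    """Parse a DKIM-style 'tag=value; tag=value' list into a dict."""
    return dict(p.strip().split("=", 1) for p in value.split(";") if "=" in p)

def key_location(tags):
    """DNS name a verifier queries for the public key: {s}._domainkey.{d}, as for DKIM."""
    return f"{tags['s']}._domainkey.{tags['d']}"

def parse_aar(value):
    """ARC-Authentication-Results: 'i=N; authserv-id; method=result ptype.prop=value; ...'."""
    parts = [p.strip() for p in value.split(";") if p.strip()]
    instance, authserv, claims = int(parts[0].split("=", 1)[1]), parts[1], {}
    for result in parts[2:]:
        method_result, *props = result.split()
        method, outcome = method_result.split("=", 1)
        # The domain the claim is about (header.d for DKIM, smtp.mailfrom for SPF).
        domain = props[0].split("=", 1)[1] if props else None
        claims[method] = (outcome, domain)
    return instance, authserv, claims

def responsibility(headers):
    """Per ARC instance: who sealed it (and where its key lives) vs. whom it makes claims about."""
    sets = {}
    for header in headers:
        name, _, value = header.partition(":")
        if name in ("ARC-Seal", "ARC-Message-Signature"):
            t = parse_tags(value)
            key = "sealer" if name == "ARC-Seal" else "ams_domain"
            s = sets.setdefault(int(t["i"]), {})
            s[key], s[key + "_key"] = t["d"], key_location(t)
        elif name == "ARC-Authentication-Results":
            instance, authserv, claims = parse_aar(value)
            sets.setdefault(instance, {}).update(authserv=authserv, claims=claims)
    return sets

def vouched_by_forwarder(arc_set, method):
    """True when the sealer asserts a result about a domain other than its own, so the
    claim rests on the forwarder's reputation, not on a key of the domain named in it."""
    return arc_set["claims"][method][1] != arc_set["sealer"]
```

Run against the constructed set, the seal's key record resolves under lists.example.net, so the "dkim=pass header.d=example.com" line is the forwarder's assertion about example.com rather than anything example.com's keys established.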

