Alessandro Vesely writes:
> > Another problem is that my email filtering do check ARC, but
> > spamassassin can only validate ARC signatures, I do not think there is
> > a way to say that it should set SPF/DKIM/DMARC test results based on
> > the valid ARC signature from trusted source, so I can't really use the
> > ARC signatures yet.
>
> In the fix-forwarding draft, this is the only software to be developed. A
> possible algorithm for verification could be the following:
>
> 1) Find "list-id" in the List-Id: header field (which should be unique).
>
> 2) Find the domain (d=) in the top ARC-Seal: header field (the one with the
>    highest i=).
>
> 3) Verify that the final part of list-id matches the sealing domain.
>
> 4) For each recipient, verify that the <recipient, list-id> pair is in the
>    list of active agreements.
>
> Not a big task, right? This is the only software required, as managing the
> list of active agreements could be done manually, using a text editor. Oh
> well, there is also a web form to set up, which should not necessarily
> require software development. Of course, large companies would automate
> much more. The point is that even home-grown mail sites can adopt
> fix-forwarding without any problems.

This only gives you half of the solution, i.e., after that you know
that you can trust the ARC header and it is valid, but you also need to
use the dkim/dmarc/spf result statements from the ARC header to augment
the dkim/dmarc/spf checks done locally.

If local checks for dkim/dmarc/spf fail, but a trusted signer's valid ARC
says it succeeded at that point, then use the result from the ARC header
when considering authentication of the sender.
-- 
[email protected]
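
Added example, not part of the original messages and not code from SpamAssassin or the fix-forwarding draft: a sketch of the four quoted steps followed by the result override described in the reply. The function names, the `agreements` set, the `arc_chain_valid` flag (assumed to come from the local ARC verifier, which does the cryptographic check) and the sample domains are all assumptions made for illustration.

```python
import re
from email import message_from_string

def tags(body, name):
    """All values of name=value tags in a header field body, lowercased."""
    pat = r"(?:^|[;\s])%s\s*=\s*([^;\s]+)" % re.escape(name)
    return [v.lower() for v in re.findall(pat, body)]

def instance(body):
    """ARC instance number (i=) of a field body, 0 if absent or malformed."""
    i = tags(body, "i")
    return int(i[0]) if i and re.fullmatch(r"[0-9]+", i[0]) else 0

def effective_results(raw, recipient, local, agreements, arc_chain_valid):
    """Return the local spf/dkim/dmarc results, upgraded from the top ARC set
    only when steps 1-4 of the quoted algorithm all succeed."""
    msg = message_from_string(raw)
    list_ids = msg.get_all("List-Id", [])
    seal = max(msg.get_all("ARC-Seal", []), key=instance, default="")
    aar = max(msg.get_all("ARC-Authentication-Results", []), key=instance, default="")
    # arc_chain_valid is the verdict of the local ARC verifier (assumed input).
    if not arc_chain_valid or len(list_ids) != 1 or instance(seal) == 0:
        return dict(local)
    m = re.search(r"<([^<>]+)>", list_ids[0])           # step 1
    list_id = (m.group(1) if m else list_ids[0]).strip().lower()
    domain = (tags(seal, "d") or [""])[0]               # step 2
    if not domain or not (list_id == domain or list_id.endswith("." + domain)):
        return dict(local)                              # step 3 failed
    if (recipient.lower(), list_id) not in agreements:  # step 4
        return dict(local)
    if instance(aar) != instance(seal):
        return dict(local)  # no results recorded by the sealer itself
    merged = dict(local)
    for method in ("spf", "dkim", "dmarc"):
        if merged.get(method) != "pass" and "pass" in tags(aar, method):
            merged[method] = "pass"
    return merged

# Constructed sample message; the b=/bh= values are dummies, not signatures.
SAMPLE = """\
ARC-Seal: i=1; a=rsa-sha256; cv=none; d=lists.example; s=sel; t=1700000000; b=AAAA
ARC-Message-Signature: i=1; a=rsa-sha256; d=lists.example; s=sel; h=from; bh=AAAA; b=AAAA
ARC-Authentication-Results: i=1; lists.example; spf=pass smtp.mailfrom=author.example;
 dkim=pass header.d=author.example; dmarc=pass header.from=author.example
List-Id: Discussion list <discuss.lists.example>
From: alice@author.example
To: bob@rcpt.example
Subject: test
"""
```

Every failed precondition returns the local results unchanged, so an untrusted or unverified ARC set can never improve a verdict.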
