On 1/01/22 9:57 pm, Benny Pedersen wrote:
its basicly just statistik you say above
You seem to think you can just ARC sign the message and everything will be rosy. This is not the case, ARC needs to be implemented on the receiver side or it will be completely ignored. It will takes yeras for it to be widely adopted.
1. Check the inbound SPF, DKIM and DMARC and reject the mail if it doesn't pass.
check spf helo, spf mfrom, check dkim, check arc in that order, but do not reject, current its only meta data collected to dmarc policy with can reject if sender wants it rejected, but this should relly not be rejected if its arc-signed / arc-sealed, this indicate a maillist where reject is not best way to solve spamming
Sure check for ARC as well. The point is to reject anything that might be SPAM because you are going to be DKIM signing it yourself and you don't want to be forwarding SPAM.
2. Other anti-spam measures to try to absolutely minimize the amount of SPAM that you end up forwarding.
its possible to unsubscribe
So you expect a spammer to unsubscribe?
makes things worse makes things worse
And yet as I said, it's the only way to guarantee that the message will pass on the recipient side. ARC won't do that. I didn't say it was a great solution, I said it's the *only* solution.
5. Do any other alterations, such as adding list-* headers modifying the Subject: header, etc.
does not break dkim when adding new headers, but change signed headers does
Wrong. Adding headers *can* break dkim. This is because the lack of headers or NULL headers can be signed.
6. DKIM sign the message from the domain you rewrote the From: header to.
perfect forged mail can be tested in dkim adsp
Which is why you check the original signature and reject if it doesn't pass.
7. Rewrite the envelope sender to your domain name.
normal for maillists, does not break spf specs
It's something that you have to explicitly tell your MTA to do, and it certainly wasn't "normal" before SPF was a thing.
8. Send out the message.
and hope for no spf helo, spf pass if its spam :)
Again, why you try to reject SPAM to begin with.
The above assumes properly implemented SPF, DKIM and DMARC records for your domain.
define properly
I'm not going to go into that level of detail here. There are many many resources on the internet which can tell you how to set up these thigns properly.
That is the *only* way you can be fully certain that the forwarded message will pass SPF, DKIM and DMARC checks and therefore have the best chances of being received by the recipient. Anything else relies on implementation specifics of the sender and/or the recipient MTAs which may or may not make that possible.
you need more meta data on diffrent maillists if you write this above
Nope, this has nothing to do with the mail list. This has to do with different practices of the sending MTA and recipient MTA. The mail list sits in-between the two and must reconcile with various different policies of the sender (which can be determined) and how the recipient will check those policies (which generally cannot be determined).
we are OFF Topic, take debate offline from maillist
By all means. Just stop trying to claim that ARC will solve all the problems, it won't. I realize that mailing lists likely do not want to implement all of the above steps, but ARC is not a magic bullet that can fix the issues shown, there is no magic bullet and so you either accept that a number of messages will, depending on circumstances, not make it to the recipient, or you take drastic measures to resign everything so that the recipient MTA is happy.
Peter