Hi guys, Aki,

Thanks for clearing up this issue, which did puzzle me as well, yet not as much as Aki's ARC point. I wondered what you meant by "We did that replacement for a while, but people complained. We have ARC signing there, unfortunately it only works if you trust it."?

If I integrate ARC handling, will it allow the Dovecot mailing list to authenticate the received via chain header, so that the false positive spoofing occurrence is mitigated by having the authentic validated sender IP and host name preserved and verifiable? It seems the DMARC record is validated against the Received header and not the ARC seal header, i.e. DMARC will fail at some point even if I pass ARC?

Also, on ptld's question about ARC's purpose: to understand it, you can look at the Received header, which can't be manipulated by MITM attacks since it's generated after the mail server has fully received the email, and tells via which channel the email was sent and received, and includes authentic, thus verified, information such as which transport protocol of SMTP or SMTPS and SMTPSA was used, along with host name, IP address, email ID, TLS/SSL connection protocol, cipher and bits, as well as the from email address. Think of ARC as its derivative security enhancement, which stands for Authenticated Received Chain. It basically offers the chance for recipient mail servers to verify and authenticate whether the email is transported from the real one or several mail servers, where each mail server signs with a unique signature the authenticated received header at every received instance to form the authenticated chain validity, and generates it in the ARC seal header, which can be used to verify against the Received header information in the subsequent recipient mail server until it reaches its final destination, rest assured it was not manipulated in its journey whatsoever, which can happen if we rely on only the Received header, since it indicates only the validity of the last sending mail server and doesn't tell anything about whether any others were used in transit, which the ARC seal does. Notice that ARC proves its effectiveness only on one unequivocal condition: all mail servers which the germane email was transported to and from have ARC integration to handle generating and verifying the seal at every recipient instance.

Looking forward to further clarification, with thanks.

Zakaria.


On 11 Feb 2022 11:29, Lev Serebryakov <lev@serebryakov.spb.ru> wrote:

On 09.02.2022 16:33, Aki Tuomi wrote:

  I'm participating in ~20 mailing lists and only this one gives a storm of DMARC reports on each of my postings.

  Problem is, I need to unpack each of them to be sure that these are false positives, and I'm afraid that it could lower the reputation of my mail server IP address with major providers (like Google Mail).

> We did that replacement for a while, but people complained. We have ARC signing there, unfortunately it only works if you trust it.
>
> Aki
>
>> On 04/02/2022 23:10 Sebastian Nielsen <sebastian@sebbe.eu> wrote:
>>
>>  
>> I get it too. These appear because they don't replace either MAIL FROM: or Mime From: with the list address. This causes validations to fail since the mailing list is trying to spoof mail in your name, and of course, anti-spoofing security is going to react. DKIM can be troublesome since mailing lists sometimes change or reencode content so DKIM signature fails.
>>
>> -----Original message-----
>> From: dovecot-bounces@dovecot.org <dovecot-bounces@dovecot.org> On behalf of Lev Serebryakov
>> Sent: 4 February 2022 21:58
>> To: dovecot@dovecot.org
>> Subject: dovecot mailing list (this mailing list), DKIM, SPF and DMARC
>>
>>
>>    My domain (serebryakov.spb.ru) has all these "new" e-mail technologies configured. It works fine till I write to this mailing list.
>>
>>    After that I've got several DMARC reports about "spam" from my domain. All these reports are about my mailing list post.
>>
>>    I don't have such problems with other mailing lists (FreeBSD ones, OpenJDK ones, and others).
>>
>>    Looks like mailing list software for this mailing list is misconfigured.
>>
>>    I'm sure I'll get new ones after this message.
>>
>> --
>> // Black Lion AKA Lev Serebryakov


--
// Black Lion AKA Lev Serebryakov
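
The alignment failure Sebastian Nielsen describes in the quoted message, worked through as an added example (not part of the thread or of anyone's post): a simplified DMARC evaluation over constructed messages. The domains `author.example` and `lists.example`, the one-entry public-suffix set and all function names are assumptions made for illustration; ARC is not modelled.

```python
# Added example: simplified DMARC identifier alignment (constructed data).
from dataclasses import dataclass, field

# Assumption: stand-in for the Public Suffix List, covering only the samples.
PUBLIC_SUFFIXES = {"example"}

def org_domain(domain):
    """Organizational domain: longest matching public suffix plus one label."""
    labels = domain.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[max(i - 1, 0):])
    return ".".join(labels[-2:])

@dataclass
class Message:
    header_from: str   # RFC5322.From domain, the identity DMARC protects
    mail_from: str     # RFC5321.MailFrom domain evaluated by SPF
    spf_pass: bool     # SPF verdict for the connecting IP
    dkim: list = field(default_factory=list)  # (d= domain, verified) pairs

def aligned(auth_domain, from_domain, strict=False):
    if strict:
        return auth_domain.lower() == from_domain.lower()
    return org_domain(auth_domain) == org_domain(from_domain)

def dmarc(msg, aspf_strict=False, adkim_strict=False):
    """Pass if SPF or DKIM both passes and aligns with the header From."""
    spf_ok = msg.spf_pass and aligned(msg.mail_from, msg.header_from, aspf_strict)
    dkim_ok = any(ok and aligned(d, msg.header_from, adkim_strict)
                  for d, ok in msg.dkim)
    return "pass" if spf_ok or dkim_ok else "fail"

# Constructed cases: what a receiver sees for a direct send and list relays.
CASES = {
    "direct": Message("author.example", "mail.author.example", True,
                      [("author.example", True)]),
    "list, From kept, body re-encoded": Message(
        "author.example", "author.example", False, [("author.example", False)]),
    "list, From kept, body untouched": Message(
        "author.example", "lists.example", True, [("author.example", True)]),
    "list, From rewritten": Message(
        "lists.example", "lists.example", True,
        [("author.example", False), ("lists.example", True)]),
}

def evaluate_all():
    return {name: dmarc(msg) for name, msg in CASES.items()}

if __name__ == "__main__":
    for name, verdict in evaluate_all().items():
        print(f"{verdict:4}  {name}")
```

Only the relay that keeps the author's From while breaking the author's DKIM signature fails, which is the case that generates aggregate reports back to the author's domain.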