On 1/01/22 12:56 am, Benny Pedersen wrote:
if maillist all did the arc seal/ arc sign, before thay break dkim, then its still possible to verify orginal sender trust, bingo
its just sad nearly all make it worse by dkim sign all forwarded mails, thay miss the dkim private key mostly to do this, no ? :=)
The problem is there is a not insignificant number of recipient MTAs that check SPF/DKIM/DMARC but do not recognize ARC yet. If you rely on ARC signing then these MTAs will likely reject your mail. This means that the only reliable way to pass SPF, DKIM and DMARC if you're forwarding mail is:
Check the inbound SPF, DKIM and DMARC and reject the mail if it doesn't pass.
Other anti-spam measures to try to absolutely minimize the amount of SPAM that you end up forwarding.
Remove any existing DKIM signature that includes the From: or Reply-To: headers or any other header or content that you will be modifying in the message.
Rewrite the From: header to your domain name, add a Reply-To header with the original From: header's content.
Do any other alterations, such as adding list-* headers modifying the Subject: header, etc.
DKIM sign the message from the domain you rewrote the From: header to.
Rewrite the envelope sender to your domain name.
Send out the message.
The above assumes properly implemented SPF, DKIM and DMARC records for your domain.
That is the *only* way you can be fully certain that the forwarded message will pass SPF, DKIM and DMARC checks and therefore have the best chances of being received by the recipient. Anything else relies on implementation specifics of the sender and/or the recipient MTAs which may or may not make that possible.
Peter