
mailserver: Enable ARC signing

Open mweinelt opened this issue 11 months ago • 6 comments

Works similarly to DKIM and uses the same keys. Went for a 2048-bit RSA key for compat reasons. Larger ones are probably too large to put them into DNS.

Untested.

mweinelt avatar Apr 11 '25 00:04 mweinelt

Is ARC generally applicable for SNM users? Or is it really only useful if you're operating mailing lists and forwarding emails onto other domains? If it's generally applicable, I'd like to submit these instructions to the SNM setup guide.

Google and iCloud require it for bulk senders. Proposed in https://gitlab.com/simple-nixos-mailserver/nixos-mailserver/-/merge_requests/376.

mweinelt avatar Apr 13 '25 16:04 mweinelt

Discussed at today's infra meeting: @jfly to test this on his personal mailserver and then deploy this if all looks good

jfly avatar May 01 '25 16:05 jfly

@mweinelt, I deployed a version of this to my personal mailserver and while it didn't break anything, I couldn't find any evidence of this doing anything. Emails I sent directly as an SMTP-authenticated user, and emails I relay through it, all don't show any ARC-related headers when they land in my personal Gmail. I also don't see anything showing up in rspamd logs.

jfly avatar May 08 '25 23:05 jfly

@Mic92 also has this configured, can you give that a try?

      allow_username_mismatch = true;

We have that for DKIM in nixos-mailserver as well.

mweinelt avatar May 08 '25 23:05 mweinelt

I will try when I'm back at a computer!

jfly avatar May 09 '25 01:05 jfly

Adding allow_username_mismatch = true; doesn't seem to have made a difference. I've been banging my head against this unproductively for too long. I'm not sure I'll have time to look at this again until next week, sorry!

jfly avatar May 09 '25 07:05 jfly
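
The check described in the thread (looking for ARC headers on a delivered message) can be scripted. This is an added example, not part of the thread or of nixos-mailserver: it groups the three ARC header fields by their `i=` instance and reports structural gaps, without verifying any signature. The sample message, domains and selector are constructed placeholders.

```python
import email
import re
from email import policy

ARC_HEADERS = ("ARC-Seal", "ARC-Message-Signature", "ARC-Authentication-Results")

# Constructed sample message; domains, selector and signature values are placeholders.
SIGNED = """\
ARC-Seal: i=1; a=rsa-sha256; t=1700000000; cv=none; d=example.org; s=arc; b=CONSTRUCTED
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=example.org;
 s=arc; h=from:to:subject; bh=CONSTRUCTED; b=CONSTRUCTED
ARC-Authentication-Results: i=1; mx.example.org; dkim=pass header.d=example.org
From: alice@example.org
Subject: test

body
"""
UNSIGNED = SIGNED[SIGNED.index("From:"):]  # same message without any ARC set

def _tag(value, name):
    """Return the value of a `name=value` tag in a header body, or None."""
    m = re.search(r"(?:^|;)\s*" + re.escape(name) + r"\s*=\s*([^;\s]+)", value)
    return m.group(1) if m else None

def arc_report(raw_message):
    """Group ARC headers by instance (i=) and list structural problems."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    sets, problems = {}, []
    for name in ARC_HEADERS:
        for value in msg.get_all(name, []):
            inst = _tag(str(value), "i")  # str() yields the unfolded header body
            if inst is None or not inst.isdigit():
                problems.append(f"{name} without a numeric i= tag")
                continue
            sets.setdefault(int(inst), {})[name] = str(value)
    if not sets and not problems:
        return sets, ["no ARC headers present"]
    if sorted(sets) != list(range(1, len(sets) + 1)):
        problems.append(f"instances not contiguous from 1: {sorted(sets)}")
    for inst, entry in sorted(sets.items()):
        missing = [h for h in ARC_HEADERS if h not in entry]
        if missing:
            problems.append(f"i={inst}: missing {', '.join(missing)}")
        cv = _tag(entry.get("ARC-Seal", ""), "cv")
        expected = "none" if inst == 1 else "pass"  # first sealer has no prior chain
        if "ARC-Seal" in entry and cv != expected:
            problems.append(f"i={inst}: cv={cv}, expected {expected}")
    return sets, problems
```

Pass `arc_report` the raw source of a message as received; an empty `sets` result means no hop on the path added an ARC set.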