
Add support for "ARC Specification for email"

Open ghost opened this issue 7 years ago • 6 comments

I know this is a DKIM verifier (that also verifies SPF and DMARC), but there is a new specification to try to solve some of the problems of DKIM called ARC ( http://arc-spec.org ). At least AOL and GMail already validate ARC headers.

I hope in the future dkim_verifier also verifies the ARC header, which at least Gmail, which I use, is using... if it doesn't already.

ghost avatar May 31 '17 15:05 ghost

Yes, this would definitely be a nice addition for the add-on. Unfortunately my time is rather limited at the moment, so don't expect it any time soon.

lieser avatar May 31 '17 20:05 lieser

Thanks! I understand. At least I have made this feature come onto your "radar", in the sense that at least I think it would be useful :) Great work anyways!

ghost avatar May 31 '17 22:05 ghost

As @pimlie wrote, checking for " arc=fail (signature failed);" is enough: https://github.com/pimlie/authres_status/issues/27

wioxjk avatar Mar 08 '18 11:03 wioxjk

This issue was more about verifying ARC locally (ARC-Message-Signature, ARC-Seal), not about getting the ARC status from the Authentication-Results.

As I didn't yet know about the possibly added arc=[pass|fail|policy] to Authentication-Results, I had a quick look at the draft today. My conclusion so far is that adding a check for it would not bring much useful information to a user.

What I did see in the draft is that if ARC passes, the verifier seems to add a dkim=pass with header.i=@<domain of last arc signer> to the Authentication-Results. As reading of the Authentication-Results is optionally supported by the add-on, it can already show this information. See the example B.2.3. Example 2: Message received by Recipient from the RFC (download ARC - B.2.3. Example 2 - Message received by Recipient.txt, rename it to .eml, enable ARH reading in the add-on and open the .eml file with Thunderbird).

lieser avatar Mar 09 '18 23:03 lieser
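
An added illustration (not part of the thread and not the add-on's code) of reading the `arc=` and `dkim=` results discussed above from an Authentication-Results header. The header text, host names and function names are constructed for the example, and the grammar handled is a simplified subset of RFC 8601.

```javascript
// Added example: simplified Authentication-Results reader (subset of RFC 8601).
// Constructed sample header; host names are placeholders, not from a real message.
const SAMPLE_HEADER =
  "Authentication-Results: mx.example.org;\r\n" +
  " arc=fail (signature failed);\r\n" +
  " dkim=pass header.i=@lists.example.net header.s=sel1;\r\n" +
  " spf=pass smtp.mailfrom=bounce@lists.example.net";

// Split on ';' but not inside a "(comment)", which may itself contain ';'.
function splitClauses(value) {
  const clauses = [];
  let depth = 0, current = "";
  for (const ch of value) {
    if (ch === "(") depth++;
    else if (ch === ")" && depth > 0) depth--;
    if (ch === ";" && depth === 0) { clauses.push(current); current = ""; }
    else current += ch;
  }
  clauses.push(current);
  return clauses.map((c) => c.trim()).filter((c) => c !== "");
}

function parseAuthResults(rawHeader) {
  const value = rawHeader.replace(/\r?\n(?=[ \t])/g, "")   // unfold
    .replace(/^Authentication-Results:\s*/i, "");
  const [first = "", ...rest] = splitClauses(value);
  const results = [];
  for (const clause of rest) {
    const comment = (clause.match(/\(([^()]*)\)/) || [])[1] || null;
    const tokens = clause.replace(/\([^()]*\)/g, " ").trim().split(/\s+/);
    const head = /^([a-z0-9-]+)=([a-z]+)$/i.exec(tokens[0]);
    if (!head) continue; // skip "none" or malformed clauses
    const props = {};
    for (const t of tokens.slice(1)) {
      const i = t.indexOf("=");
      if (i > 0) props[t.slice(0, i)] = t.slice(i + 1);
    }
    results.push({ method: head[1].toLowerCase(), result: head[2].toLowerCase(), comment, props });
  }
  return { authservId: first.split(/\s+/)[0].toLowerCase(), results };
}

// Report ARC and passing DKIM identities, but only for a trusted authserv-id.
function summarize(rawHeader, trustedIds) {
  const { authservId, results } = parseAuthResults(rawHeader);
  if (!trustedIds.includes(authservId)) return null; // header may be forged
  const arc = results.find((r) => r.method === "arc") || null;
  const dkimPass = results.filter((r) => r.method === "dkim" && r.result === "pass")
    .map((r) => r.props["header.i"] || null);
  return { arc: arc ? arc.result : "none", arcComment: arc ? arc.comment : null, dkimPass };
}
```

`summarize(SAMPLE_HEADER, ["mx.example.org"])` returns the ARC result with its comment and the passing DKIM identities; a header whose authserv-id is not in the trusted list yields `null`, since anyone can insert such a header before the message reaches the receiving server.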

Just added DKIM Verifier V3.0.1 to Thunderbird V68.2.2 (64-bit) on latest Linux Mint. I received a message without DKIM but the add-on showed the following:

Your RS order confirmation - No20-Stock

The email was:

Your RS order confirmation - No20-Stock.txt

It looks like the add-on is identifying different types of key and treating them as DKIM keys. I had a similar problem with one using ARC. It would be good to have ARC and similar systems implemented, but until you have, ignore anything that's not specifically identified as DKIM.

Am I missing something?

cedricgannet avatar Dec 18 '19 16:12 cedricgannet

@cedricgannet As far as I can tell the error you see has nothing to do with ARC. You have either the DMARC heuristic enabled, or a custom sign rule saying that RS-Components.com should be signed (e.g. by the option to automatically add them).

See the following for more info:

  • https://github.com/lieser/dkim_verifier/wiki/FAQ#the-add-on-incorrectly-says-that-en-e-mail-should-be-signed
  • https://github.com/lieser/dkim_verifier/wiki/Options#use-dmarc-to-heuristically-determine-if-an-e-mail-should-be-signed
  • https://github.com/lieser/dkim_verifier/wiki/Options#automatically-add-rules-based-on-viewed-dkim-signed-e-mails

If you still have problems, please create a separate issue for it.

lieser avatar Dec 20 '19 22:12 lieser