Verified Commit 9c94d4a6 authored by anarcat

throw ARC in the mix

This was explicitly requested by Riseup and could help with
forwarding. We won't necessarily do it, but it won't hurt us to have
it approved.
parent 74516c23
......@@ -141,26 +141,14 @@ the submission server for outgoing email, or stop using their
## Scope
This proposal affects SPF, DKIM, and DMARC record for outgoing mail,
on all domains managed by TPA, specifically the domain
This proposal affects SPF, DKIM, DMARC, and possibly ARC record for
outgoing mail, on all domains managed by TPA, specifically the domain
`torproject.org` and its subdomains. It explicitly does not cover the
`torproject.net` domain.
It also affects incoming email delivery on all `torproject.org`
domains and subdomains.
The [ARC specification](http://arc-spec.org/) is currently considered out of scope,
considering that the current implementations ([OpenARC][] and
[Fastmail's authentication milter][]) are not packaged in Debian, and
no known implementation is.
TODO: apparently OpenDMARC can do this and is packaged. Riseup uses
this, and us setting ARC records would help Riseup with Riseup -> TPO
-> Riseup forward lists.
[OpenARC]: https://github.com/trusteddomainproject/OpenARC
[Fastmail's authentication milter]: https://github.com/fastmail/authentication_milter
This proposal doesn't cover offering mailboxes to our users, although
it is evaluated in a separate section. It wouldn't be deployed as part
of this proposal in any case, due to time constraints, unless some
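Review bot: The new Scope sentence ("This proposal affects SPF, DKIM, DMARC, and possibly ARC record for outgoing mail") brings ARC into scope, but the paragraph it replaces was the only place that named the implementations (OpenARC and Fastmail's authentication milter, neither packaged in Debian) and carried the TODO that OpenDMARC apparently can do this and is packaged. With both removed, the proposal no longer says what software would produce ARC signatures or whether the packaging concern is settled. Suggest keeping one sentence that names the intended implementation and notes that its ARC support still has to be confirmed, and changing "record" to "records" since the list is plural. The next paragraph, on incoming delivery, could also say whether validating ARC on incoming mail is in scope.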
......@@ -193,12 +181,15 @@ will start to degrade some time or before Q3 2022.
b. deployment of DMARC reports analysis, probably as a Prometheus
exporter
c. deployment of outgoing DKIM signatures and DNS records
c. deployment of outgoing DKIM and ARC signatures and DNS records
* watch out for [DKIM replay attacks][]
* decide key rotation policy (how frequently, should we [publish
private keys][])
* ARC can help with riseup -> TPO -> riseup forwarding
trips, which can be marked as spam by riseup
d. IMAP server deployment and enrolment of all users in the IMAP
service
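Review bot: Step c now reads "deployment of outgoing DKIM and ARC signatures and DNS records", which commits to ARC unconditionally, while the Scope hunk says "possibly ARC" and the commit message says "We won't necessarily do it". Suggest making it optional here as well, for example "deployment of outgoing DKIM (and possibly ARC) signatures and DNS records". The sub-bullets on DKIM replay attacks and key rotation policy also do not say whether they apply to the ARC signing keys; stating that would keep the rotation decision from being made for DKIM alone.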
......@@ -236,6 +227,10 @@ will start to degrade some time or before Q3 2022.
all servers according to the mail relay server change above, see
[issue tpo/tpa/team#40626][]
[ARC]: http://arc-spec.org/
[OpenARC]: https://github.com/trusteddomainproject/OpenARC
[Fastmail's authentication milter]: https://github.com/fastmail/authentication_milter
[issue tpo/tpa/team#40626]: https://gitlab.torproject.org/tpo/tpa/team/-/issues/40626
[SRS]: https://en.wikipedia.org/wiki/Sender_Rewriting_Scheme
[email policy problem]: https://gitlab.torproject.org/tpo/tpa/team/-/issues/40404
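Review bot: The three link definitions added here (`[ARC]`, `[OpenARC]`, `[Fastmail's authentication milter]`) have no matching reference in the lines this commit adds: the new ARC mentions in Scope and in step c are plain text, and the paragraph that used the OpenARC and Fastmail links is removed in the first hunk. Either link the mentions, e.g. "possibly [ARC][] record", or drop the OpenARC and Fastmail definitions so the page does not carry unused references. The `[ARC]` target is also plain `http://`; switch it to `https://` if the site serves it.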