From 9c94d4a6472bb5deeda6fd9f40ec8963f0350698 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Antoine=20Beaupr=C3=A9?= <anarcat@debian.org>
Date: Thu, 7 Apr 2022 15:23:45 -0400
Subject: [PATCH] throw ARC in the mix

This was explicitly requested by Riseup and could help with
forwarding. We won't necessarily do it, but it won't hurt us to have
it approved.
---
 policy/tpa-rfc-15-email-services.md | 25 ++++++++++---------------
 1 file changed, 10 insertions(+), 15 deletions(-)

diff --git a/policy/tpa-rfc-15-email-services.md b/policy/tpa-rfc-15-email-services.md
index a6016b33..fef0705b 100644
--- a/policy/tpa-rfc-15-email-services.md
+++ b/policy/tpa-rfc-15-email-services.md
@@ -141,26 +141,14 @@ the submission server for outgoing email, or stop using their
 
 ## Scope
 
-This proposal affects SPF, DKIM, and DMARC record for outgoing mail,
-on all domains managed by TPA, specifically the domain
+This proposal affects SPF, DKIM, DMARC, and possibly ARC record for
+outgoing mail, on all domains managed by TPA, specifically the domain
 `torproject.org` and its subdomains. It explicitly does not cover the
 `torproject.net` domain.
 
 It also affects incoming email delivery on all `torproject.org`
 domains and subdomains.
 
-The [ARC specification](http://arc-spec.org/) is currently considered out of scope,
-considering that the current implementations ([OpenARC][] and
-[Fastmail's authentication milter][]) are not packaged in Debian, and
-no known implementation is.
-
-TODO: apparently OpenDMARC can do this and is packaged. Riseup uses
-this, and us setting ARC records would help Riseup with Riseup -> TPO
--> Riseup forward lists.
-
-[OpenARC]: https://github.com/trusteddomainproject/OpenARC
-[Fastmail's authentication milter]: https://github.com/fastmail/authentication_milter
-
 This proposal doesn't cover offering mailboxes to our users, although
 it is evaluated in a separate section. It wouldn't be deployed as part
 of this proposal in any case, due to time constraints, unless some
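Review bot: In the Scope paragraph, "possibly ARC record" replaces both the explanation of why ARC was out of scope (OpenARC and Fastmail's authentication milter not packaged in Debian) and the TODO saying OpenDMARC apparently can do this, but nothing now says which implementation would be used or what decides "possibly". Suggest keeping one sentence that states the condition under which ARC is deployed and whether the OpenDMARC claim from the TODO was confirmed. Since the sentence now lists four mechanisms, "record" should also read "records".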
@@ -193,12 +181,15 @@ will start to degrade some time or before Q3 2022.
  b. deployment of DMARC reports analysis, probably as a Prometheus
     exporter
 
- c. deployment of outgoing DKIM signatures and DNS records
+ c. deployment of outgoing DKIM and ARC signatures and DNS records
 
     * watch out for [DKIM replay attacks][]
 
     * decide key rotation policy (how frequently, should we [publish
       private keys][])
+    
+    * ARC can help with riseup -> TPO -> riseup forwarding
+      trips, which can be marked as spam by riseup
 
  d. IMAP server deployment and enrolment of all users in the IMAP
     service
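Review bot: Item c now lists "deployment of outgoing DKIM and ARC signatures and DNS records" as a firm deliverable, while the Scope text changed in this same patch says "possibly ARC" and the commit message says "We won't necessarily do it". Suggest marking ARC as optional here too, for example "DKIM (and possibly ARC) signatures", so the two sections agree. The added separator line before the ARC bullet (`+    `) carries trailing whitespace, and "riseup" is lowercase here while the text removed in the first hunk wrote "Riseup".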
@@ -236,6 +227,10 @@ will start to degrade some time or before Q3 2022.
     all servers according to the mail relay server change above, see
     [issue tpo/tpa/team#40626][]
 
+[ARC]: http://arc-spec.org/
+[OpenARC]: https://github.com/trusteddomainproject/OpenARC
+[Fastmail's authentication milter]: https://github.com/fastmail/authentication_milter
+
 [issue tpo/tpa/team#40626]: https://gitlab.torproject.org/tpo/tpa/team/-/issues/40626
 [SRS]: https://en.wikipedia.org/wiki/Sender_Rewriting_Scheme
 [email policy problem]: https://gitlab.torproject.org/tpo/tpa/team/-/issues/40404
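Review bot: The three link definitions added here (`[ARC]`, `[OpenARC]`, `[Fastmail's authentication milter]`) are not referenced by any text this patch adds. The new Scope sentence and the new bullet under item c write plain "ARC", and the paragraph that used `[OpenARC][]` and `[Fastmail's authentication milter][]` is deleted in the first hunk. Either link the first mention as `[ARC][]` and name the candidate implementations in the text, or drop the unused definitions.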
-- 
GitLab