Verified Commit 9c94d4a6 authored by anarcat's avatar anarcat
Browse files

throw ARC in the mix 

This was explicitly requested by Riseup and could help with
forwarding. We won't necessarily do it, but it won't hurt us to have
it approved.
parent 74516c23

policy/tpa-rfc-15-email-services.md

+10 −15
Original line number Diff line number Diff line
@@ -141,26 +141,14 @@ the submission server for outgoing email, or stop using their 


## Scope



This proposal affects SPF, DKIM, and DMARC record for outgoing mail,

on all domains managed by TPA, specifically the domain

This proposal affects SPF, DKIM, DMARC, and possibly ARC record for

outgoing mail, on all domains managed by TPA, specifically the domain

`torproject.org` and its subdomains. It explicitly does not cover the

`torproject.net` domain.



It also affects incoming email delivery on all `torproject.org`

domains and subdomains.



The [ARC specification](http://arc-spec.org/) is currently considered out of scope,

considering that the current implementations ([OpenARC][] and

[Fastmail's authentication milter][]) are not packaged in Debian, and

no known implementation is.



TODO: apparently OpenDMARC can do this and is packaged. Riseup uses

this, and us setting ARC records would help Riseup with Riseup -> TPO

-> Riseup forward lists.



[OpenARC]: https://github.com/trusteddomainproject/OpenARC

[Fastmail's authentication milter]: https://github.com/fastmail/authentication_milter



This proposal doesn't cover offering mailboxes to our users, although

it is evaluated in a separate section. It wouldn't be deployed as part

of this proposal in any case, due to time constraints, unless some
@@ -193,13 +181,16 @@ will start to degrade some time or before Q3 2022. 
 b. deployment of DMARC reports analysis, probably as a Prometheus

    exporter



 c. deployment of outgoing DKIM signatures and DNS records

 c. deployment of outgoing DKIM and ARC signatures and DNS records



    * watch out for [DKIM replay attacks][]



    * decide key rotation policy (how frequently, should we [publish

      private keys][])

    

    * ARC can help with riseup -> TPO -> riseup forwarding

      trips, which can be marked as spam by riseup



 d. IMAP server deployment and enrolment of all users in the IMAP

    service
@@ -236,6 +227,10 @@ will start to degrade some time or before Q3 2022. 
    all servers according to the mail relay server change above, see

    [issue tpo/tpa/team#40626][]



[ARC]: http://arc-spec.org/

[OpenARC]: https://github.com/trusteddomainproject/OpenARC

[Fastmail's authentication milter]: https://github.com/fastmail/authentication_milter



[issue tpo/tpa/team#40626]: https://gitlab.torproject.org/tpo/tpa/team/-/issues/40626

[SRS]: https://en.wikipedia.org/wiki/Sender_Rewriting_Scheme

[email policy problem]: https://gitlab.torproject.org/tpo/tpa/team/-/issues/40404