Rob's web

ARC

Authenticated Received Chain (ARC) is an email authentication system designed to allow an intermediate mail server, such as a mailing list or forwarding service, to sign an email's original authentication results. This allows a receiving service to validate an email when its SPF and DKIM checks are rendered invalid by an intermediate server's processing.

ARC complements SPF, DKIM and DMARC by preserving and validating authentication status as an email passes through intermediary mail servers.

Here's a quick rundown of how the original protocols work:

But DMARC assumes emails travel directly from sender to recipient. When a message is forwarded or sent via a mailing list, legitimate modifications often cause DKIM and SPF checks to fail - and therefore DMARC fails too.

ARC provides a workaround, allowing receivers to authenticate emails even if DKIM/SPF fail due to forwarding.
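To make the chain concrete, here is an added example (not from the original page or the OpenARC project) that runs the structural checks of RFC 8617 section 5.2 over the ARC header sets each hop adds. The sample message, its domains and the function names are constructed for illustration, and signature verification is left out.

```python
import email
from email import policy

ARC_FIELDS = ("ARC-Authentication-Results", "ARC-Message-Signature", "ARC-Seal")
# Constructed sample: a message after two ARC-signing hops; b=/bh= are placeholders.
SAMPLE = """\
ARC-Seal: i=2; a=rsa-sha256; cv=pass; d=lists.example.org; s=arc; b=PLACEHOLDER
ARC-Message-Signature: i=2; a=rsa-sha256; d=lists.example.org; s=arc;
 h=from:subject; bh=PLACEHOLDER; b=PLACEHOLDER
ARC-Authentication-Results: i=2; lists.example.org; dkim=fail; spf=fail; arc=pass
ARC-Seal: i=1; a=rsa-sha256; cv=none; d=example.com; s=mail; b=PLACEHOLDER
ARC-Message-Signature: i=1; a=rsa-sha256; d=example.com; s=mail;
 h=from:subject; bh=PLACEHOLDER; b=PLACEHOLDER
ARC-Authentication-Results: i=1; example.com; dkim=pass; spf=pass
From: alice@sender.example
Subject: [list] hello

body
"""

def tags(value):
    """Split a 'tag=value; tag=value' header body into a dict of tag -> value."""
    parts = (p.partition("=") for p in str(value).split(";"))
    return {k.strip().lower(): "".join(v.split()) for k, sep, v in parts if sep}

def arc_structure(raw):
    """Structural checks from RFC 8617 section 5.2; signatures are NOT verified here."""
    msg = email.message_from_string(raw, policy=policy.default)  # unfolds headers
    sets = {}
    for field in ARC_FIELDS:
        for value in msg.get_all(field, []):
            t = tags(value)
            if not (t.get("i", "").isdecimal() and len(t["i"]) <= 2):
                return "fail", f"{field} has no valid i= tag"
            inst = sets.setdefault(int(t["i"]), {})
            if field in inst:
                return "fail", f"duplicate {field} for i={t['i']}"
            inst[field] = t
    if not sets:
        return "none", "no ARC headers"
    n = max(sets)
    if n > 50 or sorted(sets) != list(range(1, n + 1)):
        return "fail", "instances are not a contiguous 1..N with N <= 50"
    for i in range(1, n + 1):
        want = "none" if i == 1 else "pass"  # cv= required at this position in the chain
        if len(sets[i]) != 3 or sets[i]["ARC-Seal"].get("cv") != want:
            return "fail", f"ARC set i={i} is incomplete or its cv= is not {want}"
    return "ok", f"{n} well-formed ARC set(s); verify AMS/AS signatures next"
```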

Installation

# dnf install openarc

Configuration

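The main configuration file for the signing service is /etc/openarc/openarc.conf. The commands below create the signing key for selector mail and domain example.com; opendkim-genkey writes the private key to keys/mail.private and the matching DNS TXT record to keys/mail.txt.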

# cd /etc/openarc/
# mkdir keys
# opendkim-genkey -D /etc/openarc/keys -r -s mail -d example.com
# chown -R openarc:openarc keys/

Starting

# systemctl start openarc
# systemctl enable openarc

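Linking ARC to Postfix

OpenARC must be running before we can link it to Postfix.

Now add the OpenARC socket to the milter list so that Postfix can talk to OpenARC. Make sure it comes after the OpenDMARC entry, because Postfix applies milters in the order listed. The socket path must match the Socket setting in openarc.conf.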

# cd /etc/postfix
# vi main.cf

# Milter configuration
milter_default_action = accept
milter_protocol = 6
smtpd_milters = inet:127.0.0.1:8891, inet:127.0.0.1:8893, unix:/run/openarc/openarc.sock
non_smtpd_milters = $smtpd_milters

# postfix check
# systemctl restart postfix
