Authenticated Received Chain ("ARC") for Virtualmin

This post is about ‘Authenticated Received Chain’ (“ARC”) and the desirability of including it in Virtualmin. Alternatively, perhaps a clever forum reader has already incorporated OpenARC into Postfix and may be able to offer a ‘How To’ for the more technically challenged among us.
Why it’s needed:
It’s common, in some places, for domain email operators to forward all mail to a free Gmail account. The Gmail account is set up to masquerade as ‘user@domain.com’ instead of ‘gmail-user@gmail.com’. Email clients on PCs and other devices use Gmail’s IMAP and SMTP servers, thus gaining the benefit of Gmail’s malware and spam filtering, without requiring such resources on Virtualmin. Other benefits are being able to set up email clients ‘automagically’ using the true Gmail address and then editing just the owner and email address in the finished setup. As no email is stored on the Virtualmin system, storage needs are reduced and migration, backup and restore operations are speedy and simple. It’s generally recommended to add “_spf.google.com” in the ‘Included domains to allow’ area of ‘DNS Options’ in ‘Server Configuration’ to assist verification.
This worked well for some time, but with the increased use of SPF, DMARC etc., there is increasing risk of failed delivery. Some years back, work started on ARC in an effort to preserve the validation of genuine email when the message was forwarded across multiple servers. After some years' work, Authenticated Received Chain, or ARC, was published by the IETF as RFC 8617 in July 2019.
Microsoft, Gmail and others have implemented ARC and the OpenARC milter is freely available to those who know how to use it. As the adoption of ARC increases, the systems that are not ARC-compliant will be at a disadvantage and hopefully something can be done so Virtualmin will not remain among them.

Thoughts??
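
A receiver that honours ARC checks that the chain is well formed before it verifies any signature. The sketch below is an added example, not code from this thread or from OpenARC; it applies RFC 8617's structural rules (one complete set per instance, continuous instance numbers, cv=none on the first seal and cv=pass after it) to a constructed message whose domains and signature values are placeholders.

```python
import re
from email import message_from_string

# Constructed sample: mail forwarded through two ARC-sealing hops (placeholder values).
SAMPLE = """\
ARC-Seal: i=2; a=rsa-sha256; cv=pass; d=forwarder2.example; s=arc; b=PLACEHOLDER
ARC-Message-Signature: i=2; a=rsa-sha256; d=forwarder2.example; s=arc; h=from:subject; bh=PLACEHOLDER; b=PLACEHOLDER
ARC-Authentication-Results: i=2; forwarder2.example; arc=pass; spf=fail; dkim=pass
ARC-Seal: i=1; a=rsa-sha256; cv=none; d=forwarder1.example; s=arc; b=PLACEHOLDER
ARC-Message-Signature: i=1; a=rsa-sha256; d=forwarder1.example; s=arc; h=from:subject; bh=PLACEHOLDER; b=PLACEHOLDER
ARC-Authentication-Results: i=1; forwarder1.example; spf=pass; dkim=pass; dmarc=pass
From: user@domain.example
Subject: test

body
"""
ARC_SETS = ("ARC-Authentication-Results", "ARC-Message-Signature", "ARC-Seal")

def tag(value, name):
    """Return the value of a 'name=value' tag in a header value, or None."""
    m = re.search(r"(?:^|;)\s*" + re.escape(name) + r"\s*=\s*([^;\s]+)", value)
    return m.group(1) if m else None

def check_arc_structure(raw):
    """Structural chain checks only; the signatures are not verified here."""
    msg = message_from_string(raw)
    sets = {}  # instance number -> {header name: header value}
    for name in ARC_SETS:
        for value in msg.get_all(name, []):
            i = tag(value, "i")
            if i is None or not i.isdigit():
                return "fail", f"{name} without a valid i= tag"
            if name in sets.setdefault(int(i), {}):
                return "fail", f"duplicate {name} for i={i}"
            sets[int(i)][name] = value
    if not sets:
        return "none", "no ARC sets present"
    n = max(sets)
    if n > 50 or sorted(sets) != list(range(1, n + 1)):
        return "fail", "instance numbers are not a continuous 1..N (N <= 50)"
    for i in range(1, n + 1):
        if len(sets[i]) != 3:
            return "fail", f"ARC set i={i} is incomplete"
        cv = tag(sets[i]["ARC-Seal"], "cv")
        expected = "none" if i == 1 else "pass"
        if cv != expected:
            return "fail", f"i={i} has cv={cv}, expected cv={expected}"
    return "structure-ok", f"{n} hops; signatures still need verifying"
```

In the sample, the second hop records spf=fail because the message was relayed, while the first hop's ARC-Authentication-Results preserves the original spf=pass and dmarc=pass that a final receiver can choose to trust once the seals verify.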

When I google OpenARC, I come up with a GitHub project that hasn’t been updated in five years. Is that what you’re talking about? We obviously can’t depend on unmaintained software.

With a bit more research, I found fastmail/authentication_milter on GitHub (“Email Authentication by SPF/DKIM/DMARC etc.”), which looks promising. The FastMail folks really know mail (and they build most of their OSS libs in Perl, which is comfortable for us).

But, it needs Perl 5.20, so we can’t yet support it, as people are still running CentOS 7 and so we’ll need to maintain compatibility with 5.16 for at least a couple more years.