Hi,

On Fri 21/Feb/2020 17:46:32 +0100 Marisa Clardy via dmarc-discuss wrote:
> 
> In our organization, we provide mail filtering for customers. We had SPF
> failures being rejected for a long time, however recently, we implemented
> DMARC, and set it so that if a domain has a DMARC policy, it doesn't reject
> based on an SPF failure.
> 
> Some of our customers have complained about this, specifically in the cases
> where p=none. They say that when p=none, we should still reject SPF failures. 
> 
> My manager and I both agree that this isn't the case, based on our
> understanding of DMARC.


Let me summarize, to check I understand your problem:

You receive a mail from, say, user@domain.example, relay 192.0.2.1
domain.example IN TXT "v=spf1 +ip4:192.0.2.80 -all", so it fails SPF, but:
_dmarc.domain.example IN TXT "v=DMARC1; p=none; rua=mailto:dmarc@domain.example"


According to RFC 7208, SPF reject-on-fail is legitimate:

   SPF "fail" results can be used to reject messages during the SMTP
   transaction based on either "MAIL FROM" or "HELO" identity results.
   This reduces resource requirements for various content-filtering
   methods and conserves bandwidth since rejection can be done before
   the SMTP content is transferred.
                     https://tools.ietf.org/html/rfc7208#appendix-G.2


> Either way, even if we reject SPF failures on p=none, we will need to find a
> solution that retains DMARC's ability to report. The biggest problem for this
> though is we do SPF failures after the RCPT TO command, and have to do it
> there, because we have flags that let specific customers turn off SPF
> rejection, so it's not like we can just move the SPF rejection to after the
> DATA command.


That's an interesting question.  Let me note the same happens with DNSBL 
lookups.  How about viruses?  Usually, DMARC filters operate after DATA, based 
on SPF and DKIM results, if upstream filters didn't reject already.  DNSWL 
results and local policy can also be considered.  It is a question of MTA 
software capability.  Delaying rejection until after DATA seems to be the 
easiest way.  In that case the SPF filter should just record the result.  
Another possibility would be to retrieve SPF failures from the mail log and 
somehow inject such data into the aggregate reporting system.


Best
Ale
-- 

> As such, we were curious about what the greater DMARC community thinks about 
> this.
> 
> -- 
>  - Marisa
_______________________________________________
dmarc-discuss mailing list
dmarc-discuss@dmarc.org
http://www.dmarc.org/mailman/listinfo/dmarc-discuss

NOTE: Participating in this list means you agree to the DMARC Note Well terms 
(http://www.dmarc.org/note_well.html)
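The second option Ale mentions, pulling SPF failures out of the mail log and feeding them into aggregate reporting, as an added example that is not part of this thread and not code from either poster. It parses a constructed log format (not any real MTA's), keeps only sending domains that publish a DMARC record, and emits RFC 7489 aggregate-report records in which a message refused at RCPT TO on SPF fail under p=none is reported as the disposition actually applied ("reject") with a "local_policy" override reason. The log lines, the cached policy table and the organisation name are all constructed for the example.

```python
"""
Added example (not from the dmarc-discuss thread): build DMARC aggregate-report
<record> rows (RFC 7489, Appendix C) from SPF results found in a mail log, so that
rejecting at RCPT TO does not lose the data DMARC reporting needs.
The "spf:" log format, the policy cache and all sample values are constructed.
"""
import re
from collections import defaultdict
from xml.etree import ElementTree as ET

# Constructed log lines in a hypothetical "spf:" format (not a real MTA's output).
SAMPLE_LOG = """\
2020-02-21T17:46:32Z spf: client=192.0.2.1 helo=mx.example.net mailfrom=user@domain.example result=fail
2020-02-21T17:47:01Z spf: client=192.0.2.1 helo=mx.example.net mailfrom=user@domain.example result=fail
2020-02-21T17:48:10Z spf: client=192.0.2.80 helo=mx.domain.example mailfrom=bob@domain.example result=pass
2020-02-21T17:49:00Z spf: client=198.51.100.7 helo=relay.other.test mailfrom=carol@other.test result=fail
"""

LINE_RE = re.compile(
    r"spf: client=(?P<ip>\S+) helo=(?P<helo>\S+) "
    r"mailfrom=(?P<mailfrom>\S+) result=(?P<result>\w+)"
)

# Constructed stand-in for the DMARC records a receiver would have fetched from DNS.
DMARC_POLICIES = {
    "domain.example": {"p": "none", "rua": "mailto:dmarc@domain.example"},
}


def parse_log(text):
    """Yield one dict per SPF log line; lines that do not match are ignored."""
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m:
            yield m.groupdict()


def aggregate(entries, policies):
    """Count results per RFC5321.MailFrom domain and (source IP, SPF result).

    Domains without a DMARC record are dropped: nobody asked for a report.
    """
    counts = defaultdict(lambda: defaultdict(int))
    for e in entries:
        domain = e["mailfrom"].rsplit("@", 1)[-1].lower()
        if domain in policies:
            counts[domain][(e["ip"], e["result"])] += 1
    return counts


def disposition_for(policy, spf_result, reject_on_spf_fail):
    """Return (disposition, override_reason) for the policy_evaluated element.

    The disposition is what the receiver actually did. Refusing an SPF-fail
    message under p=none differs from the published policy, so RFC 7489 has
    it reported as "reject" with PolicyOverrideType "local_policy".
    """
    if spf_result == "fail" and reject_on_spf_fail:
        reason = "local_policy" if policy["p"] != "reject" else None
        return "reject", reason
    return policy["p"], None


def build_report(domain, policy, counts, org="filter.example",
                 report_id="2020-02-21-0001", reject_on_spf_fail=True):
    """Return the aggregate report for one domain as an XML string."""
    fb = ET.Element("feedback")
    meta = ET.SubElement(fb, "report_metadata")
    ET.SubElement(meta, "org_name").text = org
    ET.SubElement(meta, "email").text = "dmarc-reports@" + org
    ET.SubElement(meta, "report_id").text = report_id
    dr = ET.SubElement(meta, "date_range")
    ET.SubElement(dr, "begin").text = "1582243200"  # constructed 24h window
    ET.SubElement(dr, "end").text = "1582329599"
    pp = ET.SubElement(fb, "policy_published")
    ET.SubElement(pp, "domain").text = domain
    ET.SubElement(pp, "p").text = policy["p"]
    for (ip, spf), n in sorted(counts.items()):
        rec = ET.SubElement(fb, "record")
        row = ET.SubElement(rec, "row")
        ET.SubElement(row, "source_ip").text = ip
        ET.SubElement(row, "count").text = str(n)
        pe = ET.SubElement(row, "policy_evaluated")
        disp, reason = disposition_for(policy, spf, reject_on_spf_fail)
        ET.SubElement(pe, "disposition").text = disp
        # Rejected before DATA: DKIM was never evaluated, so no aligned DKIM pass exists.
        ET.SubElement(pe, "dkim").text = "fail"
        ET.SubElement(pe, "spf").text = "pass" if spf == "pass" else "fail"
        if reason:
            r = ET.SubElement(pe, "reason")
            ET.SubElement(r, "type").text = reason
            ET.SubElement(r, "comment").text = "rejected at RCPT TO on SPF fail"
        ids = ET.SubElement(rec, "identifiers")
        # Limitation: RFC5322.From is unknown before DATA; the MailFrom domain is
        # used here as an assumed stand-in, so alignment is not truly evaluated.
        ET.SubElement(ids, "header_from").text = domain
        ar = ET.SubElement(rec, "auth_results")
        s = ET.SubElement(ar, "spf")
        ET.SubElement(s, "domain").text = domain
        ET.SubElement(s, "scope").text = "mfrom"
        ET.SubElement(s, "result").text = spf
    return ET.tostring(fb, encoding="unicode")


if __name__ == "__main__":
    per_domain = aggregate(parse_log(SAMPLE_LOG), DMARC_POLICIES)
    for dom, rows in per_domain.items():
        print(build_report(dom, DMARC_POLICIES[dom], rows))
```

The comment on header_from is the practical catch with this approach: a session rejected at RCPT TO never delivers the RFC5322.From header, so the report cannot state the identifier DMARC is actually about and the alignment check is never really performed. That is the concrete reason the "record the SPF result and decide after DATA" route Ale describes first is the cleaner one where the MTA allows it.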
