aspf=s and adkim=s mean that the alignment must match down to the
subdomain instead of merely sharing the same organizational domain.

If it were

aspf=s

from: u...@example.com

return-path: mail...@bounce.example.com

Then DMARC *would not* pass based on SPF.

If it were

aspf=r (or aspf not specified)

from: u...@example.com

return-path: mail...@bounce.example.com

Then DMARC *would* pass based on SPF.

The same goes for DKIM.

So in your example DMARC would pass based on DKIM (assuming it passes its
authentication check) with either adkim=s or adkim=r because "example.com"
exactly matches "example.com". (I'm assuming "exmaple.com" is a typo.)
In your example DMARC would *not* pass if based only on SPF because SPF
didn't pass *its own* check.

I think part of the confusion in your example is that
"spf=pass/neutral/temperror/permerror/softfail/hardfail" is not DMARC but
the SPF check.  DMARC requires that SPF (or DKIM) have an "spf=pass" result
(or dkim=pass) *and* use the same domain as the from domain.
"aspf" and "adkim" *only* refer to the strictness of the domain-matching,
*not* the "spf=pass" or "dkim=pass" requirement.

In the DMARC aggregate report, you have two different sections where it
says if SPF and DKIM "pass" or otherwise.
The first section:

        <policy_evaluated>
            <disposition>none</disposition>
            <dkim>pass</dkim>
            <spf>pass</spf>
        </policy_evaluated>
tells you whether or not DKIM and/or SPF *allowed* DMARC to pass ("pass"
means that the authentication in question both passed and used the correct
domain) and so will only have "pass" or "fail".

The second section:
        <auth_results>
            <dkim>
                <result>pass</result>
                <domain>example.com</domain>
                <selector>selector2</selector>
            </dkim>
            <spf>
                <domain>example.com</domain>
                <result>pass</result>
                <scope>mfrom</scope>
            </spf>
        </auth_results>
is the details of each *pre-DMARC* authentication result for your own
reference and to help troubleshoot the cause of any DMARC failures, and may
say "spf=neutral" etc. as applicable.

The final DMARC pass or fail has already been called out in the
<policy_evaluated> section, the <auth_results> section is just telling you
*why* it passed or failed.

In an auto-forwarding case, SPF is typically "replaced" by the forwarder so
it would show up as

from: u...@example.com

return-path: mail...@forwarder.com

and DMARC cannot pass based on SPF (DMARC could still pass based on DKIM if
DKIM is aligned and not broken by the forwarder).

I know that's a lot but it's hopefully helpful.

*Zack Aab*, Senior Deliverability Strategist, Inbox Pros, a Trendline
Company
*O* +1 (470) 875-1823 <+14708751823>
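The alignment rules Zack walks through above, as an added example that is not from the thread or any of its participants: a small Python evaluator that applies the aspf/adkim mode, combines it with the raw SPF/DKIM result, and reports the verdicts a <policy_evaluated> section would carry. The organizational-domain lookup is a deliberate simplification (last two labels); real verifiers use the Public Suffix List.

```python
# Added example (not from the thread): evaluate DMARC identifier alignment.
# Assumption: org_domain() uses the last two labels only; a real implementation
# consults the Public Suffix List (e.g. for co.uk-style suffixes).
from dataclasses import dataclass


def org_domain(domain: str) -> str:
    """Simplified organizational domain: last two labels of the name."""
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def aligned(from_domain: str, auth_domain: str, mode: str) -> bool:
    """Strict ('s') needs an exact match; relaxed ('r', the default)
    accepts any domain sharing the organizational domain."""
    f, a = from_domain.lower().rstrip("."), auth_domain.lower().rstrip(".")
    if mode == "s":
        return f == a
    return org_domain(f) == org_domain(a)


@dataclass
class AuthResults:
    spf_result: str      # raw SPF verdict: pass/neutral/softfail/...
    spf_domain: str      # MAIL FROM (return-path) domain
    dkim_result: str     # raw DKIM verdict
    dkim_domain: str     # d= of the signature


def evaluate_dmarc(from_domain, auth, aspf="r", adkim="r"):
    """Return policy_evaluated-style verdicts: a mechanism counts as 'pass'
    only when it passed its own check AND its domain is aligned."""
    spf_ok = auth.spf_result == "pass" and aligned(from_domain, auth.spf_domain, aspf)
    dkim_ok = auth.dkim_result == "pass" and aligned(from_domain, auth.dkim_domain, adkim)
    return {"spf": "pass" if spf_ok else "fail",
            "dkim": "pass" if dkim_ok else "fail",
            "dmarc": "pass" if (spf_ok or dkim_ok) else "fail"}


if __name__ == "__main__":
    # Constructed scenarios mirroring the ones discussed in the thread.
    bounce = AuthResults("pass", "bounce.example.com", "pass", "example.com")
    print(evaluate_dmarc("example.com", bounce, aspf="s"))  # SPF fails alignment
    print(evaluate_dmarc("example.com", bounce, aspf="r"))  # SPF aligned under relaxed
    op = AuthResults("neutral", "example.com", "pass", "example.com")
    print(evaluate_dmarc("example.com", op, aspf="s", adkim="s"))  # passes via DKIM only
    fwd = AuthResults("pass", "forwarder.com", "pass", "example.com")
    print(evaluate_dmarc("example.com", fwd))  # forwarder breaks SPF; DKIM carries it
```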


On Mon, Sep 28, 2020 at 10:56 AM Blason R via dmarc-discuss <
dmarc-discuss@dmarc.org> wrote:

> Thanks for the reply -
>
> So pertaining to my same query; if the message would be aligned in below
> scenario? I am still scratching my head :(
>
> 1 -
> aspf=s
> adkim=s
>
> from: u...@exmaple.com
> return-path: u...@example.com
> d=example.com
> spf=neutral
>
> Or since aspf=s then should be spf=pass?
>
> What would happen in the auto-forwarding scenario? since again spf would I
> guess break?
>
> On Sun, Sep 27, 2020 at 3:23 PM Alessandro Vesely via dmarc-discuss <
> dmarc-discuss@dmarc.org> wrote:
>
>> On Sun 27/Sep/2020 09:14:46 +0200 Blason R via dmarc-discuss wrote:
>> > Hi Folks,
>> >
>> > I am starting with DMARC implementation and analysing the XML report
>> > without any GUI tool just to clear my understanding. Can someone please
>> > confirm if below marked in *bold* is correct?
>>
>>
>> Yup, it sounds correct.
>>
>>
>> >   <policy_published>
>> >      <domain>example.com</domain>   ==> DMARC Policy published by our
>> >      domain example.com; referred by Reporting ORG?
>>
>>
>> Example.org is the domain where the reporting ORG got a DMARC record
>> from.
>> That is, the From: domain of the messages reported in a given report.
>>
>>
>> >      <adkim>r</adkim>
>> >      <aspf>r</aspf>
>> >      <p>none</p>
>> >      <pct>100</pct>
>> >      <fo>0</fo>
>> >   </policy_published>
>>
>> > [...]
>>
>> >   <policy_evaluated>
>> >      <disposition>none</disposition> *==> Action taken on the mail by
>> >      Reporting Org??*
>>
>>
>> Just how evaluating the policy affected the action.  For example,
>> consider a message which got 15 spam points and was therefore quarantined.
>> That has nothing to do with DMARC, so "none" can be correct.
>>
>> Some say "pass" instead of "none", meaning the same.
>>
>>
>> >      <dkim>pass</dkim>
>> >      <spf>pass</spf>
>>
>>
>> That includes alignment considerations.
>>
>>
>> >   </policy_evaluated> *--> What Policy is evaluated*
>>
>>
>> It should be the policy referred as "published" above.  Some reporting
>> ORGs send multiple records in case a sender changes policy during the day,
>> collecting the corresponding evaluations.  I wouldn't count much on that;
>> reports about policy changes should be interpreted with a grain of salt.
>>
>>
>> Best
>> Ale
>> --
>>
>> _______________________________________________
>> dmarc-discuss mailing list
>> dmarc-discuss@dmarc.org
>> http://www.dmarc.org/mailman/listinfo/dmarc-discuss
>>
>> NOTE: Participating in this list means you agree to the DMARC Note Well
>> terms (http://www.dmarc.org/note_well.html)
>