aspf=s and adkim=s mean that the alignment must match down to the subdomain instead of merely sharing the same organizational domain.
If it were aspf=s

    from: u...@example.com
    return-path: mail...@bounce.example.com

Then DMARC *would not* pass based on SPF.

If it were aspf=r (or aspf not specified)

    from: u...@example.com
    return-path: mail...@bounce.example.com

Then DMARC *would* pass based on SPF.

The same goes for DKIM. So in your example DMARC would pass based on DKIM (assuming it passes its authentication check) with either adkim=s or adkim=r because "example.com" exactly matches "example.com." (I'm assuming "exmaple.com" is a typo)

In your example DMARC would *not* pass if based only on SPF because SPF didn't pass *its own* check.

I think part of the confusion in your example is that "spf=pass/neutral/temperror/permerror/softfail/hardfail" is not DMARC but the SPF check. DMARC requires that SPF (or DKIM) have an "spf=pass" result (or dkim=pass) *and* use the same domain as the from domain. "aspf" and "adkim" *only* refer to the strictness of the domain-matching, *not* the "spf=pass" or "dkim=pass" requirement.

In the DMARC aggregate report, you have two different sections where it says if SPF and DKIM "pass" or otherwise. The first section:

    <policy_evaluated>
      <disposition>none</disposition>
      <dkim>pass</dkim>
      <spf>pass</spf>
    </policy_evaluated>

tells you whether or not DKIM and/or SPF *allowed* DMARC to pass ("pass" means that the authentication in question both passed and used the correct domain) and so will only have "pass" or "fail".

The second section:

    <auth_results>
      <dkim>
        <result>pass</result>
        <domain>example.com</domain>
        <selector>selector2</selector>
      </dkim>
      <spf>
        <domain>example.com</domain>
        <result>pass</result>
        <scope>mfrom</scope>
      </spf>
    </auth_results>

is the details of each *pre-DMARC* authentication result for your own reference and to help troubleshoot the cause of any DMARC failures, and may say "spf=neutral" and etc as applicable.
The final DMARC pass or fail has already been called out in the <policy_evaluated> section, the <auth_results> section is just telling you *why* it passed or failed.

In an auto-forwarding case, SPF is typically "replaced" by the forwarder so it would show up as

    from: u...@example.com
    return-path: mail...@forwarder.com

and DMARC cannot pass based on SPF (DMARC could still pass based on DKIM if DKIM is aligned and not broken by the forwarder).

I know that's a lot but it's hopefully helpful.

*Zack Aab*, Senior Deliverability Strategist, Inbox Pros, a Trendline Company
*O* +1 (470) 875-1823

On Mon, Sep 28, 2020 at 10:56 AM Blason R via dmarc-discuss <dmarc-discuss@dmarc.org> wrote:

> Thanks for the reply -
>
> So pertaining to my same query; if the message would be aligned in below
> scenario? I am still scratching my head :(
>
> 1 -
> aspf=s
> adkim=s
>
> from: u...@exmaple.com
> return-path: u...@example.com
> d=example.com
> spf=neutral
>
> Or since aspf=s then should be spf=pass?
>
> What would happen in the auto-forwarding scenario? since again spf would I
> guess break?
>
> On Sun, Sep 27, 2020 at 3:23 PM Alessandro Vesely via dmarc-discuss <
> dmarc-discuss@dmarc.org> wrote:
>
>> On Sun 27/Sep/2020 09:14:46 +0200 Blason R via dmarc-discuss wrote:
>> > Hi Folks,
>> >
>> > I am starting with DMARC implementation and analysing the XML report without
>> > any GUI tool just to clear my understanding. Can someone please confirm if
>> > below marked in *bold* is correct?
>>
>> Yup, it sounds correct.
>>
>> > <policy_published>
>> > <domain>example.com</domain> ==> DMARC Policy published by our domain example.com; referred by Reporting ORG?
>>
>> Example.org is the domain where the reporting ORG got a DMARC record from.
>> That is, the From: domain of the messages reported in a given report.
>>
>> > <adkim>r</adkim>
>> > <aspf>r</aspf>
>> > <p>none</p>
>> > <pct>100</pct>
>> > <fo>0</fo>
>> > </policy_published>
>>
>> > [...]
>>
>> > <policy_evaluated>
>> > <disposition>none</disposition> *==> Action taken on the mail by Reporting Org??*
>>
>> Just how evaluating the policy affected the action. For example, consider a
>> message which got 15 spam points and was therefore quarantined. That has
>> nothing to do with DMARC, so "none" can be correct.
>>
>> Some say "pass" instead of "none", meaning the same.
>>
>> > <dkim>pass</dkim>
>> > <spf>pass</spf>
>>
>> That includes alignment considerations.
>>
>> > </policy_evaluated> *--> What Policy is evaluated*
>>
>> It should be the policy referred as "published" above. Some reporting ORGs
>> send multiple records in case a sender changes policy during the day,
>> collecting the corresponding evaluations. I wouldn't count much on that;
>> reports about policy changes should be interpreted with a grain of salt.
>>
>> Best
>> Ale
>> --
>> _______________________________________________
>> dmarc-discuss mailing list
>> dmarc-discuss@dmarc.org
>> http://www.dmarc.org/mailman/listinfo/dmarc-discuss
>>
>> NOTE: Participating in this list means you agree to the DMARC Note Well
>> terms (http://www.dmarc.org/note_well.html)
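Added example, not part of the original thread: a Python sketch that recomputes the <policy_evaluated> verdicts from the <auth_results> details of one aggregate-report record, applying the strict and relaxed alignment rule discussed above. The function names and the sample record are constructed for illustration, the `identifiers/header_from` element is taken from the RFC 7489 report schema, and `org_domain` is a two-label simplification where a real evaluator would use the Public Suffix List.

```python
import xml.etree.ElementTree as ET

# Constructed sample record (not from a real report): the auto-forwarding case,
# where SPF passes but only for the forwarder's own return-path domain.
SAMPLE_RECORD = """<record>
  <identifiers><header_from>example.com</header_from></identifiers>
  <auth_results>
    <dkim><domain>example.com</domain><result>pass</result></dkim>
    <spf><domain>forwarder.com</domain><result>pass</result></spf>
  </auth_results>
</record>"""

def org_domain(domain):
    # Assumption: the organizational domain is the last two labels. Real
    # evaluators use the Public Suffix List (needed for e.g. example.co.uk).
    return ".".join(domain.split(".")[-2:])

def aligned(auth_domain, from_domain, mode):
    a = (auth_domain or "").lower().rstrip(".")
    f = (from_domain or "").lower().rstrip(".")
    if not a or not f:
        return False
    if mode == "s":                        # strict: exact domain match
        return a == f
    return org_domain(a) == org_domain(f)  # relaxed: same organizational domain

def mechanism_passes(result, auth_domain, from_domain, mode):
    # DMARC needs both: the underlying check said "pass" AND the domain aligns.
    return result == "pass" and aligned(auth_domain, from_domain, mode)

def evaluate_record(record_xml, adkim="r", aspf="r"):
    rec = ET.fromstring(record_xml)
    from_domain = rec.findtext("identifiers/header_from")
    def any_pass(kind, mode):
        return any(
            mechanism_passes(e.findtext("result"), e.findtext("domain"), from_domain, mode)
            for e in rec.findall(f"auth_results/{kind}")
        )
    dkim_ok, spf_ok = any_pass("dkim", adkim), any_pass("spf", aspf)
    verdict = lambda ok: "pass" if ok else "fail"
    return {"dkim": verdict(dkim_ok), "spf": verdict(spf_ok),
            "dmarc": verdict(dkim_ok or spf_ok)}

if __name__ == "__main__":
    print(evaluate_record(SAMPLE_RECORD, adkim="s", aspf="s"))
```

A mismatch between this recomputed verdict and the <policy_evaluated> values in a received report is a prompt to check the organizational-domain simplification first, then the reporter's own handling.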