Re: [dmarc-discuss] exegesis: pass and fail together

2016-07-07 Thread Elizabeth Zwicky via dmarc-discuss 

I meant to say that the spec is unclear about what you do about **reporting** 
multiple DKIM results. It's perfectly clear on how to evaluate them.
Elizabeth

On Thursday, July 7, 2016 9:32 AM, Elizabeth Zwicky via dmarc-discuss 
 wrote:
 

 
SPF can pass without being a relevant pass for DMARC; DMARC requires it not 
only to pass but also to align with From:. As Alessandro pointed out, your 
DMARC record specifically prevents a lists.openlib.org SPF pass from being an 
openlib.org DMARC SPF pass.

And yes, it's entirely possible for a message to have 2 or more DKIM 
signatures, including signatures for the same domain with different results. As 
long as there exists a DKIM signature that is aligned and passes, the DMARC 
DKIM result is pass. (As I recall, the spec is unclear about what you do if 
there are multiple DKIM results. That should probably be fixed and it would be 
nice if we allowed the selector to be reported as well.)

Elizabeth

On Tuesday, July 5, 2016 12:54 AM, Thomas Krichel via dmarc-discuss 
 wrote:
 

 
  Hi gang,

  I am new to DMARC. Google have sent me a report that I attach.
  I am puzzled by what I am reading. About DKIM


  openlib.org
  pass


  openlib.org
  fail


  How can it fail and pass at the same time?
  Then about SPF


 
 2a01:4f8:190:62e8::68
 7
 
  none
  pass
  fail
 
 
  
  openlib.org
  
  

  ...
  
  
  lists.openlib.org
  pass
  



  How can it say that the SPF fails in the policy evaluated,
  but later say it passes. Could this be me posting to a mailing
  list, with the from: saying kric...@openlib.org, but forwarded
  by lists.openlib.org? 2a01:4f8:190:62e8::68 is SPF authorized to
  send mail for both lists.openlib.org and openlib.org, so this
  would still be puzzling. 

-- 

  Cheers,

  Thomas Krichel                  http://openlib.org/home/krichel
                                              skype:thomaskrichel

___
dmarc-discuss mailing list
dmarc-discuss@dmarc.org
http://www.dmarc.org/mailman/listinfo/dmarc-discuss

NOTE: Participating in this list means you agree to the DMARC Note Well terms 
(http://www.dmarc.org/note_well.html)

   
___
dmarc-discuss mailing list
dmarc-discuss@dmarc.org
http://www.dmarc.org/mailman/listinfo/dmarc-discuss

NOTE: Participating in this list means you agree to the DMARC Note Well terms 
(http://www.dmarc.org/note_well.html)

  ___
dmarc-discuss mailing list
dmarc-discuss@dmarc.org
http://www.dmarc.org/mailman/listinfo/dmarc-discuss

NOTE: Participating in this list means you agree to the DMARC Note Well terms 
(http://www.dmarc.org/note_well.html)

Re: [dmarc-discuss] exegesis: pass and fail together

2016-07-07 Thread Roland Turner via dmarc-discuss 
Hi Thomas,

It's not immediately clear from your edits whether the results that you are 
showing are from the same  of the DMARC report; my guess is that they're 
not. Assuming that my guess is correct: it's worth bearing in mind that a DMARC 
aggregate report is just that: a report aggregating information about all of 
the email messages that the Receiver has seen purporting to be from your 
organisation during the report period (almost always 24 hours). To keep things 
at a reasonable size, the report groups message reports that have identical 
dispositions etc. into a single  with a , instead of providing a 
row per message. When interpreting the report, it is important to view each 
 as though it were a completely separate report from the same Receiver.

The other thing that occasionally creates confusion is the difference between:

- the authentication results (whether a particular authentication evaluation 
returned true or false at the SPF/DKIM level), and
- the effective authentication result when evaluating policy (a pass for an 
unrelated domain will be treated as a fail for DMARC evaluation purposes; 
similarly parent vs. child domains if you're using different policies for 
sub-domains).

- Roland

--
From: dmarc-discuss  on behalf of Thomas 
Krichel via dmarc-discuss 
Sent: Tuesday, 5 July 2016 15:41
To: DMARC-discuss
Subject: [dmarc-discuss] exegesis: pass and fail together
    

  Hi gang,

  I am new to DMARC. Google have sent me a report that I attach.
  I am puzzled by what I am reading. About DKIM


  openlib.org
  pass


  openlib.org
  fail


  How can it fail and pass at the same time?
  Then about SPF


 
 2a01:4f8:190:62e8::68
 7
 
  none
  pass
  fail
 
 
  
  openlib.org
  
  

  ...
  
  
   lists.openlib.org
   pass
  



  How can it say that the SPF fails in the policy evaluated,
  but later say it passes. Could this be me posting to a mailing
  list, with the from: saying kric...@openlib.org, but forwarded
  by lists.openlib.org? 2a01:4f8:190:62e8::68 is SPF authorized to
  send mail for both lists.openlib.org and openlib.org, so this
  would still be puzzling. 

-- 

  Cheers,

  Thomas Krichel  http://openlib.org/home/krichel
  skype:thomaskrichel

___
dmarc-discuss mailing list
dmarc-discuss@dmarc.org
http://www.dmarc.org/mailman/listinfo/dmarc-discuss

NOTE: Participating in this list means you agree to the DMARC Note Well terms 
(http://www.dmarc.org/note_well.html)