I think with the new version, DMARC alignment checks are still implemented wrong:
Now I get a DMARC fail when there is an SPF entry that aligns and no DKIM signature.
 
The way I read the specification (and the way the dmarc module produces results) is: either SPF or DKIM has to align, then the test passes.
The dmarc module even passes the check if, for example, SPF passes and aligns and DKIM fails. But I'm not 100% sure if that's the correct way.
 
From: https://tools.ietf.org/html/rfc7489#section-6.6.2
 
5.  Conduct Identifier Alignment checks.  With authentication checks
       and policy discovery performed, the Mail Receiver checks to see
       if Authenticated Identifiers fall into alignment as described in
       Section 3.  If one or more of the Authenticated Identifiers align
       with the RFC5322.From domain, the message is considered to pass
       the DMARC mechanism check...

...

DMARC evaluation can only yield a "pass" result after one of the
   underlying authentication mechanisms passes for an aligned
   identifier...
...
Final disposition of a message is always a matter of local policy.
   An operator that wishes to favor DMARC policy over SPF policy, for
   example, will disregard the SPF policy, since enacting an
   SPF-determined rejection prevents evaluation of DKIM; DKIM might
   otherwise pass, satisfying the DMARC evaluation.
...
 
Sent: Wednesday, 03 October 2018 at 11:30
From: "Thomas Eckardt" <thomas.ecka...@thockar.com>
To: "ASSP development mailing list" <assp-test@lists.sourceforge.net>
Subject: Re: [Assp-test] DMARC Alignment
>Does ASSP actually check alignment when using DMARC?

Currently only for 'adkim'. The 'aspf' alignment check will be implemented in a later release.

>There also exists a DMARC module for perl. One could probably use that (we're already using modules for DKIM and SPF, so why not).

DMARC is implemented in ASSP V2 since 2012, the first trial version of Mail::DMARC was published in 2013.
I don't have the time to rewrite the complete ASSP DMARC code only to use this module and maybe to have some small improvements (e.g. send reports using http).
At the end, using this module would be problematic because it is unable to adopt authentication results from ARC-signatures and other authentication headers.

Thomas





From:        fr...@web.de
To:        assp-test@lists.sourceforge.net
Date:        02.10.2018 12:34
Subject:        [Assp-test] DMARC Alignment



Does ASSP actually check alignment when using DMARC?
 
I've sent a mail through ASSP with an obvious fake header "From:". The (header) domain has a DMARC entry, ASSP reports "DMARC pass".
If this was checked like the specification asks us to, it should not pass.
 
I've looked inside the code shortly and did not find anything that points in the direction of alignment checking.
Is this a desired behaviour so we don't get too many false positives? If that's the case I think it would be nice to have an option for the user to enable alignment checks.
There also exists a DMARC module for perl. One could probably use that (we're already using modules for DKIM and SPF, so why not).
Assp-test mailing list
Assp-test@lists.sourceforge.net

https://lists.sourceforge.net/lists/listinfo/assp-test
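
The rule debated in this thread (RFC 7489: a DMARC pass needs one underlying mechanism that passes for an aligned identifier), as an added example that is not part of any message above and is not ASSP or Mail::DMARC code. It assumes a small constructed suffix set in place of the Public Suffix List; the function names and sample domains are hypothetical.

```python
# Added illustration; not ASSP or Mail::DMARC code.
# Assumption: this small constructed set stands in for the Public Suffix List.
PUBLIC_SUFFIXES = {"com", "net", "org", "de", "co.uk"}

def org_domain(domain):
    """Organizational Domain: longest matching public suffix plus one label."""
    labels = domain.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[max(i - 1, 0):])
    return ".".join(labels[-2:])  # unknown suffix: fall back to two labels

def aligned(auth_domain, from_domain, mode="r"):
    """'s' (strict): exact match; 'r' (relaxed): same Organizational Domain."""
    a, f = auth_domain.lower().rstrip("."), from_domain.lower().rstrip(".")
    return a == f if mode == "s" else org_domain(a) == org_domain(f)

def dmarc_result(from_domain, spf, dkim_sigs=(), aspf="r", adkim="r"):
    """spf is (result, MAIL FROM domain); dkim_sigs holds (result, d= domain).
    One mechanism that both passes and aligns yields a DMARC pass."""
    spf_result, spf_domain = spf
    if spf_result == "pass" and aligned(spf_domain, from_domain, aspf):
        return "pass"
    for result, d in dkim_sigs:
        if result == "pass" and aligned(d, from_domain, adkim):
            return "pass"
    return "fail"

def demo():
    """Constructed cases mirroring the situations raised in the thread."""
    return {
        "spf aligned, no dkim": dmarc_result("example.de", ("pass", "mail.example.de")),
        "spf aligned, dkim fails": dmarc_result("example.de", ("pass", "example.de"), [("fail", "example.de")]),
        "forged From, spf passes for other domain": dmarc_result("example.com", ("pass", "unrelated.net"), [("pass", "unrelated.net")]),
        "strict aspf, subdomain sender": dmarc_result("example.de", ("pass", "mail.example.de"), aspf="s"),
        "spf fails, aligned dkim passes": dmarc_result("example.de", ("fail", "example.de"), [("pass", "example.de")]),
    }

if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{result:4}  {case}")
```
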



