On 12/01/2013 04:36 PM, Franck Martin wrote:
> Murray,
>
> Raman was talking when the return-path is empty like for bounces.

Right.

> DMARC follows SPF and uses for alignment whatever SPF used to give a
> result. So when there is a return path, this is the domain in the
> return-path (envelope from) otherwise when the return-path is empty
> this is the domain in the helo/ehlo.
>
> From the text below from Raman, which describes the way DMARC works
> accurately, I'm not sure what alternate behavior DMARC should have?

The alternate behavior could be: DMARC alignment rules for RFC5322.From
would apply when there is an RFC5321.MailFrom address available.
Otherwise, DMARC falls back to the regular DKIM and/or SPF identification
rules. See below.

> Maybe the issue is: "The host in bar.com is a valid
> SPF sender for domain foo.com". However I have no idea how you can
> infer this statement programmatically. There is no DNS record today
> that allows you to infer it (?).

I may have stated the initial situation slightly incorrectly. I should
have said: the evaluation of the SPF record linked to the HELO/EHLO FQDN
was valid. See, for example:

http://www.openspf.org/FAQ/Common_mistakes#helo

In this case, the SPF evaluation based on the HELO/EHLO identification
and linked record is that the email is valid, but the extra DMARC
alignment rules cause a DMARC failure, since the HELO/EHLO domain does
not match the RFC5322.From domain.

If there was no DMARC RFC5322.From alignment rule against the SPF
HELO/EHLO identification in this case, is there a new abuse vector?

Regards,
Raman

> On Nov 30, 2013, at 10:39 PM, Murray S. Kucherawy <superu...@gmail.com> wrote:
>
>> Any other input on this point? DMARC currently only considers the
>> SPF result if there is alignment between the return path and the
>> From field.
>>
>>
>> On Mon, Sep 2, 2013 at 3:42 PM, Raman Gupta <rocketra...@gmail.com> wrote:
>>
>> I encountered a use case recently with an auto-generated email
>> with RFC5322.From domain foo.com, sent from a
>> host in domain bar.com. Because the email was
>> auto-generated by sieve, it contained a null return path. The
>> host in bar.com is a valid SPF sender for
>> domain foo.com.
>>
>> DMARC failed the SPF check despite the valid SPF, since the
>> RFC5322.From address was not aligned with the domain bar.com
>> extracted from the HELO/EHLO.
>>
>> A valid way to circumvent this problem is to use DKIM signing,
>> aligned with foo.com, in which case DMARC is
>> designed to ignore the SPF failure and pass overall.
>>
>> However, I do think this is a valid situation which the SPF
>> alignment rules should consider.
>>
>> I hope I have explained this sufficiently. Thank you to Steven
>> Jones and Scott Kitterman and others on the dmarc-discuss list
>> for clarifying the situation presented here.
>>
>> Regards,
>> Raman Gupta
>> Principal
>> VIVO Systems
>> _______________________________________________
>> dmarc mailing list
>> dmarc@ietf.org
>> https://www.ietf.org/mailman/listinfo/dmarc
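
The alignment behaviour discussed in this thread, as an added example that is not part of the original messages or of any DMARC implementation: it picks the domain SPF authenticated (return-path domain, or HELO/EHLO when the return path is null) and compares it with the RFC5322.From domain. The function names are hypothetical, the organizational-domain rule is a two-label simplification rather than a Public Suffix List lookup, and the sample inputs are constructed from the foo.com / bar.com scenario above.

```python
# Added illustration; helper names are hypothetical, not a real library's API.

def org_domain(domain):
    # Assumption: organizational domain = last two labels. A real evaluator
    # consults the Public Suffix List instead.
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def aligned(auth_domain, from_domain, strict=False):
    # Strict mode needs an exact match; relaxed mode compares organizational domains.
    a, f = auth_domain.lower().rstrip("."), from_domain.lower().rstrip(".")
    return a == f if strict else org_domain(a) == org_domain(f)

def spf_identity(mail_from, helo):
    # Null return path (bounces, sieve auto-replies): SPF evaluated HELO/EHLO,
    # so that is the domain compared with RFC5322.From.
    if mail_from.strip() in ("", "<>"):
        return helo
    return mail_from.strip().strip("<>").rsplit("@", 1)[-1]

def dmarc_eval(from_domain, mail_from, helo, spf_result,
               dkim_pass_domains=(), aspf_strict=False, adkim_strict=False):
    spf_dom = spf_identity(mail_from, helo)
    # An SPF pass only counts when the authenticated domain is aligned.
    spf_ok = spf_result == "pass" and aligned(spf_dom, from_domain, aspf_strict)
    # dkim_pass_domains: d= domains of signatures that already verified.
    dkim_ok = any(aligned(d, from_domain, adkim_strict) for d in dkim_pass_domains)
    return {"spf_domain": spf_dom, "spf_aligned": spf_ok, "dkim_aligned": dkim_ok,
            "dmarc": "pass" if spf_ok or dkim_ok else "fail"}

if __name__ == "__main__":
    # Constructed cases: From domain foo.com, null return path throughout.
    cases = {
        "HELO in bar.com, SPF pass": dict(helo="mx.bar.com"),
        "same, plus DKIM d=foo.com": dict(helo="mx.bar.com",
                                          dkim_pass_domains=("foo.com",)),
        "HELO in foo.com, relaxed": dict(helo="out.foo.com"),
        "HELO in foo.com, strict": dict(helo="out.foo.com", aspf_strict=True),
    }
    for name, kw in cases.items():
        print(name, "->", dmarc_eval("foo.com", "<>", spf_result="pass", **kw))
```
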