On 01/28/2014 12:45 AM, Franck Martin wrote:

*From: *"Rolf E. Sonneveld" <r.e.sonnev...@sonnection.nl>

    *To: *"George Moje" <george.m...@computershare.com>,
    "dmarc@ietf.org" <dmarc@ietf.org>
    *Sent: *Monday, January 27, 2014 3:04:13 PM
    *Subject: *Re: [dmarc-ietf] DMARC implementation Question

    On 01/24/2014 02:18 PM, George Moje wrote:

        Currently we are using SPF records but no DKIM.  Can we
        implement DMARC with just SPF records?


    According to par. 3.1.3 of the DMARC spec
    (https://datatracker.ietf.org/doc/draft-kucherawy-dmarc-base)
    DMARC assumes an author to set up and apply DKIM signing.

    Apart from that: be very careful when using only SPF in
    combination with DMARC: please take into account that for DMARC
    there's no difference between an SPF -all, ~all and ?all
    situation. None of them provide a 'pass' for DMARC, if I read the
    spec correctly.

No,

If the policy is p=none, DMARC should not override the SPF policy (especially for -all); DMARC with p=none does not change the way the email is treated with regard to SPF or ADSP. If p!=none then DMARC tells the receiver not to act on the SPF policy and tells the receiver to ignore ADSP, as DMARC will now tell how to handle the email.

Please re-read my message. I didn't mention a 'DMARC pass', I mentioned the result of SPF as input to the DMARC decision process. In that regard, neither SPF -all, nor ~all nor ?all give an 'SPF pass' input to DMARC. In addition to that, if the DNS lookup for the SPF record fails, it's up to the receiver to decide to give a tmpfail or a permanent fail. That was the reason I said: be careful when applying the combination SPF + DMARC without DKIM, as it may result in rejection of valid mail (in case p!=none).


However, regardless of the DMARC p=, DMARC takes the result of the SPF test (pass, softfail, fail, ...) and if there is a pass, compares the domain used by SPF for its pass with the domain in the From:. If there is alignment then you have a DMARC pass. You don't need DKIM to have a DMARC pass.

You need to do SPF and DKIM on all your emails for p!=none, because in some cases SPF is more suitable than DKIM and vice versa, so you want the benefit of both.

Right.

/rolf

_______________________________________________
dmarc mailing list
dmarc@ietf.org
https://www.ietf.org/mailman/listinfo/dmarc
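
The evaluation discussed in this thread, as an added example that is not part of the original messages or of the DMARC draft: a simplified Python model of how an SPF result and optional DKIM results feed the DMARC decision. The function names, the two-label organizational-domain shortcut and the example.com / example.net scenarios are assumptions constructed for illustration.

```python
# Added example: simplified DMARC evaluation. Not code from the thread or the spec.

def org_domain(domain):
    # Assumption: organizational domain = last two labels. Real receivers
    # consult the Public Suffix List (e.g. for names under co.uk).
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def aligned(auth_domain, from_domain, strict=False):
    a, f = auth_domain.lower().rstrip("."), from_domain.lower().rstrip(".")
    return a == f if strict else org_domain(a) == org_domain(f)

def dmarc_evaluate(from_domain, spf_result, spf_domain, dkim=(),
                   policy="none", strict=False):
    """Return (dmarc_result, disposition).

    spf_result: pass, fail, softfail, neutral, none, temperror or permerror
    spf_domain: the domain SPF checked (MAIL FROM)
    dkim: iterable of (result, d= domain), one entry per signature
    """
    # Only an SPF "pass" counts as input; fail (-all), softfail (~all) and
    # neutral (?all) all leave DMARC without an SPF pass.
    spf_ok = spf_result == "pass" and aligned(spf_domain, from_domain, strict)
    dkim_ok = any(r == "pass" and aligned(d, from_domain, strict) for r, d in dkim)
    if spf_ok or dkim_ok:
        return ("pass", "none")
    return ("fail", policy)  # published p= decides: none, quarantine or reject

# Constructed scenarios for mail with From: example.com.
SCENARIOS = [
    ("direct delivery, SPF only",
     dict(from_domain="example.com", spf_result="pass",
          spf_domain="bounce.example.com")),
    ("forwarded, SPF only",
     dict(from_domain="example.com", spf_result="softfail",
          spf_domain="bounce.example.com")),
    ("third-party sender, unaligned MAIL FROM",
     dict(from_domain="example.com", spf_result="pass",
          spf_domain="mailer.example.net")),
    ("forwarded, SPF and DKIM",
     dict(from_domain="example.com", spf_result="fail",
          spf_domain="bounce.example.com", dkim=[("pass", "example.com")])),
]

def run_scenarios(policy="reject"):
    return {name: dmarc_evaluate(policy=policy, **kw) for name, kw in SCENARIOS}

if __name__ == "__main__":
    for name, outcome in run_scenarios().items():
        print(f"{name:42} -> {outcome}")
```

With p=reject, the SPF-only forwarded message fails DMARC and is rejected, while the same message with an aligned DKIM signature passes.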
