On Wednesday, December 24, 2014 19:22:21 Franck Martin wrote:
> ----- Original Message -----
> 
> > From: "Scott Kitterman" <skl...@kitterman.com>
> > To: dmarc@ietf.org
> > Sent: Wednesday, December 24, 2014 2:48:17 PM
> > Subject: Re: [dmarc-ietf] Jim Fenton's review of -04
> > 
> > On Wednesday, December 24, 2014 10:46:42 Murray S. Kucherawy wrote:
> > > On Wed, Dec 24, 2014 at 4:04 AM, Scott Kitterman <skl...@kitterman.com>
> > > 
> > > wrote:
> > > > The draft strongly encourages DMARC implementers to ignore SPF policy, so
> > > > I don't think assuming messages will be deferred due only to SPF or
> > > > DKIM results indicating a temporary DNS error is appropriate.
> > > 
> > > If there's a transient DNS error getting the SPF policy, then there's no
> > > SPF policy to be ignored.  That's quite a different situation.
> > > 
> > > > I think that in the case of a temporary DNS error in one of the lower
> > > > level protocols, insufficient inputs are available to conclude a message
> > > > has failed DMARC tests.
> > > 
> > > I agree.
> > > 
> > > > Receivers can either ignore DMARC for this message due to incomplete
> > > > evaluation or they can defer the message in the hope that the temporary
> > > > error will be resolved when the message is retried.  Receivers MUST NOT
> > > > apply DMARC policy and reject or quarantine because the DMARC evaluation
> > > > is incomplete.
> > > 
> > > Can you provide specific changes, with section numbers, that you'd like to
> > > see applied to resolve this?
> > 
> > Here's my suggestion.  Replace this text at the end of section 5.6.2:
> >    Handling of messages for which SPF and/or DKIM evaluation encounters
> >    a DNS error is left to the discretion of the Mail Receiver.  Further
> >    discussion is available in Section 5.6.3.
> > 
> > with:
> >    Messages for which SPF and/or DKIM evaluation encounters a temporary
> >    DNS error have not received a definitive result for steps 3 and/or 4
> >    above.
> >    If the message has not passed the DMARC mechanism check due to
> >    an SPF or DKIM check that did not have a DNS error, receivers can either
> >    ignore DMARC for this message due to incomplete evaluation or they
> >    can defer the message in the hope that the temporary error will be
> >    resolved when the message is retried.  Receivers MUST NOT apply DMARC
> >    policy and reject or quarantine the message because the DMARC
> >    evaluation is incomplete. When otherwise appropriate due to DMARC
> >    policy, receivers MAY send feedback reports regarding temporary errors.
> >    
> >    Handling of messages for which SPF and/or DKIM evaluation encounters
> >    a permanent DNS error is left to the discretion of the Mail Receiver.
> > 
> > How's that?
> 
> What about pointing it may be a security issue to let these messages
> through?

It's a security risk to let any messages through.  

What text would you suggest for an addition to security considerations?

Scott K

_______________________________________________
dmarc mailing list
dmarc@ietf.org
https://www.ietf.org/mailman/listinfo/dmarc
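The disposition logic in the text proposed above, written out as an added example (this is not code from the draft, from the IETF, or from any DMARC implementation). It assumes the SPF and DKIM results and their alignment with the RFC5322.From domain have already been computed by the receiver, takes the DMARC policy as a plain string, and, where the draft leaves permanent DNS errors to receiver discretion, treats them as a definitive non-pass; with p=none it skips deferral because the policy could not change delivery anyway. Both of those last points are choices of this example, not draft text.

```python
"""Decide the DMARC disposition of one message from its SPF and DKIM results.

Added illustration of the handling proposed in the thread above; the inputs
(results, alignment flags, policy string) are assumed to come from the
receiver's own SPF/DKIM verifiers and DMARC record lookup.
"""
from dataclasses import dataclass
from enum import Enum


class AuthResult(Enum):
    """Outcome of one underlying check, in Authentication-Results vocabulary."""
    PASS = "pass"
    FAIL = "fail"
    NONE = "none"
    TEMPERROR = "temperror"   # transient DNS error: no definitive result yet
    PERMERROR = "permerror"   # permanent DNS/record error: receiver discretion


class Disposition(Enum):
    DELIVER = "deliver"       # DMARC pass, or p=none: hand the message on
    QUARANTINE = "quarantine"
    REJECT = "reject"
    DEFER = "defer"           # answer 4xx so the sender retries after DNS recovers
    IGNORE = "ignore"         # evaluation incomplete; deliver without applying policy


@dataclass
class Inputs:
    spf: AuthResult
    spf_aligned: bool         # SPF-authenticated domain aligns with RFC5322.From
    dkim: AuthResult
    dkim_aligned: bool        # passing DKIM signature's d= aligns with RFC5322.From
    policy: str               # "none", "quarantine" or "reject" from the DMARC record


def dmarc_disposition(inp: Inputs, defer_on_temperror: bool = True):
    """Return (disposition, dmarc_result) where dmarc_result is what an
    aggregate/feedback report would carry for this message."""
    # Steps 3/4: one aligned pass from either mechanism is a DMARC pass, and
    # that holds even if the other mechanism hit a temporary DNS error.
    if (inp.spf is AuthResult.PASS and inp.spf_aligned) or \
       (inp.dkim is AuthResult.PASS and inp.dkim_aligned):
        return Disposition.DELIVER, "pass"

    # Neither mechanism passed.  If either one could not complete because of a
    # temporary DNS error the DMARC evaluation is incomplete: the receiver may
    # ignore DMARC for this message or defer it, but MUST NOT reject or
    # quarantine on the strength of an incomplete evaluation.
    if AuthResult.TEMPERROR in (inp.spf, inp.dkim):
        if inp.policy == "none" or not defer_on_temperror:
            # With p=none the policy could never change delivery, so deferring
            # buys nothing (a choice of this example, not draft text).
            return Disposition.IGNORE, "temperror"
        return Disposition.DEFER, "temperror"

    # Definitive non-pass.  Permanent DNS errors are left to receiver
    # discretion by the proposed text; this example treats them like "fail".
    if inp.policy == "reject":
        return Disposition.REJECT, "fail"
    if inp.policy == "quarantine":
        return Disposition.QUARANTINE, "fail"
    return Disposition.DELIVER, "fail"


if __name__ == "__main__":
    # Constructed sample: SPF failed outright, DKIM lookup hit a transient
    # DNS error, and the domain publishes p=reject.  The message is deferred,
    # not rejected, because steps 3/4 have no definitive result yet.
    sample = Inputs(AuthResult.FAIL, False, AuthResult.TEMPERROR, False, "reject")
    print(dmarc_disposition(sample))
```

The `defer_on_temperror` switch captures the two options the proposed text allows (defer so the sender retries, or ignore DMARC for this one message); whichever is chosen, the "temperror" result string is what would feed the optional feedback report mentioned in the text.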
