On January 22, 2015 6:17:28 PM EST, John Levine <jo...@taugh.com> wrote:
>>DMARC leverages the Mail From identity, so I don't see how independent
>HELO checks can be relevant.
>
>If you look at sections 2.3 and 2.4 of RFC 7208, a reasonable
>interpretation is that you check the HELO identity, and if you get a
>"definitive policy" result, you're done and return that to the caller.
>
>So a message comes from host mail.provider.com with From:
>b...@customer.com. The recipient host does an SPF check on
>mail.provider.com, it passes, so SPF is done. DMARC sees that the SPF
>domain isn't aligned so it ignores it, and DMARC says it's unaligned,
>even though an SPF check of customer.com might have passed.
>
>I can't say whether this is a bug in 7208 or a fundamental flaw in
>DMARC, but something is clearly wrong and this does not match what
>running code does. As things are written now, I don't see any way to
>demand that SPF look at the MAIL FROM if it likes the HELO.
>
>Fix 1: file an erratum on 7208 to say to switch the order, do the MAIL
>FROM check first and only do the HELO check otherwise. This may match
>some running code, I haven't looked.
>
>Fix 2: change 7208 to say that SPF can return multiple results. Ugh.
4408 and 7208 both suggest multiple calls to check_host(), each with a single result. If I were configuring an SPF verifier to provide an input to DMARC processing, then I would probably configure it not to reject based on SPF fail. Then the problem doesn't arise. This really is a non-issue.

Scott K

_______________________________________________
dmarc mailing list
dmarc@ietf.org
https://www.ietf.org/mailman/listinfo/dmarc
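The scenario John describes, as an added example that is not code from the thread or from any SPF library: a cut-down check_host() called once per identity, so the HELO-short-circuit reading of RFC 7208 and a separate MAIL FROM check can be compared for DMARC alignment. Hostnames, addresses and SPF records are constructed; "definitive" is assumed to mean pass or fail, and the organizational domain is approximated by the last two labels rather than a public-suffix lookup.

```python
import ipaddress

# Constructed SPF records standing in for DNS TXT lookups (documentation IP range).
SPF_RECORDS = {
    "mail.provider.com": "v=spf1 ip4:192.0.2.10 -all",
    "provider.com": "v=spf1 ip4:192.0.2.0/24 -all",
    "customer.com": "v=spf1 include:provider.com -all",
}
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def check_host(ip, domain, depth=0):
    """Cut-down RFC 7208 check_host(): ip4, include and all mechanisms only.
    One identity in, one SPF result out, as the RFC specifies."""
    record = SPF_RECORDS.get(domain)
    if record is None:
        return "none"
    if depth > 10:                      # stand-in for the RFC 7208 lookup limit
        return "permerror"
    addr = ipaddress.ip_address(ip)
    for term in record.split()[1:]:
        qual, mech = (term[0], term[1:]) if term[0] in QUALIFIERS else ("+", term)
        name, _, arg = mech.partition(":")
        matched = (
            (name == "ip4" and addr in ipaddress.ip_network(arg, strict=False))
            or (name == "include" and check_host(ip, arg, depth + 1) == "pass")
            or name == "all"
        )
        if matched:
            return QUALIFIERS[qual]
    return "neutral"

def spf_stop_at_helo(ip, helo, mail_from_domain):
    """The sections 2.3/2.4 reading: a definitive (assumed: pass/fail) HELO
    result ends the check; otherwise fall through to MAIL FROM."""
    helo_result = check_host(ip, helo)
    if helo_result in ("pass", "fail"):
        return helo, helo_result
    return mail_from_domain, check_host(ip, mail_from_domain)

def org_domain(domain):
    """Simplification: last two labels instead of a public-suffix lookup."""
    return ".".join(domain.lower().split(".")[-2:])

def dmarc_spf_aligned(spf_domain, spf_result, from_domain):
    """Relaxed DMARC alignment: SPF pass and matching organizational domain."""
    return spf_result == "pass" and org_domain(spf_domain) == org_domain(from_domain)

def evaluate(ip, helo, mail_from_domain, from_domain):
    """Return (aligned if HELO short-circuits, aligned if MAIL FROM is checked)."""
    short = dmarc_spf_aligned(*spf_stop_at_helo(ip, helo, mail_from_domain), from_domain)
    full = dmarc_spf_aligned(mail_from_domain, check_host(ip, mail_from_domain), from_domain)
    return short, full
```

For John's message (192.0.2.10, HELO mail.provider.com, MAIL FROM and From: at customer.com) evaluate() returns (False, True): the HELO-only result is unaligned while the separate MAIL FROM result passes and aligns.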