> >DMARC leverages the Mail From identity, so I don't see how independent HELO 
> >checks can be relevant.

> If you look at sections 2.3 and 2.4 of RFC 7208, a reasonable
> interpretation is that you check the HELO identity, and if you get a
> "definitive policy" result, you're done and return that to the caller.

> So a message comes from host mail.provider.com with From:
> b...@customer.com.  The recipient host does an SPF check on
> mail.provider.com, it passes, so SPF is done.  DMARC sees that the SPF
> domain isn't aligned so it ignores it, and DMARC says it's unaligned,
> even though an SPF check of customer.com might have passed.

> I can't say whether this is a bug in 7208 or a fundamental flaw in
> DMARC, but something is clearly wrong and this does not match what
> running code does.  As things are written now, I don't see any way to
> demand that SPF look at the MAIL FROM if it likes the HELO.

> Fix 1: file an erratum on 7208 to say to switch the order, do the MAIL
> FROM check first and only do the HELO check otherwise.  This may match
> some running code, I haven't looked.

> Fix 2: change 7208 to say that SPF can return multiple results.  Ugh.

Filing an erratum for purposes of documenting the issue is fine, but since this
is a substantive change to the protocol it far exceeds the scope of what
approval of an erratum is allowed to do. As such, I believe the best outcome
you can get here would be "held for document update".

                                Ned
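To make the ordering question above concrete, here is an added example (not code from the thread, the RFC, or any SPF implementation) that runs the quoted scenario through both evaluation orders: the HELO-first reading of RFC 7208 sections 2.3/2.4, and the MAIL FROM-first order of "Fix 1". The DNS table is constructed, the IP addresses are documentation addresses, and the organizational-domain helper is a deliberate simplification (real DMARC implementations consult the Public Suffix List for relaxed alignment). DKIM is left out, so the DMARC verdict here reflects SPF alignment only.

```python
import ipaddress
from dataclasses import dataclass

# Constructed stand-in for DNS (not real records): domain -> ip4 networks the
# record authorizes. Each toy record is treated as ending in "-all".
SPF_RECORDS = {
    "mail.provider.com": ["192.0.2.10/32"],  # the provider's outbound host
    "customer.com": ["192.0.2.0/24"],        # customer authorizes the provider's range
}

@dataclass(frozen=True)
class SpfResult:
    result: str    # "pass", "fail" or "none"
    domain: str    # the domain whose record produced the result
    identity: str  # "helo" or "mailfrom"

def check_domain(domain, client_ip):
    """Evaluate one domain's (toy) SPF record against the connecting IP."""
    record = SPF_RECORDS.get(domain)
    if record is None:
        return "none"
    ip = ipaddress.ip_address(client_ip)
    if any(ip in ipaddress.ip_network(cidr) for cidr in record):
        return "pass"
    return "fail"

DEFINITIVE = {"pass", "fail"}

def spf_helo_first(helo, mailfrom_domain, client_ip):
    """The reading of RFC 7208 sections 2.3/2.4 discussed in the thread: check the
    HELO identity first and stop as soon as it yields a definitive result."""
    r = check_domain(helo, client_ip)
    if r in DEFINITIVE:
        return SpfResult(r, helo, "helo")
    return SpfResult(check_domain(mailfrom_domain, client_ip), mailfrom_domain, "mailfrom")

def spf_mailfrom_first(helo, mailfrom_domain, client_ip):
    """'Fix 1' from the thread: check MAIL FROM first, fall back to HELO otherwise."""
    r = check_domain(mailfrom_domain, client_ip)
    if r in DEFINITIVE:
        return SpfResult(r, mailfrom_domain, "mailfrom")
    return SpfResult(check_domain(helo, client_ip), helo, "helo")

def org_domain(domain):
    """Simplification: the last two labels stand in for the Public Suffix List
    lookup that real DMARC implementations use for relaxed alignment."""
    return ".".join(domain.lower().split(".")[-2:])

def spf_aligned(spf, header_from_domain, mode="relaxed"):
    """DMARC SPF alignment: the domain that produced the SPF pass must match
    the RFC5322.From domain (exactly in strict mode, by org domain in relaxed)."""
    if spf.result != "pass":
        return False
    if mode == "strict":
        return spf.domain.lower() == header_from_domain.lower()
    return org_domain(spf.domain) == org_domain(header_from_domain)

def dmarc_spf_verdict(helo, mailfrom_domain, header_from_domain, client_ip, spf_check):
    """DMARC outcome considering SPF only (DKIM omitted in this toy).
    Returns (verdict, SpfResult) so the caller can see which identity passed."""
    spf = spf_check(helo, mailfrom_domain, client_ip)
    return ("pass" if spf_aligned(spf, header_from_domain) else "fail"), spf

if __name__ == "__main__":
    # The scenario from the thread: mail.provider.com sends with a
    # customer.com MAIL FROM and a customer.com header From.
    args = ("mail.provider.com", "customer.com", "customer.com", "192.0.2.10")
    for name, fn in (("HELO first", spf_helo_first), ("MAIL FROM first", spf_mailfrom_first)):
        verdict, spf = dmarc_spf_verdict(*args, fn)
        print(f"{name:16} SPF {spf.result} on {spf.domain} ({spf.identity}) -> DMARC {verdict}")
```

Run as-is, the HELO-first order reports an SPF pass for mail.provider.com and DMARC fails on alignment, while the MAIL FROM-first order reports the pass for customer.com and DMARC passes, which is the discrepancy the thread is about. The same SPF input yields opposite DMARC verdicts purely from which identity the checker examined first.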

_______________________________________________
dmarc mailing list
dmarc@ietf.org
https://www.ietf.org/mailman/listinfo/dmarc
