> >DMARC leverages the Mail From identity, so I don't see how independent HELO
> >checks can be relevant.

> If you look at sections 2.3 and 2.4 of RFC 7208, a reasonable
> interpretation is that you check the HELO identity, and if you get a
> "definitive policy" result, you're done and return that to the caller.

> So a message comes from host mail.provider.com with From:
> b...@customer.com. The recipient host does an SPF check on
> mail.provider.com, it passes, so SPF is done. DMARC sees that the SPF
> domain isn't aligned so it ignores it, and DMARC says it's unaligned,
> even though an SPF check of customer.com might have passed.

> I can't say whether this is a bug in 7208 or a fundamental flaw in
> DMARC, but something is clearly wrong and this does not match what
> running code does. As things are written now, I don't see any way to
> demand that SPF look at the MAIL FROM if it likes the HELO.

> Fix 1: file an erratum on 7208 to say to switch the order, do the MAIL
> FROM check first and only do the HELO check otherwise. This may match
> some running code; I haven't looked.

> Fix 2: change 7208 to say that SPF can return multiple results. Ugh.

Filing an erratum for purposes of documenting the issue is fine, but since
this is a substantive change to the protocol it far exceeds the scope of what
approval of an erratum is allowed to do. As such, I believe the best outcome
you can get here would be "held for document update".

				Ned

_______________________________________________
dmarc mailing list
dmarc@ietf.org
https://www.ietf.org/mailman/listinfo/dmarc
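The scenario in the quoted message, simulated as an added example that is not code from the thread or from any SPF/DMARC implementation. It runs a deliberately minimal SPF evaluator (only `ip4` and `all` mechanisms, no `include`/`redirect`, no real DNS) over constructed records for the hypothetical domains mail.provider.com and customer.com, and compares the two identity orders John describes: HELO first with an early return on a conclusive result, versus MAIL FROM first with HELO as the fallback. Two simplifications are assumptions of this example, not anything the RFCs say: "conclusive" is taken to mean pass, fail or softfail, and the DMARC relaxed-alignment organizational domain is approximated as the last two labels instead of a public-suffix-list lookup.

```python
import ipaddress

# Constructed SPF records for hypothetical domains (not real DNS data).
# The sending host 192.0.2.10 (TEST-NET-1) is authorized by both records.
SPF_RECORDS = {
    "mail.provider.com": "v=spf1 ip4:192.0.2.10 -all",
    "customer.com": "v=spf1 ip4:192.0.2.0/24 -all",
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

# Assumption for this example: these results end the identity loop early.
CONCLUSIVE = {"pass", "fail", "softfail"}


def spf_eval(ip, domain):
    """Minimal SPF check: walks ip4 and all mechanisms of one record only."""
    record = SPF_RECORDS.get(domain)
    if record is None:
        return "none"
    addr = ipaddress.ip_address(ip)
    for term in record.split()[1:]:          # skip the v=spf1 version tag
        qual = "+"
        if term[0] in QUALIFIERS:
            qual, term = term[0], term[1:]
        if term == "all":
            return QUALIFIERS[qual]
        if term.startswith("ip4:"):
            if addr in ipaddress.ip_network(term[4:], strict=False):
                return QUALIFIERS[qual]
    return "neutral"                           # record exhausted without a match


def check_spf(ip, helo, mail_from, order):
    """Return (result, authenticated_domain) for the chosen identity order.

    order == "helo_first": RFC 7208 sections 2.3/2.4 read as in the message
    above; a conclusive HELO result is returned without looking at MAIL FROM.
    order == "mail_from_first": the proposed "Fix 1"; HELO only if MAIL FROM
    gave no conclusive result. An empty MAIL FROM (bounce) always falls back
    to HELO, which is what both readings do.
    """
    if not mail_from:
        identities = [helo]
    else:
        mail_from_domain = mail_from.rsplit("@", 1)[1]
        identities = ([helo, mail_from_domain] if order == "helo_first"
                      else [mail_from_domain, helo])
    result, domain = "none", identities[-1]
    for domain in identities:
        result = spf_eval(ip, domain)
        if result in CONCLUSIVE:
            break
    return result, domain


def org_domain(domain):
    """Assumption: organizational domain = last two labels (no PSL lookup)."""
    return ".".join(domain.lower().split(".")[-2:])


def dmarc_spf_aligned(spf_result, spf_domain, from_domain):
    """DMARC relaxed SPF alignment: pass AND same organizational domain."""
    return spf_result == "pass" and org_domain(spf_domain) == org_domain(from_domain)


def run_scenario(order):
    """The message from the thread: provider host, customer MAIL FROM and From:."""
    result, domain = check_spf("192.0.2.10", "mail.provider.com",
                               "bounces@customer.com", order)
    return result, domain, dmarc_spf_aligned(result, domain, "customer.com")


if __name__ == "__main__":
    for order in ("helo_first", "mail_from_first"):
        print(order, run_scenario(order))
```

With HELO checked first the SPF result is a pass for mail.provider.com, which DMARC discards as unaligned with customer.com; with MAIL FROM checked first the same message yields an aligned pass for customer.com. Nothing in the wire exchange differs between the two runs, only which identity the verifier chose to stop on.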