On 8/18/2020 12:48 PM, Todd Herr wrote:
> The race condition here is in item 5, "Emails that fail the DMARC mechanism check are disposed of in accordance with the discovered DMARC policy of the Domain Owner", specifically when both the Sender and From headers are present, the domains are different, both publish DMARC policies, and only one of the two domains passes DMARC validation checks for that message. In that case, the question of "Which policy to apply?", or more precisely, "Which validation check should be honored?" will really matter to the disposition of the message; if, for example, the From domain is at p=reject and fails, while the Sender domain publishes a policy with the required "snd" tag and passes, should the message be rejected or accepted?
So, yeah, the text for that needs significant changes. Thanks for raising this.
I was under some time pressure and merely copied that from the existing DMARC spec. In fact, I think that text in the DMARC spec isn't very good, so this would be a nice excuse for thinking through reasonable language carefully.
The basic issue, which creates the language challenge, is that receivers actually can and do do whatever they want. Language that pretends to dictate receiver action for this is unrealistic.
So the language should be cast in terms of the semantics of the information it is tossing into the receiver's analysis engine, rather than claiming to dictate receiver disposition of the message. IMO.
d/

--
Dave Crocker
Brandenburg InternetWorking
bbiw.net

_______________________________________________
dmarc mailing list
dmarc@ietf.org
https://www.ietf.org/mailman/listinfo/dmarc