On Sat, Dec 26, 2020 at 6:48 PM Michael Thomas <m...@mtcc.com> wrote:
> > I installed this handy dandy t-bird dkim verifier extension which also > allows you to just use the upstream auth-res. After fixing a bug in it, > I could see that it lists DMARC as a fail when DKIM failed, but SPF > passed. The _dmarc record has p=none, so it seems really odd to call > that a DMARC failure. Shouldn't it just be using the appropriate p= tag > instead of "fail"? Is this left over from when Auth-res was mainly for > dkim? > > A DMARC pass verdict requires not only that SPF or DKIM pass, but also that the SPF or DKIM domain in question align with the DMARC (RFC5322.From) domain. A message such as the following: - Return-Path: <f...@a.net> - DKIM domain: b.org - From: b...@c.com Can get an SPF pass for a.net and have its DKIM signature validate, but still fail DMARC for c.com because neither a.net nor b.org align with c.com. Can you share the example auth-res header(s) in question along with the DMARC policy record(s) for the message(s)? -- *Todd Herr* | Sr. Technical Program Manager *e:* todd.h...@valimail.com *p:* 703.220.4153 This email and all data transmitted with it contains confidential and/or proprietary information intended solely for the use of individual(s) authorized to receive it. If you are not an intended and authorized recipient you are hereby notified of any use, disclosure, copying or distribution of the information included in this transmission is prohibited and may be unlawful. Please immediately notify the sender by replying to this email and then delete it from your system.
_______________________________________________ dmarc mailing list dmarc@ietf.org https://www.ietf.org/mailman/listinfo/dmarc
