On 12/28/20 5:17 AM, Todd Herr wrote:
On Sat, Dec 26, 2020 at 6:48 PM Michael Thomas <m...@mtcc.com> wrote:


    I installed this handy dandy t-bird dkim verifier extension which also
    allows you to just use the upstream auth-res.  After fixing a bug in it,
    I could see that it lists DMARC as a fail when DKIM failed, but SPF
    passed. The _dmarc record has p=none, so it seems really odd to call
    that a DMARC failure. Shouldn't it just be using the appropriate p= tag
    instead of "fail"? Is this left over from when Auth-res was mainly
    for dkim?


A DMARC pass verdict requires not only that SPF or DKIM pass, but also that the SPF or DKIM domain in question align with the DMARC (RFC5322.From) domain. A message such as the following:

  * Return-Path: <f...@a.net>
  * DKIM domain: b.org
  * From: b...@c.com

Can get an SPF pass for a.net and have its DKIM signature validate, but still fail DMARC for c.com because neither a.net nor b.org align with c.com.

Can you share the example auth-res header(s) in question along with the DMARC policy record(s) for the message(s)?


Mail from this list is being set to DMARC=fail in the authentication results even when _DMARC is set to "p=none". My mail provider -- Google -- is the one that is creating that auth-res. I just looked through DMARC and AUTH-RES (RFC 7601) and couldn't find any guidance as to what qualifies as "fail". Did I overlook something?

My feeling is that failure should be reserved only in the case where both SPF and DKIM fail and that the p= > none. What I'd *really* like from a UI standpoint is the p= value passed along as well so I can decide to decorate reject differently from quarantine and none.

Mike

_______________________________________________
dmarc mailing list
dmarc@ietf.org
https://www.ietf.org/mailman/listinfo/dmarc
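
The alignment rule Todd describes, as an added example that is not part of the thread and is not the code of any verifier mentioned in it: the pass/fail result is computed from SPF and DKIM alignment with the From domain, and the p= tag is returned separately as the requested handling. Assumptions: all function names are hypothetical, the organizational domain is approximated as the last two labels (a real verifier uses the Public Suffix List), and the sample messages other than Todd's are constructed.

```python
# Added example: the DMARC result comes from alignment; p= is only the requested handling.

def org_domain(domain):
    # Assumption: last two labels. A real verifier uses the Public Suffix List.
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def aligned(auth_domain, from_domain, strict=False):
    # Strict mode needs an exact match; relaxed mode compares organizational domains.
    a, f = auth_domain.lower().rstrip("."), from_domain.lower().rstrip(".")
    return a == f if strict else org_domain(a) == org_domain(f)

def parse_policy(record):
    # Split a _dmarc TXT record such as "v=DMARC1; p=none" into a tag dict.
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip().lower()
    return tags

def evaluate_dmarc(from_domain, spf, dkim, record):
    # spf: (result, MAIL FROM domain); dkim: list of (result, d= domain).
    # Returns (dmarc_result, requested_policy).
    tags = parse_policy(record)
    spf_ok = spf[0] == "pass" and aligned(spf[1], from_domain, tags.get("aspf") == "s")
    dkim_ok = any(res == "pass" and aligned(d, from_domain, tags.get("adkim") == "s")
                  for res, d in dkim)
    return ("pass" if spf_ok or dkim_ok else "fail"), tags.get("p")

def demo():
    record = "v=DMARC1; p=none"  # constructed policy record
    return {
        # Todd's message: SPF and DKIM both pass, neither domain aligns with c.com.
        "unaligned": evaluate_dmarc("c.com", ("pass", "a.net"), [("pass", "b.org")], record),
        # Constructed list-relay case: aligned DKIM broken, SPF passes for the list's domain.
        "relayed": evaluate_dmarc("c.com", ("pass", "a.net"), [("fail", "c.com")], record),
        # Constructed: SPF passes for a subdomain of the From domain (relaxed alignment).
        "relaxed": evaluate_dmarc("c.com", ("pass", "mail.c.com"), [], record),
        # Same message, but the record demands strict SPF alignment.
        "strict": evaluate_dmarc("c.com", ("pass", "mail.c.com"), [], record + "; aspf=s"),
    }

if __name__ == "__main__":
    for name, outcome in demo().items():
        print(name, outcome)
```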
