On Tue, Dec 29, 2020 at 1:29 PM Michael Thomas <m...@mtcc.com> wrote:
> > On 12/29/20 10:01 AM, Todd Herr wrote: > > On Tue, Dec 29, 2020 at 12:48 PM Michael Thomas <m...@mtcc.com> wrote: > >> >> On 12/29/20 9:18 AM, Todd Herr wrote: >> >> >> The intent of the p= value is for the domain owner to communicate a >> request for message handling by the entity evaluation the DMARC results; a >> policy of p=none means "please treat this message the same as you would >> have if you hadn't performed a DMARC check on it, regardless of the result >> obtained from the check". >> >> Right, but that is not what Google at least is doing in their Auth-res. >> It's marking it as DMARC=fail. >> > I'm sorry, but I just don't do well with abstract concepts. Could you > please favor me with an example Authentication-Results header that's got > you vexed, so that I might understand what you're seeing? > > I just posted an example. > > > Again, the result of the validation check is independent of the p= value in the published policy. The p= value is a request by the domain owner for handling based on the validation check results. Let's look at your example: Return-Path: <dmarc-boun...@ietf.org> <dmarc-boun...@ietf.org> DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=ietf.org; s=ietf1; t=1609263631; bh=EGQWffHXRQ6gspv6YxtmRG6Fn28UIhBFVLnT2fAWP+A=; h=From:Date:In-reply-to:References:To:Subject:List-Id: List-Unsubscribe:List-Archive:List-Post:List-Help:List-Subscribe: Cc; b=aayvF8PgSyzrXOZYbNxAumLnlLbDQalrt4v/c80QwqvBZwDP3pKlwFBsokgbGdqyj NAzqqsrLPPXsYkTNPzmpsQmBkHhz9i+qWILS4DjGJEhDwtrz0X6PKXTLDVHgfUxgRt az2SiD/+IPA7iMqhsjjuerYU9UNIlD/Iq4dNtW3M= DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=ietf.org; s=ietf1; t=1609263624; bh=EGQWffHXRQ6gspv6YxtmRG6Fn28UIhBFVLnT2fAWP+A=; h=From:Date:In-reply-to:References:To:Subject:List-Id: List-Unsubscribe:List-Archive:List-Post:List-Help:List-Subscribe: Cc; b=PwU4/yuQPAZwBP5tbjxZEG1gunIJDSOkf7BOD5fFeiB9+0Kr9B5jxtcsdj8tncl0E PA0Fes+JZac4PX4NFJhQnXyP81gDZckIysH8SV6r3wUy9zxheqUWa0+OpsOaZTcU14 yPn4VMb1pn4H7YHpQfKDEgn6eKmQUfXq6jwZ9wSE= DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=mrochek.com; s=201712; t=1609263318; bh=ewHxwhE1IkhylbN6K9Ju/+CBAakzJSsXNExHQ9KhZnU=; h=From:Cc:Date:Subject:In-reply-to:References:To:From; b=PRr8Q7ZvkBTBM2pDFoj11yUAiARLH0Rdv/x6rtkAkorFjOltlWqOIa5XHklqPQ0zC IqZveNoYHzmwN9COu1NWEjWUI7TDAW5YoOpJwWtMmfqHvTOIOSfrOkH6Fh5KFR27Ly cKgMVOS40Foj24fHUoCMNqGHOaZttR+5IbF+Kqkg= From: ned+dm...@mrochek.com Authentication-Results: mx.google.com; dkim=pass header.i=@ietf.org header.s=ietf1 header.b=aayvF8Pg; dkim=pass header.i=@ietf.org header.s=ietf1 header.b="PwU4/yuQ"; dkim=neutral (body hash did not verify) header.i=@mrochek.com header.s=201712 header.b=PRr8Q7Zv; spf=pass (google.com: domain of dmarc-boun...@ietf.org designates 4.31.198.44 as permitted sender) smtp.mailfrom=dmarc-boun...@ietf.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=mrochek.com So, we have a message where: - SPF passed, with the Return-Path domain of ietf.org - DKIM passed (twice), with a DKIM signing domain of ietf.org - DKIM did not pass, with a DKIM signing domain of mrocheck.com - The RFC5322.From domain is mrochek.com, which publishes a DMARC policy record - A DMARC authentication check was done, and it failed, because neither SPF nor DKIM passed with a domain that aligned with mrochek.com. None of the validation checks bothered with the p= value in the mrochek.com DMARC policy record, because the p= value is immaterial to the validation check. Whether DMARC passes or fails is based on whether SPF or DKIM passes or fails with an aligned domain, full stop. Once the DMARC validation result is determined, then the mailbox provider or entity performing the DMARC validation check can refer to the p= value in determining how to dispose of the message, but it doesn't have to. It's worth noting perhaps that Google does record message disposition in the auth-res header, though: dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=mrochek.com As I understand it, the p= in that part of the header is the published policy, the sp= is the published policy for any subdomains, and dis= is the disposition for the message. In this case, the disposition was the same as the policy, but it's not always so; here's a bit from a message in my Gmail spam folder: dmarc=fail (p=REJECT sp=REJECT dis=QUARANTINE) In this case, DMARC validation checks failed for the message, and the published policy for the domain in question was p=reject, but the message was routed to my spam folder (dis=QUARANTINE) -- *Todd Herr* | Sr. Technical Program Manager *e:* todd.h...@valimail.com *p:* 703.220.4153 This email and all data transmitted with it contains confidential and/or proprietary information intended solely for the use of individual(s) authorized to receive it. If you are not an intended and authorized recipient you are hereby notified of any use, disclosure, copying or distribution of the information included in this transmission is prohibited and may be unlawful. Please immediately notify the sender by replying to this email and then delete it from your system.
_______________________________________________ dmarc mailing list dmarc@ietf.org https://www.ietf.org/mailman/listinfo/dmarc