On Tue, Dec 29, 2020 at 1:29 PM Michael Thomas <m...@mtcc.com> wrote:
>
> On 12/29/20 10:01 AM, Todd Herr wrote:
>
> On Tue, Dec 29, 2020 at 12:48 PM Michael Thomas <m...@mtcc.com> wrote:
>
>>
>> On 12/29/20 9:18 AM, Todd Herr wrote:
>>
>>
>> The intent of the p= value is for the domain owner to communicate a
>> request for message handling by the entity evaluation the DMARC results; a
>> policy of p=none means "please treat this message the same as you would
>> have if you hadn't performed a DMARC check on it, regardless of the result
>> obtained from the check".
>>
>> Right, but that is not what Google at least is doing in their Auth-res.
>> It's marking it as DMARC=fail.
>>
> I'm sorry, but I just don't do well with abstract concepts. Could you
> please favor me with an example Authentication-Results header that's got
> you vexed, so that I might understand what you're seeing?
>
> I just posted an example.
>
>
> Again, the result of the validation check is independent of the p= value
in the published policy. The p= value is a request by the domain owner for
handling based on the validation check results.
Let's look at your example:
Return-Path: <dmarc-boun...@ietf.org> <dmarc-boun...@ietf.org>
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=ietf.org; s=ietf1;
t=1609263631; bh=EGQWffHXRQ6gspv6YxtmRG6Fn28UIhBFVLnT2fAWP+A=;
h=From:Date:In-reply-to:References:To:Subject:List-Id:
List-Unsubscribe:List-Archive:List-Post:List-Help:List-Subscribe:
Cc;
b=aayvF8PgSyzrXOZYbNxAumLnlLbDQalrt4v/c80QwqvBZwDP3pKlwFBsokgbGdqyj
NAzqqsrLPPXsYkTNPzmpsQmBkHhz9i+qWILS4DjGJEhDwtrz0X6PKXTLDVHgfUxgRt
az2SiD/+IPA7iMqhsjjuerYU9UNIlD/Iq4dNtW3M=
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=ietf.org; s=ietf1;
t=1609263624; bh=EGQWffHXRQ6gspv6YxtmRG6Fn28UIhBFVLnT2fAWP+A=;
h=From:Date:In-reply-to:References:To:Subject:List-Id:
List-Unsubscribe:List-Archive:List-Post:List-Help:List-Subscribe:
Cc;
b=PwU4/yuQPAZwBP5tbjxZEG1gunIJDSOkf7BOD5fFeiB9+0Kr9B5jxtcsdj8tncl0E
PA0Fes+JZac4PX4NFJhQnXyP81gDZckIysH8SV6r3wUy9zxheqUWa0+OpsOaZTcU14
yPn4VMb1pn4H7YHpQfKDEgn6eKmQUfXq6jwZ9wSE=
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=mrochek.com; s=201712;
t=1609263318; bh=ewHxwhE1IkhylbN6K9Ju/+CBAakzJSsXNExHQ9KhZnU=;
h=From:Cc:Date:Subject:In-reply-to:References:To:From;
b=PRr8Q7ZvkBTBM2pDFoj11yUAiARLH0Rdv/x6rtkAkorFjOltlWqOIa5XHklqPQ0zC
IqZveNoYHzmwN9COu1NWEjWUI7TDAW5YoOpJwWtMmfqHvTOIOSfrOkH6Fh5KFR27Ly
cKgMVOS40Foj24fHUoCMNqGHOaZttR+5IbF+Kqkg=
From: ned+dm...@mrochek.com
Authentication-Results: mx.google.com;
dkim=pass header.i=@ietf.org header.s=ietf1 header.b=aayvF8Pg;
dkim=pass header.i=@ietf.org header.s=ietf1 header.b="PwU4/yuQ";
dkim=neutral (body hash did not verify) header.i=@mrochek.com
header.s=201712 header.b=PRr8Q7Zv;
spf=pass (google.com: domain of dmarc-boun...@ietf.org
designates 4.31.198.44 as permitted sender)
smtp.mailfrom=dmarc-boun...@ietf.org;
dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=mrochek.com
So, we have a message where:
- SPF passed, with the Return-Path domain of ietf.org
- DKIM passed (twice), with a DKIM signing domain of ietf.org
- DKIM did not pass, with a DKIM signing domain of mrocheck.com
- The RFC5322.From domain is mrochek.com, which publishes a DMARC
policy record
- A DMARC authentication check was done, and it failed, because
neither SPF nor DKIM passed with a domain that aligned with
mrochek.com.
None of the validation checks bothered with the p= value in the
mrochek.com DMARC policy record, because the p= value is immaterial to
the validation check. Whether DMARC passes or fails is based on
whether SPF or DKIM passes or fails with an aligned domain, full stop.
Once the DMARC validation result is determined, then the mailbox
provider or entity performing the DMARC validation check can refer to
the p= value in determining how to dispose of the message, but it
doesn't have to. It's worth noting perhaps that Google does record
message disposition in the auth-res header, though:
dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=mrochek.com
As I understand it, the p= in that part of the header is the published
policy, the sp= is the published policy for any subdomains, and dis=
is the disposition for the message. In this case, the disposition was
the same as the policy, but it's not always so; here's a bit from a
message in my Gmail spam folder:
dmarc=fail (p=REJECT sp=REJECT dis=QUARANTINE)
In this case, DMARC validation checks failed for the message, and the
published policy for the domain in question was p=reject, but the
message was routed to my spam folder (dis=QUARANTINE)
--
*Todd Herr* | Sr. Technical Program Manager
*e:* todd.h...@valimail.com
*p:* 703.220.4153
This email and all data transmitted with it contains confidential and/or
proprietary information intended solely for the use of individual(s)
authorized to receive it. If you are not an intended and authorized
recipient you are hereby notified of any use, disclosure, copying or
distribution of the information included in this transmission is prohibited
and may be unlawful. Please immediately notify the sender by replying to
this email and then delete it from your system.
_______________________________________________
dmarc mailing list
dmarc@ietf.org
https://www.ietf.org/mailman/listinfo/dmarc
