On Mon 25/Jan/2021 22:35:09 +0100 Scott Kitterman wrote:
On Monday, January 25, 2021 4:04:33 PM EST Todd Herr wrote:

May I propose that the section labeled "SPF-Authenticated Identifiers" be
rewritten as follows:

[...]

   The reader should note that SPF alignment checks in DMARC rely solely
   on the RFC5321.MailFrom domain. This differs from section 2.3 of
   [@!RFC7208], which recommends that SPF checks be done on not only the
   "MAIL FROM" but also on a separate check of the "HELO" identity.

I think this is fine, but there is a subtlety to be aware of.

If you look at RFC 7208 Section 2.4, when Mail From is null, postmaster@HELO
is the mail from for SPF purposes.  DMARC really can't change that.

As a result, there are cases where Mail From results actually are derived from
HELO and it's unavoidable.


I doubt that SPF filters report envelope-from=postmaster@HELO; more likely they write helo=HELO. In that case, the paragraph quoted above is deceptive.


I believe the proposed text is clear enough about not using separate HELO
identity results and that's appropriate.

My filter collects SPF results recorded from an upstream SPF filter. It writes Received-SPF: lines for each identity. For NDNs, it writes a Received-SPF: for the HELO identity only. Am I allowed to use that result for DMARC?


Best
Ale
_______________________________________________
dmarc mailing list
dmarc@ietf.org
https://www.ietf.org/mailman/listinfo/dmarc
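
The null reverse-path case discussed in this thread, as an added example (not code from any poster's filter). It assumes the upstream filter writes an `identity=` key in each Received-SPF: line and that the caller knows the real RFC5321.MailFrom; the function names and sample headers are constructed, and treating the HELO result as the MAIL FROM result only for a null reverse-path is this example's reading of RFC 7208 Section 2.4.

```python
import re

def parse_received_spf(line):
    """Parse one Received-SPF header (RFC 7208 section 9.1) into a dict."""
    body = line.split(":", 1)[1].strip()
    result, _, rest = body.partition(" ")
    rest = re.sub(r"\([^()]*\)", "", rest)  # drop the (comment)
    fields = {"result": result.lower()}
    for pair in rest.split(";"):
        key, sep, value = pair.strip().partition("=")
        if sep:
            fields[key.strip().lower()] = value.strip().strip('"')
    return fields

def spf_for_dmarc(mail_from, header_lines):
    """Return (domain, result) of the SPF check usable for DMARC, or None.

    Non-null reverse-path: only the identity=mailfrom result counts and
    separate HELO results are ignored. Null reverse-path: the MAIL FROM
    identity is postmaster@HELO, so the HELO domain and its result are used.
    """
    path = mail_from.strip("<>")
    for rec in map(parse_received_spf, header_lines):
        identity = rec.get("identity")
        if path and identity == "mailfrom":
            return path.rsplit("@", 1)[-1].lower(), rec["result"]
        if not path and identity in ("helo", "mailfrom") and "helo" in rec:
            return rec["helo"].lower(), rec["result"]
    return None

def spf_aligned_strict(from_domain, mail_from, header_lines):
    """Strict DMARC SPF alignment: SPF pass and exact domain match."""
    found = spf_for_dmarc(mail_from, header_lines)
    return found is not None and found == (from_domain.lower(), "pass")

# Constructed sample headers (not taken from real mail).
HELO_ONLY = ('Received-SPF: pass (constructed sample) client-ip=192.0.2.1; '
             'helo=mta.example.net; identity=helo;')
MAILFROM = ('Received-SPF: fail (constructed sample) client-ip=192.0.2.1; '
            'envelope-from="user@example.com"; helo=mta.example.net; '
            'identity=mailfrom;')

if __name__ == "__main__":
    print(spf_for_dmarc("<>", [HELO_ONLY]))                  # NDN case
    print(spf_for_dmarc("user@example.com", [HELO_ONLY, MAILFROM]))
    print(spf_for_dmarc("user@example.com", [HELO_ONLY]))    # HELO not used
```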
