Re: [dmarc-ietf] Ticket #1 - SPF alignment

Thu, 28 Jan 2021 04:13:26 -0800 

On Wed 27/Jan/2021 20:24:05 +0100 Scott Kitterman wrote:

On Wednesday, January 27, 2021 12:25:59 PM EST Alessandro Vesely wrote:


Can we fix this aberration?

The spec needs a fix anyway, because from the text I quoted above I
understood that the example message passes DMARC.  Am I the only one?

In addition, as I said, SPF filters are likely to report HELO as helo and
MAIL FROM as mailfrom.  If we want to carry over this quirk, the spec must
say that a DMARC filter which gathers SPF authentication status from an
upstream filter MUST make sure that mailfrom is empty before validating
based on an aligned helo.

Dropping that absurd discrimination between SPF identifiers would make for a
smoother spec.  Since non-null mailfroms are in most cases aligned with
either From: or helo, the differences between existing compliant
implementations and the smoother spec would be limited to a hardly
noticeable set of test messages.


Your absurd is my eminently reasonable.

I can't explain why it was added, but it makes sense, IMO, to have it there to
aid in reconstructing the exact situation for trouble shooting purposes.



Can you expand on how ignoring helo aids trouble shooting?



DMARC has always (for the SPF related portion) been about alignment of mail
from and from.  I don't think adding HELO has appreciable value and is
certainly not worth the added complexity to implement DMARC to include.




From an implementer POV, the complication stays in the idiosyncratic 
identifier processing.  I wonder how many do follow it strictly.  IMHO, a 
reasonable DMARC spec should either smooth out the discrimination or provide a 
clear explanation of why such peculiar processing is needed and what would 
happen if all identifiers were treated equal.




There are lots of ways that DMARC could have addressed SPF.  Personally I
thought it might make sense to skip using the mail from SPF result and just
check if the from address would pass if it were subjected to an SPF check, but
that's not the existing design.  I don't think it should be changed now.




Yeah, after you insisted, I vaguely recollected about an SPF argument that I 
had erased from memory.  I can't recall its merit.



DKIM'S d= are domains, and DKIM scope is exactly to identify a domain.  That's 
more akin to helo than mail from.



Best
Ale
--

























_______________________________________________
dmarc mailing list
dmarc@ietf.org
https://www.ietf.org/mailman/listinfo/dmarc



























					Reply via email to