This is DMARC -- the HELO domain has to match the header From: and there
has to be an SPF record that validates it.

True, but only if the MAIL FROM address is null and there isn’t a valid aligned DKIM signature.

True, but I don't see why that matters.

The most plausible case is that it's a bounce message

 From: mailer-dae...@mta27.foo.bar.example.com

the MAIL FROM is null, HELO is mta27.foo.bar.example.com, and the SPF
record for mta27.foo.bar.com says that IP is OK.

So in this case, why involve the HELO at all? One could just check the SPF record of the header From: that it’s trying to align with. Except that’s probably SenderID, not SPF.

Because that's how DMARC works. The header From has to match a DKIM or SPF identity.

Part of the problem here is that DMARC generally sits on top of an SPF library which doesn't tell you how it got its result. My DMARC code just calls the SPF library and uses the result. I suppose I could put in a hack to say don't use the SPF result if the MAIL FROM is null, but I don't think that's what 7489 says.

Regards,
John Levine, jo...@taugh.com, Taughannock Networks, Trumansburg NY
Please consider the environment before reading this e-mail. https://jl.ly
_______________________________________________
dmarc mailing list
dmarc@ietf.org
https://www.ietf.org/mailman/listinfo/dmarc
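
Added example (not from the thread or from any poster's DMARC code): the alignment check under discussion, with the SPF step reporting which identity it authenticated so the caller can see when the HELO fallback was used. Function names are hypothetical, and org_domain() assumes a two-label organizational domain where real code consults the Public Suffix List.

```python
# Added illustration; all function names are hypothetical.

def org_domain(domain):
    # Assumption: organizational domain = last two labels.
    # Real implementations use the Public Suffix List instead.
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])

def spf_identity(mail_from, helo):
    """Return (scope, domain) for the identity SPF authenticates.

    RFC 7208 section 2.4: with a null reverse-path, the MAIL FROM
    identity is taken to be postmaster@<HELO domain>.
    """
    addr = mail_from.strip("<> ")
    if not addr:
        return "helo", helo.lower()
    return "mfrom", addr.rsplit("@", 1)[-1].lower()

def aligned(auth_domain, from_domain, strict=False):
    # Strict alignment needs an exact match; relaxed compares org domains.
    if strict:
        return auth_domain.lower() == from_domain.lower()
    return org_domain(auth_domain) == org_domain(from_domain)

def dmarc_eval(header_from, mail_from, helo, spf_result,
               dkim_pass_domains=(), aspf_strict=False, adkim_strict=False):
    """DMARC passes if an aligned SPF identity or an aligned DKIM d= passed."""
    from_domain = header_from.rsplit("@", 1)[-1].lower()
    scope, spf_domain = spf_identity(mail_from, helo)
    spf_ok = spf_result == "pass" and aligned(spf_domain, from_domain, aspf_strict)
    dkim_ok = any(aligned(d, from_domain, adkim_strict) for d in dkim_pass_domains)
    return {"pass": spf_ok or dkim_ok, "spf_scope": scope,
            "spf_domain": spf_domain, "spf_aligned": spf_ok,
            "dkim_aligned": dkim_ok}

if __name__ == "__main__":
    host = "mta27.foo.bar.example.com"
    # Constructed inputs modelled on the bounce case in the thread.
    print(dmarc_eval("postmaster@" + host, "<>", host, "pass", aspf_strict=True))
    # Non-null MAIL FROM in another domain: HELO plays no part in alignment.
    print(dmarc_eval("postmaster@" + host, "<bounces@esp.example.net>", host, "pass"))
```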
