For all the reasons you have observed, PERMERROR is the optimal result. This makes it clear that this is a special case which requires special handling.
As for the concept, I disagree about it being a useful feature. Any configuration that does not occur at least once in every 100 million messages is not something that should be used. We cannot say that it is prohibited without creating a layer violation, so PERMERROR is the next best thing. Gmail has been blocking dual-from messages for years, so the practice has effectively been deprecated by the one player who is able to make these decisions unilaterally and make them stick. Doug Foster On Thu, Nov 10, 2022 at 12:26 PM Alessandro Vesely <ves...@tana.it> wrote: > On Thu 10/Nov/2022 18:21:55 +0100 Alessandro Vesely wrote: > > On Thu 10/Nov/2022 18:00:41 +0100 John Levine wrote: > >>>>> Does it mean that it is enough to add a second mailbox in order to > have > >>>>> the failure of the relevant DKIM signature become unmeaningful and > accept > >>>>> with dmarc=none? > >>>> > >>>> No, of course not. > >>> > >>> But then, what should a mail filter do when it meets one? > >> > >> Do whatever it does when there's no DMARC info. > > > > > > From: Your Bank <dmarc-protected@bank.example>, " skip DMARC" > <he.he@spammer.example> > > > The MUA ate the spaces. Perhaps: > > From: Your Bank <dmarc-protected@bank.example>, > "_____________________________skip DMARC" <he.he@spammer.example> > > > The signature fails, so it is treated as if there weren't any. The Bank's > policy is not looked up. > > > Best > Ale > -- > > > > > _______________________________________________ > dmarc mailing list > dmarc@ietf.org > https://www.ietf.org/mailman/listinfo/dmarc >
_______________________________________________ dmarc mailing list dmarc@ietf.org https://www.ietf.org/mailman/listinfo/dmarc