On March 21, 2024 2:15:00 PM UTC, Todd Herr 
<todd.herr=40valimail....@dmarc.ietf.org> wrote:
>On Thu, Mar 21, 2024 at 5:55 AM Alessandro Vesely <ves...@tana.it> wrote:
>
>> On Wed 20/Mar/2024 23:11:20 +0100 Matthäus Wander wrote:
>> > Alessandro Vesely wrote on 2024-03-20 15:42:
>> >> what is the result of DMARC on having, say
>> >>
>> >>      dkim=pass (testing key)
>> >> or
>> >>      dkim=policy (512 byte key)
>> >>
>> >> is that akin to SPF neutral, i.e. dmarc=fail?
>> >
>> > dkim=pass results in dmarc=pass (if the domain is aligned). The comment in
>> > brackets is for human eyes and does not change the DMARC result.
>>
>>
>> For t=y, DKIM says:
>>
>>        y  This domain is testing DKIM.  Verifiers MUST NOT treat messages
>>           from Signers in testing mode differently from unsigned email,
>>           even should the signature fail to verify.  Verifiers MAY wish
>>           to track testing mode results to assist the Signer.
>>
>> So reporting dkim=pass for testing keys seems to be a violation.
>>
>>
>> > dkim=policy is like spf=neutral, i.e. dmarc=fail.
>>
>>
>> Agreed.  Should that be mentioned in DMARCbis?
>>
>>
>I don't believe there's any need to discuss this topic in DMARCbis.
>
>DMARCbis, in section 4.1, DMARC Basics, says:
>
>===============================================================
>
>A message satisfies the DMARC checks if at least one of the supported
>authentication mechanisms:
>
>   1. produces a "pass" result, and
>   2. produces that result based on an identifier that is in alignment, as
>      described in Section 4.4.
>
>===============================================================
>
>If there's anything to say about reporting a DKIM pass result for DKIM
>signatures where t=y exists and its possible ramifications for DMARC, then
>I believe that's something for an update to RFC 6376 to address.
>

Except that we added a DMARC testing flag in DMARCbis, right?  It seems to me 
that it's reasonable to consider a test DKIM signature a pass for DMARC when 
the DMARC record says it's for testing, which would result in some sort of test 
pass result from DMARC.  That would, however, be a mess for a variety of 
reasons.

I think it would be reasonable to document in our document that this isn't how 
it works.  DKIM provides an output of a signing domain and verified/not 
verified.  DMARC requires a verified signature for an aligned domain to 
generate a pass result.  As you suggest, I think the DKIM test flag is only a 
consideration for the DKIM verifier.  Nothing to do with DMARC, so let's say 
that.

Scott K

_______________________________________________
dmarc mailing list
dmarc@ietf.org
https://www.ietf.org/mailman/listinfo/dmarc
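
The following is an added example, not part of the thread and not code from any DMARC implementation. It expresses the reading given above: the bracketed comment in an Authentication-Results entry does not change the DKIM result, and DMARC passes only on a "pass" for an aligned identifier. The header values are constructed, and `org_domain` is a simplified stand-in for a Public Suffix List lookup.

```python
import re

def strip_comments(value: str) -> str:
    """Remove parenthesised (possibly nested) comments from a header value."""
    out, depth = [], 0
    for ch in value:
        if ch == "(":
            depth += 1
        elif ch == ")" and depth:
            depth -= 1
        elif depth == 0:
            out.append(ch)
    return "".join(out)

def dkim_results(auth_results: str):
    """Yield (result, header.d domain) for each dkim entry after the authserv-id."""
    for part in strip_comments(auth_results).split(";")[1:]:
        m = re.match(r"\s*dkim\s*=\s*([a-z]+)", part, re.I)
        if not m:
            continue
        d = re.search(r"\bheader\.d\s*=\s*([^\s;]+)", part, re.I)
        yield m.group(1).lower(), (d.group(1).lower().rstrip(".") if d else None)

def org_domain(domain: str) -> str:
    # Assumption: the last two labels stand in for a Public Suffix List lookup.
    return ".".join(domain.split(".")[-2:])

def dmarc_dkim_pass(auth_results: str, from_domain: str, strict: bool = False) -> bool:
    """True if at least one DKIM result is "pass" on an aligned identifier."""
    from_domain = from_domain.lower().rstrip(".")
    for result, d in dkim_results(auth_results):
        if result != "pass" or d is None:
            continue  # "policy", "fail", "neutral" etc. never satisfy DMARC
        if strict:
            aligned = d == from_domain
        else:
            aligned = org_domain(d) == org_domain(from_domain)
        if aligned:
            return True
    return False

# Constructed sample header values (not taken from real mail).
TESTING_KEY = "mx.example.net; dkim=pass (testing key) header.d=example.com header.s=s1"
WEAK_KEY = "mx.example.net; dkim=policy (512 byte key) header.d=example.com header.s=s1"
UNALIGNED = "mx.example.net; dkim=pass header.d=other.example header.s=s1"

if __name__ == "__main__":
    for name, hdr in [("testing", TESTING_KEY), ("weak", WEAK_KEY), ("unaligned", UNALIGNED)]:
        print(name, dmarc_dkim_pass(hdr, "example.com"))
```

Whether a verifier should emit `dkim=pass` at all for a t=y key is decided before this point, in the DKIM verifier; the function only consumes the result it is given.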