On Sun, Mar 31, 2024 at 5:22 AM Douglas Foster <dougfoster.emailstanda...@gmail.com> wrote:
> On SPF, our document should say simply,
> "a DMARC-compliant evaluator MUST NOT reject a message, based on SPF
> result, prior to receiving the Data section and checking for aligned and
> verifiable signatures."
>
> Of course, evaluators may still reject early based on known-bad server or
> known-bad Mail From domain, but not based on SPF alone.
>
> I weary of the notion that the solution to all authentication problems is
> to stop authenticating.
>

I suggest that we need to be clear on what "evaluator" is in that sentence.

I think the proposed text makes architectural assumptions that may not be universally true. For instance, an upstream SPF filter might do something dispositive to the message before the DMARC implementation even gets a chance to see the body. So if "evaluator" is the DMARC implementation specifically, we don't know if it's compliant or not because it never got a chance to see the message body (the DATA section). But if "evaluator" is the operator's overall receiving function, of which both of those implementations are a part, then I think that assertion is probably correct.

Overall, I would hope that operators understand that DKIM (and thus DMARC) can't be evaluated if the message is rejected before the body arrives, but I suppose it can't hurt to remind them.

-MSK, p11g
_______________________________________________
dmarc mailing list
dmarc@ietf.org
https://www.ietf.org/mailman/listinfo/dmarc
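
The architectural point in this exchange, as an added example that is not part of either message: a simplified Python model of an operator's whole receiving function, comparing an upstream filter that rejects on SPF at MAIL FROM with one that waits until after DATA. The SPF and DKIM results are constructed inputs rather than real checks, and `org_domain` is a hypothetical two-label approximation of organizational-domain lookup.

```python
# Simplified model (added example): SPF/DKIM results are constructed inputs,
# not real DNS lookups or signature verification.
from dataclasses import dataclass, field

def org_domain(domain: str) -> str:
    # Assumption: organizational domain = last two labels. A real
    # implementation would consult the Public Suffix List.
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def aligned(a: str, b: str) -> bool:
    # Relaxed alignment: the organizational domains match.
    return org_domain(a) == org_domain(b)

@dataclass
class Message:
    mail_from_domain: str      # envelope MAIL FROM domain, known before DATA
    header_from_domain: str    # header From domain, known only after DATA
    spf_result: str            # "pass" or "fail", computable at MAIL FROM
    dkim_pass_domains: list = field(default_factory=list)  # d= of verified signatures

def dmarc_pass(msg: Message) -> bool:
    # DMARC passes if either mechanism passes with an aligned identifier.
    spf_ok = (msg.spf_result == "pass"
              and aligned(msg.mail_from_domain, msg.header_from_domain))
    dkim_ok = any(aligned(d, msg.header_from_domain) for d in msg.dkim_pass_domains)
    return spf_ok or dkim_ok

def receive(msg: Message, reject_on_spf_before_data: bool) -> str:
    """Outcome for the operator's overall receiving function."""
    # Stage 1: MAIL FROM. Only the envelope and client address are visible.
    if reject_on_spf_before_data and msg.spf_result == "fail":
        return "rejected at MAIL FROM (DKIM and DMARC never evaluated)"
    # Stage 2: after DATA. Header From and signatures are now available.
    if dmarc_pass(msg):
        return "accepted after DATA (DMARC pass)"
    return "DMARC fail after DATA (apply domain owner policy)"

# Constructed sample: forwarded mail, SPF fails at the forwarder's address,
# but the original aligned DKIM signature still verifies.
forwarded = Message("example.com", "example.com", "fail", ["mail.example.com"])
# Constructed sample: SPF fails and no aligned signature verifies.
unauthenticated = Message("example.com", "example.com", "fail", [])

if __name__ == "__main__":
    for m in (forwarded, unauthenticated):
        print(receive(m, True), "|", receive(m, False))
```

With the early SPF reject enabled, both samples get the same outcome, so the DMARC component downstream never has the chance to distinguish the forwarded message from the unauthenticated one.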