On Sun, Apr 13, 2014 at 10:47 PM, Mark Sapiro <m...@msapiro.net> wrote:
> On 04/13/2014 03:17 PM, Mark Sapiro wrote:
>> On 04/13/2014 03:03 PM, Jim Popovitch wrote:
>>>
>>> DMARC checks alignment of *both* DKIM and SPF, if either is broken DMARC
>>> fails.
>>>
>>>> SPF does not check the "From:" header line, and that's where the
>>>> troubles begin with DMARC.
>>>
>>> SPF checks sending IPs (of which your IPs won't match Yahoo's, thus
>>> breaking DMARC)
>>>
>>> Either an SPF failure or a DKIM failure will cause a DMARC rejection
>>> if p=reject.
>>
>>
>> I'm not sure that's correct. I've been testing this so many ways, I'm
>> not sure what I'm seeing, but I think a reject requires BOTH DKIM and
>> SPF to be absent or fail. If either passes, no DMARC reject occurs.
>
>
> My reading of Sec 10.2 of the current draft DMARC standard
> <https://datatracker.ietf.org/doc/draft-kucherawy-dmarc-base/> says that
> either a valid DKIM signature or a valid SPF test is sufficient, but
> only if the domains are aligned which means the DKIM signing domain or
> the SPF envelope sender domain must match (in strict or relaxed mode)
> that of the From: address.
>
>    If one or more of the Authenticated Identifiers align
>    with the RFC5322.From domain, the message is considered to pass
>    the DMARC mechanism check.
>
> In particular, one's own SPF won't do because the domains won't align.
>

I (now) agree with that, it's "either" not both that passes a dmarc check.
Mailman always "breaks" dkim, so I never really considered what happens
if dkim passes but spf doesn't.

-Jim P.
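
The rule the thread settles on (per the quoted Sec 10.2 text, one passing identifier that aligns with the From: domain is enough), as an added Python sketch that is not part of the original messages and is not Mailman code. The function names, the small suffix set standing in for the Public Suffix List, and the host lists.example.org are assumptions made for illustration.

```python
# Added illustration of the DMARC identifier-alignment rule; not Mailman code.
# Constructed stand-in for the Public Suffix List that real evaluators use.
PUBLIC_SUFFIXES = {"com", "org", "net", "co.uk"}

def org_domain(domain):
    """Approximate the organizational domain: public suffix plus one label."""
    labels = domain.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[max(i - 1, 0):])
    return ".".join(labels[-2:])

def aligned(auth_domain, from_domain, mode="r"):
    """Strict ('s') needs an exact match; relaxed ('r') compares org domains."""
    a, f = auth_domain.lower().rstrip("."), from_domain.lower().rstrip(".")
    return a == f if mode == "s" else org_domain(a) == org_domain(f)

def dmarc_check(from_domain, spf, dkim_sigs, aspf="r", adkim="r"):
    """spf is (result, envelope sender domain); dkim_sigs is [(result, d=), ...].
    One identifier that both passes and aligns with From: is sufficient."""
    spf_ok = spf[0] == "pass" and aligned(spf[1], from_domain, aspf)
    dkim_ok = any(res == "pass" and aligned(d, from_domain, adkim)
                  for res, d in dkim_sigs)
    return "pass" if spf_ok or dkim_ok else "fail"

# Constructed scenarios; lists.example.org is a hypothetical list host.
SCENARIOS = {
    # List rewrote the body: author's DKIM breaks, list's own SPF/DKIM pass
    # but for the list's domain, which does not align with From: yahoo.com.
    "list_post": ("yahoo.com", ("pass", "lists.example.org"),
                  [("fail", "yahoo.com"), ("pass", "lists.example.org")]),
    # Unmodified relay: SPF fails at the new hop, aligned DKIM survives.
    "dkim_only": ("yahoo.com", ("fail", "yahoo.com"), [("pass", "yahoo.com")]),
    # Aligned SPF passes, no usable signature.
    "spf_only": ("yahoo.com", ("pass", "yahoo.com"), []),
}

def run_scenarios():
    return {name: dmarc_check(*args) for name, args in SCENARIOS.items()}

if __name__ == "__main__":
    for name, result in run_scenarios().items():
        print(f"{name}: DMARC {result}")
```

The `list_post` case fails even though two checks pass, because neither passing identifier belongs to the From: domain; with p=reject that is the message a receiver would refuse.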