On 04/27/2014 11:00 AM, Richard Damon wrote:
> One question I have had over how this works is why SPF is added to the
> mix. If the message passes SPF, then it has come directly from a server
> that is supposedly controlled by the sending provider. Said server
> should have been able to DKIM sign the message, so you should never see
> a message that passes SPF but fails DKIM.

SPF applies to the domain of the envelope sender, not the From: address.
It only says that the server that delivered this message is authorized
(or not) for the domain of the envelope sender.

> Was that option just put in to allow an organization to just implement
> SPF (and ignore DKIM), but change SPF to require the alignment to From: ?

I think the intent is that any domain that implements a DMARC policy
will both publish SPF and DKIM sign, but the draft spec explicitly
allows for the sending domain to not do both[1].

For a DMARC test to succeed either SPF must pass and the SPF domain must
align with the From: domain or there must be a valid DKIM signature with
a d= domain aligned with the From: domain.

Note that this doesn't represent any change in either SPF or DKIM. It is
just an additional requirement on the domains of these tests.

So, if a relay modifies the domain of the envelope sender, e.g. like
most mailing lists, changes it to some bounce@my.domain, SPF may pass,
but the domains won't align. For SPF to allow the message to pass DMARC
validation, the envelope sender's domain must align with the From:
domain and the server which delivered the mail to the recipient MTA must
be authorized by the SPF of the envelope sender's domain.

[1] From sec 10.2 of the draft spec.

   Heuristics applied in the absence of use by a Domain Owner of either
   SPF or DKIM (e.g., [Best-Guess-SPF]) SHOULD NOT be used, as it may be
   the case that the Domain Owner wishes a Message Receiver not to
   consider the results of that underlying authentication protocol at
   all.

-- 
Mark Sapiro <m...@msapiro.net>        The highway is for gamblers,
San Francisco Bay Area, California    better use your sense - B. Dylan
------------------------------------------------------
Mailman-Users mailing list Mailman-Users@python.org
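
The DMARC test described in the message above, as an added example that is not part of the original post or of Mailman: it evaluates the "SPF pass and aligned, or valid DKIM and aligned" rule for a direct delivery and for mail relayed through a list. The names, the sample domains and the two-label organizational-domain shortcut are assumptions; the strict/relaxed switch goes beyond the message and reflects DMARC's two alignment modes.

```python
from dataclasses import dataclass, field

def org_domain(domain: str) -> str:
    # Assumption: approximate the organizational domain as the last two
    # labels. Real receivers consult the Public Suffix List instead.
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def aligned(auth_domain: str, from_domain: str, strict: bool = False) -> bool:
    # Strict alignment: exact match. Relaxed: same organizational domain.
    a, f = auth_domain.lower().rstrip("."), from_domain.lower().rstrip(".")
    return a == f if strict else org_domain(a) == org_domain(f)

@dataclass
class Message:
    from_domain: str       # domain of the From: header address
    envelope_domain: str   # domain of the envelope sender (what SPF checks)
    spf_result: str        # SPF result for envelope_domain: "pass", "fail", ...
    dkim_valid_domains: list = field(default_factory=list)  # d= of valid signatures

def dmarc_eval(msg: Message, strict: bool = False) -> dict:
    # SPF counts only if it passed AND its domain aligns with From:.
    spf_ok = msg.spf_result == "pass" and aligned(
        msg.envelope_domain, msg.from_domain, strict)
    # DKIM counts only if some valid signature's d= aligns with From:.
    dkim_ok = any(aligned(d, msg.from_domain, strict)
                  for d in msg.dkim_valid_domains)
    return {"spf_aligned": spf_ok, "dkim_aligned": dkim_ok,
            "dmarc_pass": spf_ok or dkim_ok}

# Constructed sample messages (all domains are placeholders).
DIRECT = Message("example.com", "example.com", "pass", ["example.com"])
# List rewrote the envelope sender; no valid aligned signature remains.
VIA_LIST = Message("example.com", "lists.example.org", "pass", [])
# Same relay, but the author's domain signature still verifies.
VIA_LIST_DKIM_OK = Message("example.com", "lists.example.org", "pass",
                           ["example.com"])
# SPF-only sender using a subdomain for bounces, no DKIM at all.
SPF_ONLY = Message("example.com", "bounces.example.com", "pass", [])

if __name__ == "__main__":
    samples = {"direct": DIRECT, "via list": VIA_LIST,
               "via list, DKIM intact": VIA_LIST_DKIM_OK,
               "SPF only": SPF_ONLY}
    for name, m in samples.items():
        print(f"{name:24} {dmarc_eval(m)}")
```

The "via list" case shows the point made in the reply: SPF itself passes for the list's domain, yet it contributes nothing to DMARC because that domain does not align with From:.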