On 10/17/2017 05:07 PM, Mark Sapiro wrote:
> The reference is the DMARC standard RFC 7489 <https://www.rfc-editor.org/rfc/rfc7489.txt>.

I need to go back and re-read that again.

> It's more complicated than the above. There is a concept of domain alignment. Alignment is satisfied in either "strict" or "relaxed" mode. A DMARC policy record may optionally specify either mode for DKIM alignment or SPF alignment or both, with the default being "relaxed".

My brain is failing to translate "corresponding organizational domains" to "sub-domains" properly and what that means for strict vs. relaxed.

> For a message to pass DMARC it must meet 1 of 2 requirements. 1) It must possess a valid DKIM signature from a domain aligned with the From: domain. In strict mode aligned means equal. In relaxed mode aligned means the corresponding organizational domains are equal. Or 2) It must pass SPF. SPF works on the domain of the SMTP envelope from. Thus for SPF to pass, that domain must publish an SPF record specifying the IP of the sending server as a permitted sender. Further, for DMARC the envelope from (SPF) domain must align with the From: domain. Again, in strict mode aligned means equal. In relaxed mode aligned means the corresponding organizational domains are equal.

As I was reading this, I realized that I may have conflated DMARC reporting with DMARC pass / fail.

> Note that if you are relaying mail, SPF probably will pass for your server if the envelope from domain is your server, but it won't align with an unmunged From: domain, and if it does align because you didn't rewrite it, SPF will fail unless the original sending domain publishes SPF that permits your server as a sender.

*nod*

> So the bottom line is, as an "unaffiliated" relay without munging From:, SPF will never pass for DMARC and DKIM will only pass if you don't transform the message in ways that break the From: domain's DKIM signature.

I assume that you're talking about the SMTP envelope from and not the From: header.

> There is a remote possibility that the originating domain that publishes a DMARC policy relies on SPF and doesn't DKIM sign the message, in which case unmunged, relayed mail will almost certainly fail DMARC.

I know someone who is doing exactly that, purely for the purpose of receiving the feedback reports.
-- Grant. . . . unix || die
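The pass/fail rules quoted above (aligned DKIM pass or aligned SPF pass, strict vs. relaxed alignment), worked through as an added Python example that is not from the thread. It approximates the organizational domain as the last two labels rather than consulting the Public Suffix List, and all domains and scenarios are constructed.

```python
"""DMARC pass/fail evaluation per RFC 7489 section 3.1 (added example)."""
from dataclasses import dataclass, field


def organizational_domain(domain: str) -> str:
    """Assumption: last two labels stand in for the Public Suffix List lookup."""
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def aligned(from_domain: str, auth_domain: str, mode: str) -> bool:
    """Strict ('s'): domains equal. Relaxed ('r'): organizational domains equal."""
    a = from_domain.lower().rstrip(".")
    b = auth_domain.lower().rstrip(".")
    if mode == "s":
        return a == b
    return organizational_domain(a) == organizational_domain(b)


@dataclass
class AuthResults:
    from_domain: str                  # RFC5322.From header domain
    dkim_domains: list = field(default_factory=list)  # d= of signatures that verified
    spf_domain: str = ""              # RFC5321.MailFrom (SMTP envelope from) domain
    spf_pass: bool = False            # did SPF itself pass for spf_domain?


def dmarc_passes(r: AuthResults, adkim: str = "r", aspf: str = "r") -> bool:
    """DMARC passes if any verified DKIM signature is aligned with From:,
    OR SPF passed and its envelope-from domain is aligned with From:."""
    dkim_ok = any(aligned(r.from_domain, d, adkim) for d in r.dkim_domains)
    spf_ok = r.spf_pass and aligned(r.from_domain, r.spf_domain, aspf)
    return dkim_ok or spf_ok


# Constructed scenarios mirroring the thread.
DIRECT = AuthResults("example.com", ["example.com"], "example.com", True)
# Unmunged relay: SPF passes for the relay's own envelope domain but does not
# align with From:, so only a surviving DKIM signature can carry the message.
RELAY_DKIM_INTACT = AuthResults("example.com", ["example.com"], "list.example.net", True)
RELAY_DKIM_BROKEN = AuthResults("example.com", [], "list.example.net", True)
# Signer is a subdomain of From:: aligned only in relaxed mode.
SUBDOMAIN_SIGNER = AuthResults("example.com", ["mail.example.com"], "list.example.net", True)
```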
------------------------------------------------------
Mailman-Users mailing list Mailman-Users@python.org https://mail.python.org/mailman/listinfo/mailman-users