On 7/14/23 11:20 AM, Slavko via mailop wrote:
Hi,
Hi Slavko,
Possible? Yes. Expected? Hard to tell... See later.
From which point of view?
My experience is that hard and fast usually surfaces errors much closer
to the time they are introduced.
Conversely soft and slow usually causes errors to surface much later,
frequently after the change that introduced the error has left the
brain's cache. I usually see soft and slow errors written off as "I
don't know what caused that, I'll dig deeper if / when it happens
again." Thus becoming a circular loop.
With this in mind, my opinion is that hard and fast is often better /
less problematic in the long term.
We all make mistakes...
Yep.
I assume that you are aware of DMARC checking, as defined in RFC 7489,
thus I shorten only important parts. The receiver:
1. gets MIME From: domain
1. gets DMARC policy
2. does DKIM check
3. does SPF check
4. does alignment check
5. applies policy
My understanding of that RFC is that both SPF/DKIM checks happen
as part of DMARC.
Maybe. Not always.
The DMARC implementations that I use don't do the SPF nor DKIM checks
themselves. Instead there are other independent filters that do those
before the DMARC filter and the DMARC filter uses the results from those
tests.
That RFC clearly states that fail ("-all") can be applied by **some**
receivers before DMARC checks. I understand that section to be
included as a note that not all receivers do DMARC checks, not
as a suggestion to do that before DMARC. Am I wrong?
I'm fairly certain that SPF checks significantly pre-date DMARC.
Just because something can be done as part of DMARC doesn't mean that it
has to be done as part of DMARC.
My understanding is that DMARC compliant receivers don't
do independent SPF/DKIM checks, they are done as part of
DMARC (see diagram in RFC). But doing these independent checks
is not exactly prohibited, which IMO really lacks there.
Why does the SPF check need to wait until the DMARC check which needs
the body (DATA)?
Why can't SPF be checked very much earlier at the MAIL FROM stage before
the body (DATA) is sent?
Of course, where I wrote independent check, I mean apply
result too.
Agree, but I don't extract business to separate category.
There are businesses hosting their own email which only affects them and
then there are businesses that host other people's email as a service.
I think the two are quite different in many regards. E.g. Google does
things quite differently for @google.com email than their Gmail product
does for @gmail.com email. GSuite hosted email is even more different.
Yes, starting without encryption is good. It makes debugging/learning
significantly simpler.
:-)
I remember my 28.8 kbit/s modem and download 50 MB MySQL
upgrade as whole day task ;-)
:-)
E.g. MTAs are prohibited from modifying messages. But yes, they do it...
I question the veracity of that.
Sometimes MTAs are forced to modify messages. I usually see it when the
MSA or upstream MTAs support 8BITMIME and downstream MTA(s) don't. Thus
the last 8BITMIME supporting MTA *MUST* convert to 7-bit messages if the
sender utilized 8BITMIME.
I know that there are other scenarios where an MTA will alter a message
in transit. This is one of the reasons why DKIM has relaxed and simple
canonicalization.
I was not clear enough, these instances are not running on the same host
(container) for the same reasons as you mentioned, sorry.
Thank you for clarifying.
regards
:-)
Thank you and have a good day,
Grant. . . .
_______________________________________________
mailop mailing list
mailop@mailop.org
https://list.mailop.org/listinfo/mailop
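
The arrangement discussed in this thread, where independent SPF and DKIM filters run first and a separate DMARC filter only consumes their results, sketched as an added example (not code from either poster or from any particular filter). The function names, the two-label organizational-domain shortcut and the sample header are assumptions made for illustration.

```python
import re

def org_domain(domain):
    # Assumption: organizational domain = last two labels. Real DMARC
    # filters use the Public Suffix List here (RFC 7489 section 3.2).
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def aligned(auth_domain, from_domain, mode):
    # mode "s" = strict (exact match), "r" = relaxed (same organizational domain)
    a, f = auth_domain.lower(), from_domain.lower()
    return a == f if mode == "s" else org_domain(a) == org_domain(f)

def parse_policy(txt):
    # Parse a DMARC TXT record such as "v=DMARC1; p=reject; aspf=s"
    tags = dict(t.strip().split("=", 1) for t in txt.split(";") if "=" in t)
    return {k.strip().lower(): v.strip() for k, v in tags.items()}

def parse_auth_results(header):
    # Extract (method, result, domain) from an Authentication-Results header
    # written by the upstream SPF and DKIM filters (RFC 8601).
    found = []
    for clause in header.split(";")[1:]:
        m = re.match(r"\s*(spf|dkim)=(\w+)", clause)
        d = re.search(r"(?:smtp\.mailfrom|header\.d)=(?:[^\s@]*@)?([\w.-]+)", clause)
        if m and d:
            found.append((m.group(1), m.group(2).lower(), d.group(1)))
    return found

def dmarc_disposition(from_domain, policy_txt, auth_results_header):
    # DMARC passes if any upstream "pass" is aligned with the From: domain;
    # otherwise the published policy (p=) is the requested disposition.
    policy = parse_policy(policy_txt)
    modes = {"spf": policy.get("aspf", "r"), "dkim": policy.get("adkim", "r")}
    for method, result, domain in parse_auth_results(auth_results_header):
        if result == "pass" and aligned(domain, from_domain, modes[method]):
            return "pass", "none"
    return "fail", policy.get("p", "none")

# Constructed sample: results as an upstream filter might have recorded them.
SAMPLE_AR = ("mx.example.net; spf=pass smtp.mailfrom=bounce@mail.example.org; "
             "dkim=fail header.d=example.org")

if __name__ == "__main__":
    print(dmarc_disposition("example.org", "v=DMARC1; p=reject; aspf=s", SAMPLE_AR))
    print(dmarc_disposition("example.org", "v=DMARC1; p=reject", SAMPLE_AR))
```

An SPF hard fail rejected at MAIL FROM never reaches this function at all, because the DMARC step needs the From: header and therefore runs only after DATA.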