Re: [dmarc-ietf] DMARC implementation Question

2014-01-27 Thread Roland Turner

On 01/28/2014 02:52 PM, Rolf E. Sonneveld wrote:

> Please re-read my message. I didn't mention a 'DMARC pass', I
> mentioned the result of SPF as input to the DMARC decision process. In
> that regard, neither SPF -all, nor ~all nor ?all give an 'SPF pass'
> input to DMARC.


While it is literally true that -all/~all/?all don't yield passes, this 
is not how most people would interpret your message: it comes across as 
though you are trying to claim that an SPF record with -all/~all/?all at 
the end of it can't yield a pass despite that clearly not being true 
(any SPF pass being a result of an earlier part of the record).


In either case, this does not affect DMARC operation. When SPF 
evaluation passes, DMARC interprets that as a pass (for the 
5321.MailFrom domain), regardless of which of -all/~all/?all is used, or 
even if none of them are used. It would be rather unusual to implement 
DMARC without DKIM, but is not impossible.


I'd suggest that the more important question is what the OP is trying to 
achieve with DMARC in the first place. Given that they don't have DKIM 
implemented they presumably don't have a spoofing problem, in which case 
DMARC is of limited value other than for monitoring (in which case the 
absence of DKIM isn't a problem).


- Roland
___
dmarc mailing list
dmarc@ietf.org
https://www.ietf.org/mailman/listinfo/dmarc
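
An added example (not part of the thread or any poster's code) of the point made in the reply above: an SPF pass comes from an earlier mechanism whatever the trailing `all` qualifier is, and DMARC needs that pass plus alignment with the From: domain. It assumes a simplified SPF evaluator (only `ip4:`/`ip6:` and `all`), a two-label approximation of the organizational domain, and constructed records, addresses and domains.

```python
import ipaddress

RESULTS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

# Constructed sample records: same mechanism, different trailing qualifier.
RECORDS = [
    "v=spf1 ip4:192.0.2.0/24 -all",
    "v=spf1 ip4:192.0.2.0/24 ~all",
    "v=spf1 ip4:192.0.2.0/24 ?all",
]

def spf_result(record, client_ip):
    """Simplified SPF check: first matching term decides the result."""
    ip = ipaddress.ip_address(client_ip)
    for term in record.split()[1:]:              # skip the "v=spf1" tag
        qualifier = "+"                          # default qualifier is pass
        if term[0] in RESULTS:
            qualifier, term = term[0], term[1:]
        if term == "all":
            matched = True
        elif term.startswith(("ip4:", "ip6:")):
            matched = ip in ipaddress.ip_network(term[4:], strict=False)
        else:
            continue                             # DNS-based mechanisms are out of scope
        if matched:
            return RESULTS[qualifier]
    return "neutral"                             # nothing matched at all

def org_domain(domain):
    # Assumption: the last two labels stand in for the organizational domain;
    # a real implementation consults the Public Suffix List.
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def dmarc_via_spf(spf, mailfrom_domain, from_domain, strict=False):
    """SPF leg of DMARC: an SPF pass that is aligned with the From: domain."""
    if spf != "pass":
        return False
    if strict:
        return mailfrom_domain.lower() == from_domain.lower()
    return org_domain(mailfrom_domain) == org_domain(from_domain)

if __name__ == "__main__":
    for rec in RECORDS:
        listed = spf_result(rec, "192.0.2.10")       # inside the ip4 range
        unlisted = spf_result(rec, "198.51.100.7")   # falls through to "all"
        aligned = dmarc_via_spf(listed, "bounce.example.com", "example.com")
        print(f"{rec!r}: listed={listed} unlisted={unlisted} dmarc={aligned}")
```

Only the unlisted sender's result changes with the qualifier; the listed sender passes SPF and, when aligned, DMARC in all three cases with no DKIM involved.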


Re: [dmarc-ietf] DMARC implementation Question

2014-01-27 Thread Rolf E. Sonneveld

On 01/28/2014 12:45 AM, Franck Martin wrote:


> > From: "Rolf E. Sonneveld"
> > To: "George Moje", "dmarc@ietf.org"
> > Sent: Monday, January 27, 2014 3:04:13 PM
> > Subject: Re: [dmarc-ietf] DMARC implementation Question
> >
> > On 01/24/2014 02:18 PM, George Moje wrote:
> >
> > > Currently we are using SPF records but no DKIM.  Can we
> > > implement DMARC with just SPF records?
> >
> > according to par. 3.1.3 of the DMARC spec
> > (https://datatracker.ietf.org/doc/draft-kucherawy-dmarc-base)
> > DMARC assumes an author to set up and apply DKIM signing.
> >
> > Apart from that: be very careful when using only SPF in
> > combination with DMARC: please take into account that for DMARC
> > there's no difference between an SPF -all, ~all and ?all
> > situation. None of them provide a 'pass' for DMARC, if I read the
> > spec correctly.
>
> No,
>
> If the policy is p=none, DMARC should not override the SPF policy
> (especially for -all), DMARC with p=none, does not change the way the
> email is treated in regards of SPF or ADSP. If p!=none then DMARC
> tells the receiver to not action on the SPF policy and tell the
> receiver to ignore ADSP, as DMARC will now tell how to handle the email.


Please re-read my message. I didn't mention a 'DMARC pass', I 
mentioned the result of SPF as input to the DMARC decision process. In 
that regard, neither SPF -all, nor ~all nor ?all give an 'SPF pass' 
input to DMARC. In addition to that, if the DNS lookup for the SPF 
record fails, it's up to the receiver to decide to give a tmpfail or a 
permanent fail. That was the reason I said: be careful when applying the 
combination SPF + DMARC without DKIM, as it may result in rejection of 
valid mail (in case p!=none).




> However, regardless of the DMARC p=, DMARC takes the result of the SPF
> test (pass, softfail, fail,...) and if there is a pass, compare the
> domain used by SPF for its pass with the domain in the From:. If there
> is alignment then you have a DMARC pass. You don't need DKIM to have a
> DMARC pass.
>
> you need to do SPF and DKIM on all your emails for p!=none, because in
> some cases SPF is more suitable than DKIM and vice versa, so you want
> the benefit of both.


Right.

/rolf



Re: [dmarc-ietf] DMARC implementation Question

2014-01-27 Thread Roland Turner

On 01/24/2014 09:18 PM, George Moje wrote:

> Currently we are using SPF records but no DKIM.  Can we implement
> DMARC with just SPF records?




Absolutely, in fact publishing a DMARC p=none record is a worthwhile 
step ahead of implementing SPF or DKIM in that it allows you to discover 
quickly (and to monitor) whether you have serious issues with your 
deployment.


A more important question might be this: what are you aiming to achieve 
by implementing DMARC? If you've not implemented DKIM, you presumably 
don't have a spoofing problem at present.


- Roland


Re: [dmarc-ietf] DMARC implementation Question

2014-01-27 Thread Franck Martin
- Original Message -

> From: "Rolf E. Sonneveld" 
> To: "George Moje", "dmarc@ietf.org"
> Sent: Monday, January 27, 2014 3:04:13 PM
> Subject: Re: [dmarc-ietf] DMARC implementation Question

> On 01/24/2014 02:18 PM, George Moje wrote:

> > Currently we are using SPF records but no DKIM. Can we implement DMARC with
> > just SPF records?
> 

> according to par. 3.1.3 of the DMARC spec (
> https://datatracker.ietf.org/doc/draft-kucherawy-dmarc-base ) DMARC assumes
> an author to set up and apply DKIM signing.

> Apart from that: be very careful when using only SPF in combination with
> DMARC: please take into account that for DMARC there's no difference between
> an SPF -all, ~all and ?all situation. None of them provide a 'pass' for
> DMARC, if I read the spec correctly.

No, 

If the policy is p=none, DMARC should not override the SPF policy (especially 
for -all), DMARC with p=none, does not change the way the email is treated in 
regards of SPF or ADSP. If p!=none then DMARC tells the receiver to not action 
on the SPF policy and tell the receiver to ignore ADSP, as DMARC will now tell 
how to handle the email. 

However, regardless of the DMARC p=, DMARC takes the result of the SPF test 
(pass, softfail, fail,...) and if there is a pass, compare the domain used by 
SPF for its pass with the domain in the From:. If there is alignment then you 
have a DMARC pass. You don't need DKIM to have a DMARC pass. 

you need to do SPF and DKIM on all your emails for p!=none, because in some 
cases SPF is more suitable than DKIM and vice versa, so you want the benefit of 
both. 


Re: [dmarc-ietf] DMARC implementation Question

2014-01-27 Thread Rolf E. Sonneveld

On 01/24/2014 02:18 PM, George Moje wrote:


> Currently we are using SPF records but no DKIM.  Can we implement
> DMARC with just SPF records?




according to par. 3.1.3 of the DMARC spec 
(https://datatracker.ietf.org/doc/draft-kucherawy-dmarc-base) DMARC 
assumes an author to set up and apply DKIM signing.


Apart from that: be very careful when using only SPF in combination with 
DMARC: please take into account that for DMARC there's no difference 
between an SPF -all, ~all and ?all situation. None of them provide a 
'pass' for DMARC, if I read the spec correctly.


/rolf
