[dmarc-ietf] Multiple SPF in a single auth_results
I'm seeing a report where the XML contains two SPF records within a single auth_results entity. This doesn't seem correct. I found this thread: http://lists.dmarc.org/pipermail/dmarc-discuss/2016-April/003474.html and it says it's a bug, though, I'm a bit surprised (guess I probably shouldn't be) that this is still happening. Is there some part of the RFC that makes this appear like it's a legitimate report that could be misconstrued? Is this something that should perhaps be clarified? email.peacocktv.com pass bounce.email.peacocktv.com pass mta-218-134.sparkpostmail.com. none Thanks -- Alex Brotman Sr. Engineer, Anti-Abuse & Messaging Policy Comcast ___ dmarc mailing list dmarc@ietf.org https://www.ietf.org/mailman/listinfo/dmarc
Re: [dmarc-ietf] Multiple SPF in a single auth_results
Perhaps the first one is for the mail-from-domain and the other is for the EHLO host? Kind regards, Henning > -Original Message- > From: dmarc [mailto:dmarc-boun...@ietf.org] On Behalf Of Brotman, Alex > Sent: Montag, 14. Dezember 2020 16:35 > To: dmarc@ietf.org > Subject: [dmarc-ietf] Multiple SPF in a single auth_results > > I'm seeing a report where the XML contains two SPF records within a single > auth_results entity. This doesn't seem correct. I found this thread: > https://stack01.cloud.nospamproxy.com/link?id=BAgfpHeh4JGMq5wA > AABTUQz3QBhcskBhLXvN_sPByIkTUJ_191QbNMs1tjGZXePYW51PlsXJiHzgxa > 2k95gYKyEvascW0xCd7vkfXGIcW-SMik1X4yMySldQ- > qHoCA66NmA7TaPPuwEtF7ZPQYLlZqdD7I5R3KNSFh2RaMp6bqp2L8XhNLlAJK > uMYUKvKSh3RMIePwJj3aMWZVgoSUPgaHbNCkaiscGIUps1 and it says it's a > bug, though, I'm a bit surprised (guess I probably shouldn't be) that this is > still > happening. Is there some part of the RFC that makes this appear like it's a > legitimate report that could be misconstrued? Is this something that should > perhaps be clarified? > > > > email.peacocktv.com > pass > > > bounce.email.peacocktv.com > pass > > > mta-218-134.sparkpostmail.com. > none > > > > Thanks > > -- > Alex Brotman > Sr. Engineer, Anti-Abuse & Messaging Policy Comcast > > ___ > dmarc mailing list > dmarc@ietf.org > https://www.ietf.org/mailman/listinfo/dmarc ___ dmarc mailing list dmarc@ietf.org https://www.ietf.org/mailman/listinfo/dmarc
Re: [dmarc-ietf] Multiple SPF in a single auth_results
In article you write: >I'm seeing a report where the XML contains two SPF records within a single >auth_results entity. This doesn't seem correct. It's specifically allowed in the XML schema. In this case I'd guess it is checking the From header domain, the org domain, and the bounce address. I see that bounce.email.peacocktv.com is a CNAME for sparkpostmail.com so it's plausible. Checking all those things seems useless but that doesn't mean it's forbidden. R's, John > > >email.peacocktv.com >pass > > >bounce.email.peacocktv.com >pass > > >mta-218-134.sparkpostmail.com. >none > > ___ dmarc mailing list dmarc@ietf.org https://www.ietf.org/mailman/listinfo/dmarc
Re: [dmarc-ietf] Multiple SPF in a single auth_results
On Mon, Dec 14, 2020 at 11:10 AM Henning Krause wrote: > Perhaps the first one is for the mail-from-domain and the other is for > the EHLO host? > > > > -Original Message- > > From: dmarc [mailto:dmarc-boun...@ietf.org] On Behalf Of Brotman, Alex > > > > > > bounce.email.peacocktv.com > > pass > > > > > > mta-218-134.sparkpostmail.com. > > none > > > I would tend to agree with Herr Krause, based on what I remember about SparkPost's host naming convention and such. -- *Todd Herr* | Sr. Technical Program Manager *e:* todd.h...@valimail.com *p:* 703.220.4153 This email and all data transmitted with it contains confidential and/or proprietary information intended solely for the use of individual(s) authorized to receive it. If you are not an intended and authorized recipient you are hereby notified of any use, disclosure, copying or distribution of the information included in this transmission is prohibited and may be unlawful. Please immediately notify the sender by replying to this email and then delete it from your system. ___ dmarc mailing list dmarc@ietf.org https://www.ietf.org/mailman/listinfo/dmarc
Re: [dmarc-ietf] Multiple SPF in a single auth_results
On Mon 14/Dec/2020 20:17:37 +0100 John Levine wrote: In article you write: I'm seeing a report where the XML contains two SPF records within a single auth_results entity. This doesn't seem correct. It's specifically allowed in the XML schema. Yup: In this case I'd guess it is checking the From header domain, the org domain, and the bounce address. I see that bounce.email.peacocktv.com is a CNAME for sparkpostmail.com so it's plausible. One has to guess because the snippet misses the scope of the checked domains: In that sense, it is not correct. It should have been: email.peacocktv.com pass bounce.email.peacocktv.com mfrom pass mta-218-134.sparkpostmail.com. helo none Best Ale -- ___ dmarc mailing list dmarc@ietf.org https://www.ietf.org/mailman/listinfo/dmarc
