Re: [dmarc-ietf] Aggregate Reporting - "Not Evaluated" result

2022-10-20 Thread Douglas Foster
Although I said an evaluator could stop after SPF PASS, I don't think this is a significant concern. Savvy evaluators will understand that DKIM PASS is a higher-certainty result than SPF. I support requiring a compliant implementation to always evaluate DKIM signatures, regardless of SPF result.

[dmarc-ietf] Report data row should include HELO/EHLO name

2022-10-20 Thread Douglas Foster
We are missing an opportunity if we do not include the HELO name along with the IP address in the aggregate reports. I would also recommend asking for fcDNS status (confirmed, not confirmed, not tested). The report receiver could do the fcDNS check himself, but there is a possibility that the r

[dmarc-ietf] Various IDs in aggregate -06

2022-10-20 Thread Brotman, Alex
Folks, I started adding some text around the "Report-ID" format. I ran into a bit of a hurdle, and thought it best to get group feedback. We decided a while ago to add language that the "Report-ID", "msg-id", and "unique-id" were the same. In the thread a few weeks ago, it was suggested the

[dmarc-ietf] I-D Action: draft-ietf-dmarc-aggregate-reporting-06.txt

2022-10-20 Thread internet-drafts
A New Internet-Draft is available from the on-line Internet-Drafts directories. This draft is a work item of the Domain-based Message Authentication, Reporting & Conformance WG of the IETF. Title : DMARC Aggregate Reporting Author : Alex Brotman Filename

Re: [dmarc-ietf] Aggregate Reporting - "Not Evaluated" result

2022-10-20 Thread Brotman, Alex
I’ve been going back and forth on this a bit. On one side, I understand that we’d like to know when a receiving site does not evaluate both SPF and DKIM. I also am not sure I know of any (sizable?) site which short-circuits evaluation after SPF. Given how much time receivers talk about separa

Re: [dmarc-ietf] Aggregate Reporting - "Not Evaluated" result

2022-10-20 Thread Douglas Foster
My thinking has evolved during this discussion: We should reject Incomplete Results If an evaluator has decided to do incomplete evaluation, we have to consider the possibility that he may or may not collect enough information to enumerate what signatures were not evaluated. So a signature resul