On Jan 6, Murray S. Kucherawy confirmed fixing the reference for the SPF RFC from the now-obsolete 4408 to 7208 ("Fixed in -11").

However, -12 still has, in section "3.1. Identifier Alignment":

    For example, [DKIM] authenticates the domain that affixed a signature to the message, while [SPF] authenticates either the domain that appears in the RFC5321.MailFrom portion of [SMTP] or the RFC5321.EHLO/HELO domain if the RFC5321.MailFrom is null (in the case of Delivery Status Notifications).

Actually, RFC 7208 states that:

    Checking "HELO" before "MAIL FROM" is the RECOMMENDED sequence if both are checked.

... and implies that if the first check passes, the second is unnecessary:

    If a conclusive determination about the message can be made based on a check of "HELO", then the use of DNS resources to process the typically more complex "MAIL FROM" can be avoided.

So the RFC5321.EHLO/HELO domain is checked not only if the RFC5321.MailFrom is null; in fact, in cases where sites have followed the RFC 7208 recommendation, it will be checked first, at least by a "pure SPF" implementation.

This means, first of all, that the -12 text above needs fixing. But also, I'm struggling with what it means for alignment. I can think of some real-life cases where only one of HELO or MAIL FROM aligns with RFC5322.From, even though both would "pass" in a pure SPF check.

IMHO, Section "3.1.2. SPF-authenticated Identifiers" needs to be clarified to better take HELO into account. I'd like to see an approach similar to that for DKIM, where it is explicitly stated that:

    a single email can contain multiple DKIM signatures, and it is considered to be a DMARC "pass" if any DKIM signature is aligned and verifies.

Similarly, I think that for SPF, it should be considered a pass if either the MAIL FROM or the HELO is aligned and results in a pass at the SPF level.

But whether it is decided to take into account both HELO and MAIL FROM, or whether it is decided to ignore HELO (modulo its use to construct an artificial MAIL FROM if the latter is null), the text should IMHO make this clear one way or another, both in "3.1.2. SPF-authenticated Identifiers":

    In relaxed mode, the [SPF]-authenticated domain and RFC5322.From domain must have the same Organizational Domain. In strict mode, only an exact DNS domain match is considered to produce identifier alignment.

... and in "4.1. Authentication Mechanisms":

    o [SPF], which authenticates the domain found in an [SMTP] MAIL command when it is the authorized domain.

In both cases, the text should specifically mention HELO, and whether to include or exclude a HELO SPF result, in view of HELO's prominence in RFC 7208.

If it is decided to allow both HELO and MAIL FROM results to be passed back to DMARC, then in section "6.6.2. Determine Handling Policy", item 4 should be updated to reflect that as well.

Anne.

-- 
Ms. Anne Bennett, Senior Sysadmin, ENCS, Concordia University, Montreal H3G 1M8
a...@encs.concordia.ca                                    +1 514 848-2424 x2285

_______________________________________________
dmarc mailing list
dmarc@ietf.org
https://www.ietf.org/mailman/listinfo/dmarc
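The two readings of SPF alignment discussed in the post, modelled as an added example (editor's code, not from the post, the draft, or any DMARC implementation): one function applies the draft -12 wording (the authenticated identifier is MAIL FROM, with HELO used only when MAIL FROM is null), the other applies the proposal that a DMARC SPF pass results if either HELO or MAIL FROM passes SPF and aligns. Organizational Domain derivation uses a small constructed public-suffix table standing in for the real Public Suffix List, and the domains and SPF results in the sample cases are constructed, including a case where HELO aligns but the bounce-handling MAIL FROM does not.

```python
"""Model of DMARC identifier alignment for SPF under two readings.

Added example, not code from the mailing-list post or from any DMARC
implementation. The public-suffix table below is a constructed stand-in
for the real Public Suffix List (assumption).
"""

# Constructed public-suffix table (assumption; the real PSL is far larger).
PUBLIC_SUFFIXES = {"com", "ca", "org", "co.uk"}


def organizational_domain(domain: str) -> str:
    """Return the Organizational Domain: public suffix plus one more label."""
    labels = domain.lower().rstrip(".").split(".")
    # Scanning from the longest candidate suffix downward so that a
    # multi-label suffix such as "co.uk" wins over "uk".
    for i in range(len(labels)):
        suffix = ".".join(labels[i:])
        if suffix in PUBLIC_SUFFIXES:
            if i == 0:
                return suffix  # the domain itself is a public suffix
            return ".".join(labels[i - 1:])
    # Unknown TLD: fall back to treating the last label as the suffix.
    return ".".join(labels[-2:])


def aligned(auth_domain: str, from_domain: str, mode: str = "relaxed") -> bool:
    """Identifier alignment: strict = exact match, relaxed = same Org Domain."""
    a = auth_domain.lower().rstrip(".")
    f = from_domain.lower().rstrip(".")
    if mode == "strict":
        return a == f
    return organizational_domain(a) == organizational_domain(f)


def spf_pass_draft(helo, mailfrom, spf_helo, spf_mailfrom, from_domain,
                   mode="relaxed"):
    """Draft -12 reading: the SPF-authenticated identifier is MAIL FROM;
    HELO is consulted only when MAIL FROM is null (e.g. a DSN)."""
    if mailfrom:
        return spf_mailfrom == "pass" and aligned(mailfrom, from_domain, mode)
    return spf_helo == "pass" and aligned(helo, from_domain, mode)


def spf_pass_either(helo, mailfrom, spf_helo, spf_mailfrom, from_domain,
                    mode="relaxed"):
    """Post's proposal: DMARC SPF pass if either identifier both passes SPF
    and aligns, mirroring the rule for multiple DKIM signatures."""
    candidates = [(mailfrom, spf_mailfrom), (helo, spf_helo)]
    return any(dom and res == "pass" and aligned(dom, from_domain, mode)
               for dom, res in candidates)


def evaluate_cases():
    """Constructed sample cases; returns the verdict of each reading."""
    cases = {
        # Bulk sender: bounce-handling MAIL FROM in a separate domain passes
        # SPF but does not align; the HELO of the sending MTA does align.
        "bounce_domain": ("mta1.example.org", "bounces.esp-example.com",
                          "pass", "pass", "example.org", "relaxed"),
        # Delivery Status Notification: null MAIL FROM, HELO aligns.
        "dsn_null_mailfrom": ("mx.example.org", "", "pass", "none",
                              "example.org", "relaxed"),
        # Strict mode: HELO is a host under the From domain, so no exact match.
        "strict_helo_host": ("mta1.example.org", "bounces.esp-example.com",
                             "pass", "pass", "example.org", "strict"),
    }
    return {name: {"draft": spf_pass_draft(*args),
                   "either": spf_pass_either(*args)}
            for name, args in cases.items()}


if __name__ == "__main__":
    for name, verdict in evaluate_cases().items():
        print(f"{name:20} draft={verdict['draft']!s:5} either={verdict['either']}")
```

The "bounce_domain" case is the kind the post has in mind: both identifiers pass a pure SPF check, yet under the draft wording the message fails SPF alignment because only MAIL FROM is consulted, while under the either-identifier proposal it passes on the strength of the aligned HELO. In strict mode the two readings agree, because neither `mta1.example.org` nor the bounce domain is an exact match for the RFC5322.From domain.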