On 12/29/2014 7:26 AM, MH Michael Hammer (5304) wrote:
> It's still not quite right:
> 
> DMARC evaluation can only complete and yield a "pass" result when one
> of the underlying authentication mechanisms passes for an aligned
> identifier.  If this is not the case and either or both of them
> suffered some kind of temporary error (such as a transient DNS
> problem), the Receiver evaluating the message is also unable to
> conclude that the DMARC mechanism failed and thereby apply the
> advertised DMARC policy.  Rather, the Receiver can either skip DMARC
> processing for this message due to incomplete evaluation, or it can
> arrange to defer handling of the message in the hope that the
> temporary error will be resolved when the message is retried.  When
> otherwise appropriate due to DMARC policy, receivers MAY send
> feedback reports regarding temporary errors.
> 
> The problem is with:
> 
> "If this is not the case and either or both of them suffered some
> kind of temporary error (such as a transient DNS problem),...", 
> Specifically the use of "either or". If only one (SPF or DKIM) has a
> transient DNS error then presumably the other, which has not had an
> error, can be evaluated (resulting in a "pass" or "DMARC failure"). It
> only becomes an issue when BOTH SPF and DKIM have concurrent
> temporary errors.  I'm thinking that removing the "either or" is
> appropriate. I'm still cogitating on the rest of the paragraph.


Good catch.  This is complicated by there really being two conditions.

The first is the negative that neither method authenticates.  The second
is the affirmative that one of them failed with a temporary error.

So perhaps something like:

FROM:

> DMARC evaluation can only complete and yield a "pass" result when one
> of the underlying authentication mechanisms passes for an aligned
> identifier.  If this is not the case and either or both of them
> suffered some kind of temporary error (such as a transient DNS
> problem), the Receiver evaluating the message is also unable to
> conclude that the DMARC mechanism failed and thereby apply the
> advertised DMARC policy.


TO:

DMARC evaluation can only complete and yield a "pass" result when one
of the underlying authentication mechanisms passes for an aligned
identifier.  If neither passes and one or both of them failed due to a
temporary error, the Receiver evaluating the message is also unable to
conclude that the DMARC mechanism had a permanent failure and thereby
can apply the advertised DMARC policy.

d/
-- 
Dave Crocker
Brandenburg InternetWorking
bbiw.net

_______________________________________________
dmarc mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dmarc
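
The evaluation rule in the proposed TO text above, together with the skip-or-defer choice from the quoted paragraph, sketched as an added Python example; it is not part of the original message or taken from any DMARC implementation. The names `Auth`, `Dmarc`, `evaluate_dmarc`, `disposition` and the `defer_on_temperror` flag are assumptions made for illustration.

```python
from enum import Enum


class Auth(Enum):
    """Result of one underlying mechanism (SPF or DKIM)."""
    PASS = "pass"
    FAIL = "fail"
    TEMPERROR = "temperror"   # e.g. a transient DNS problem


class Dmarc(Enum):
    PASS = "pass"
    FAIL = "fail"             # permanent failure: advertised policy applies
    TEMPERROR = "temperror"   # evaluation incomplete: policy must not be applied


def evaluate_dmarc(spf, spf_aligned, dkim, dkim_aligned):
    """Combine SPF and DKIM results following the proposed TO wording."""
    # "pass" only when one mechanism passes for an aligned identifier.
    # A temporary error in the other mechanism does not matter here.
    if (spf is Auth.PASS and spf_aligned) or (dkim is Auth.PASS and dkim_aligned):
        return Dmarc.PASS
    # Neither passes and one or both failed due to a temporary error:
    # the Receiver cannot conclude a permanent failure.
    if Auth.TEMPERROR in (spf, dkim):
        return Dmarc.TEMPERROR
    return Dmarc.FAIL


def disposition(result, policy, defer_on_temperror=True):
    """Map a DMARC result and the advertised p= policy to a handling decision."""
    if result is Dmarc.PASS:
        return "accept"
    if result is Dmarc.TEMPERROR:
        # The Receiver either defers in the hope that the retry succeeds,
        # or skips DMARC processing for this message.
        return "defer" if defer_on_temperror else "skip-dmarc"
    return {"none": "accept", "quarantine": "quarantine", "reject": "reject"}[policy]


if __name__ == "__main__":
    # Constructed case: SPF hits a DNS timeout, aligned DKIM verifies.
    r = evaluate_dmarc(Auth.TEMPERROR, True, Auth.PASS, True)
    print(r.value, disposition(r, "reject"))
    # Constructed case: SPF hits a DNS timeout, DKIM fails outright.
    r = evaluate_dmarc(Auth.TEMPERROR, True, Auth.FAIL, True)
    print(r.value, disposition(r, "reject"))
```
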
