On December 29, 2014 3:15:26 PM EST, "MH Michael Hammer (5304)" <[email protected]> wrote:
>Still not quite correct...
>
>> -----Original Message-----
>> From: dmarc [mailto:[email protected]] On Behalf Of Dave Crocker
>> Sent: Monday, December 29, 2014 2:32 PM
>> To: Scott Kitterman; [email protected]
>> Subject: Re: [dmarc-ietf] Jim Fenton's review of -04
>>
>> On 12/29/2014 10:40 AM, Scott Kitterman wrote:
>> >> > TO:
>> >> >
>> >> > DMARC evaluation can only complete and yield a "pass" result when one of
>> >> > the underlying authentication mechanisms passes for an aligned identifier. If
>> >> > neither passes and one or both of them failed due to a
>> >> > temporary error, the Receiver evaluating the message is also unable to
>> >> > conclude that the DMARC mechanism had a permanent failure and thereby
>> >> > can apply the advertised DMARC policy.
>> >> >
>> >> >This looks good to me.
>> > Shouldn't it be cannot apply the advertised DMARC policy?
>>
>> Actually, no, but I also was confused. It took me some serious effort to
>> decide that the current wording was correct. And a spec should not require
>> that sort of linguistic diligence, IMO.
>>
>> Looks like a small change can make your form correct...
>>
>> So I suggest:
>>
>> DMARC evaluation can only yield a "pass" result after one of the
>> underlying authentication mechanisms passes for an aligned identifier. If
>> neither passes and one or both of them fails due to a temporary error, the
>> Receiver evaluating the message is unable to conclude that the DMARC
>> mechanism had a permanent failure; they therefore cannot (yet) apply the
>> advertised DMARC policy.
>>
>> d/
>> --
>
>If neither of them passes and only one of them fails due to a temporary
>error (but the other one does not fail due to a temporary error) then
>the other one should (must?, not in the normative sense) be an actual
>failure. Perhaps the wording should be: "If neither SPF nor DKIM pass
>and both of them fail due to temporary errors...". The case we seem to
>be discussing is where we have temporary failures for both SPF and
>DKIM.

No. As long as either of them has a temporary DNS error, then you can't apply DMARC policy.

>The other issue (more than a quibble) I have is leaving it at "; they
>therefore cannot (yet) apply the advertised DMARC policy." What should
>they do? I prefer to treat it as a tempfail and allow for retries. The
>problem with that approach is if the mail has been accepted for
>delivery. I don't like the idea of DSNs or out of band bounces.

I think the only two reasonable choices are defer and see what happens on retry or to treat it as DMARC none and press on with other checks.

Scott K

_______________________________________________
dmarc mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dmarc
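
The evaluation rule argued over in this thread, written out as an added Python example (not part of the original message and not taken from any DMARC implementation). It follows the reading that a temporary error on either mechanism blocks a permanent-failure conclusion. The two-label organizational domain, the `in_smtp_session` flag and the fallback to "none" once mail has already been accepted are assumptions made for illustration.

```python
from enum import Enum

class Auth(Enum):
    PASS = "pass"
    FAIL = "fail"
    TEMPERROR = "temperror"

def org_domain(domain):
    # Assumption: organizational domain = last two labels.
    # Real receivers derive it from a public suffix list.
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def aligned(auth_domain, from_domain, strict=False):
    a, f = auth_domain.lower().rstrip("."), from_domain.lower().rstrip(".")
    return a == f if strict else org_domain(a) == org_domain(f)

def dmarc_result(from_domain, spf, dkim):
    """spf and dkim are (Auth, authenticated_domain) tuples."""
    checks = [spf, dkim]
    # "pass" needs one mechanism to pass for an aligned identifier.
    if any(r is Auth.PASS and aligned(d, from_domain) for r, d in checks):
        return "pass"
    # Neither passed: a temporary error on either one means a permanent
    # failure cannot be concluded yet, so policy cannot be applied.
    if any(r is Auth.TEMPERROR for r, _ in checks):
        return "temperror"
    return "fail"

def disposition(result, policy, on_temperror="defer", in_smtp_session=True):
    """policy is the advertised p= value: none, quarantine or reject."""
    if result == "pass":
        return "deliver"
    if result == "temperror":
        # Choice 1: defer (SMTP 4xx) and re-evaluate on retry. Only
        # possible while the message has not been accepted yet.
        if on_temperror == "defer" and in_smtp_session:
            return "defer"
        # Choice 2: treat as DMARC none and press on with other checks.
        return "none"
    return policy  # permanent failure: apply the advertised policy

if __name__ == "__main__":
    # Constructed sample: SPF fails, DKIM lookup hits a temporary DNS error.
    r = dmarc_result("example.com", (Auth.FAIL, "example.com"),
                     (Auth.TEMPERROR, "mail.example.com"))
    print(r, disposition(r, "reject"))
```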
