On Tue, 20 Jan 2015 16:14:32 CST, Franck Martin <[email protected]> wrote:
> [...] > Your confusion on HELO is may be related to the fact that the > HELO string is only used when the MAIL-FROM: is empty? > > There is some text here: > http://trac.tools.ietf.org/html/rfc7208#section-10.1.3 > > The HELO string is not evaluated all the time, it is more like > a fall back. It's already been pointed out that http://trac.tools.ietf.org/html/rfc7208#section-2.3 RECOMMENDs checking the HELO string first; hence our confusion. It'a not difficult to imagine a HELO string that passes SPF but doesn't align with the RFC5322.From with a MAIL FROM domain that passes SPF *and* aligns, while the DKIM-Signature validates but doesn't align. An implementation of DMARC that follows the SPF recommendation will, as I understand it, produce [SPF:fail, DKIM:fail], despite the existence of an SPF-valid MAIL FROM domain that aligns with the RFC5322.From domain. It seems to be the consensus that this would be wrong, and that existing DMARC implementations don't behave that way. That's fine by me, but it needs to be said out loud that DMARC implementations MUST NOT (SHOULD NOT?) follow rfc7208#section-2.3's recommendation. > Also I have trouble to understand why you may be affected by > your OD? What is the relation between your domain and your OD? > I suspect this is concordia.ca? Yes, it's Concordia.ca. Some details: Concordia.ca is Concordia University, while encs.concordia.ca is just the Faculty of Engineering and Computer Science at Concordia, so it's appropriate that concordia.ca is the OD. They've delegated encs.concordia.ca to us, and we (ENCS staff) manage it ourselves, with minimal interaction. > If you look at the public suffix list, google has put a > separation at blogspot.com level, so that each hosting domain, > can be organizationally separated. > > https://publicsuffix.org/list/effective_tld_names.dat Are you saying that any owner of a registered domain can arrange to the suffix list on request, thereby allowing next-level subdomains to be elevated to ODs? If that's right, I'd certainly be keen on suggesting to our concordia.ca colleagues that they do us that favour. > I would suggest you publish a DMARC record in monitoring mode > (p=none) so that you get reports (and no impact) and better > understand your email infrastructure and what needs to be done. We'll certainly publish a DMARC record with p=none. Thanks, MJA _______________________________________________ dmarc mailing list [email protected] https://www.ietf.org/mailman/listinfo/dmarc
