On Thursday, January 22, 2015 17:41:46 Ned Freed wrote:
> > >DMARC leverages the Mail From identity, so I don't see how independent
> > >HELO checks can be relevant.
> >
> > If you look at sections 2.3 and 2.4 of RFC 7208, a reasonable
> > interpretation is that you check the HELO identity, and if you get a
> > "definitive policy" result, you're done and return that to the caller.
> >
> > So a message comes from host mail.provider.com with From:
> > [email protected]. The recipient host does an SPF check on
> > mail.provider.com, it passes, so SPF is done. DMARC sees that the SPF
> > domain isn't aligned so it ignores it, and DMARC says it's unaligned,
> > even though an SPF check of customer.com might have passed.
> >
> > I can't say whether this is a bug in 7208 or a fundamental flaw in
> > DMARC, but something is clearly wrong and this does not match what
> > running code does. As things are written now, I don't see any way to
> > demand that SPF look at the MAIL FROM if it likes the HELO.
> >
> > Fix 1: file an erratum on 7208 to say to switch the order, do the MAIL
> > FROM check first and only do the HELO check otherwise. This may match
> > some running code, I haven't looked.
> >
> > Fix 2: change 7208 to say that SPF can return multiple results. Ugh.
>
> Filing an erratum for purposes of documenting the issue is fine, but since
> this is a substantive change to the protocol it far exceeds the scope of
> what approval of an erratum is allowed to do. As such, I believe the best
> outcome you can get here would be "held for document update".

Please don't. There's no error to document. Order was explicitly discussed during SPFbis and is not there by accident. Just because someone working on an unrelated ISE draft thinks it should have been different doesn't create an error.

Scott K
_______________________________________________
dmarc mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dmarc
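
The mail.provider.com / customer.com scenario from the quoted text, modeled as an added example (not code from any participant in this thread or from an SPF or DMARC implementation). It compares a verifier that stops at a definitive HELO result with one that reports the MAIL FROM result, then applies relaxed DMARC alignment. All function names, the SPF outcome table, the set of results treated as "definitive", the customer.com MAIL FROM domain, and the two-label organizational-domain shortcut are assumptions.

```python
# Added illustration. SPF outcomes below are constructed; no DNS is queried.

# Assumption: results treated as a "definitive policy" result for HELO.
DEFINITIVE = {"pass", "fail"}

# Constructed SPF outcomes for the connecting IP, keyed by identity domain.
SPF_TABLE = {
    "mail.provider.com": "pass",
    "customer.com": "pass",
}

def check_host(domain):
    """Stand-in for an SPF evaluation, backed by the constructed table."""
    return SPF_TABLE.get(domain.lower(), "none")

def org_domain(domain):
    """Simplification: last two labels. Real DMARC uses a public suffix list."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def spf_helo_short_circuit(helo, mail_from_domain):
    """Check HELO first; if the result is definitive, return it and stop."""
    result = check_host(helo)
    if result in DEFINITIVE:
        return ("helo", helo, result)
    return ("mailfrom", mail_from_domain, check_host(mail_from_domain))

def spf_mail_from(mail_from_domain):
    """Report the MAIL FROM identity result regardless of HELO."""
    return ("mailfrom", mail_from_domain, check_host(mail_from_domain))

def dmarc_spf_aligned(spf_result, header_from_domain):
    """Relaxed alignment: SPF pass and matching organizational domains."""
    _identity, domain, result = spf_result
    return result == "pass" and org_domain(domain) == org_domain(header_from_domain)

def scenario():
    """Return (aligned with HELO short-circuit, aligned with MAIL FROM result)."""
    helo, mail_from, header_from = "mail.provider.com", "customer.com", "customer.com"
    short = spf_helo_short_circuit(helo, mail_from)
    full = spf_mail_from(mail_from)
    return dmarc_spf_aligned(short, header_from), dmarc_spf_aligned(full, header_from)

if __name__ == "__main__":
    print(scenario())
```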
