On Tuesday, January 26, 2021 6:54:56 AM EST Alessandro Vesely wrote:
> On Mon 25/Jan/2021 22:35:09 +0100 Scott Kitterman wrote:
> > On Monday, January 25, 2021 4:04:33 PM EST Todd Herr wrote:
> >> May I propose that the section labeled "SPF-Authenticated Identifiers" be
> >> rewritten as follows:
> >>
> >> [...]
> >>
> >> The reader should note that SPF alignment checks in DMARC rely solely
> >> on the RFC5321.MailFrom domain. This differs from section 2.3 of
> >> [@!RFC7208], which recommends that SPF checks be done on not only the
> >> "MAIL FROM" but also on a separate check of the "HELO" identity.
> >
> > I think this is fine, but there is a subtlety to be aware of.
> >
> > If you look at RFC 7208 Section 2.4, when Mail From is null,
> > postmaster@HELO is the mail from for SPF purposes. DMARC really can't
> > change that.
> >
> > As a result, there are cases where Mail From results actually are derived
> > from HELO and it's unavoidable.
>
> I doubt that SPF filters report envelope-from=postmaster@HELO; more likely
> they write helo=HELO. In that case, the paragraph quoted above is
> deceptive.
>
> > I believe the proposed text is clear enough about not using separate HELO
> > identity results and that's appropriate.
>
> My filter collects SPF results recorded from an upstream SPF filter. It
> writes Received-SPF: lines for each identity. For NDNs, it writes a
> Received-SPF: for the HELO identity only. Am I allowed to use that result
> for DMARC?

No. You should only use Mail From results.

Scott K
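
The selection rule from the reply above, as an added Python example that is not part of the original message or of any filter mentioned in the thread. It assumes the upstream filter writes the `identity` key defined in RFC 7208 section 9.1; the header values, domains and function names are constructed for illustration, and only strict alignment is checked.

```python
import re

def parse_received_spf(value):
    """Parse one Received-SPF field value (RFC 7208 section 9.1) into a dict."""
    value = re.sub(r"\([^()]*\)", " ", value)   # drop the (non-nested) comment
    result, _, rest = value.strip().partition(" ")
    fields = {"result": result.lower()}
    for pair in rest.split(";"):
        key, sep, val = pair.partition("=")
        if sep:
            fields[key.strip().lower()] = val.strip().strip('"').lower()
    return fields

def spf_for_dmarc(received_spf_values, from_domain):
    """Return (result, domain, dmarc_spf_pass) from the MAIL FROM result only.

    Returns None when no identity=mailfrom result was recorded, so a
    HELO-only result never becomes an SPF-authenticated identifier.
    """
    for value in received_spf_values:
        fields = parse_received_spf(value)
        if fields.get("identity") != "mailfrom":
            continue                            # separate HELO results are ignored
        domain = fields.get("envelope-from", "").rpartition("@")[2]
        # Strict alignment only; relaxed mode needs an organizational-domain lookup.
        dmarc_spf_pass = fields["result"] == "pass" and domain == from_domain.lower()
        return fields["result"], domain, dmarc_spf_pass
    return None

# Constructed sample: ordinary message, one header per identity.
NORMAL = [
    'pass (constructed) receiver=mx.example.org; client-ip=192.0.2.1; '
    'envelope-from="news@example.com"; helo=mta.example.com; identity=mailfrom',
    'pass (constructed) receiver=mx.example.org; client-ip=192.0.2.1; '
    'helo=mta.example.com; identity=helo',
]
# Constructed sample: NDN for which only the HELO identity was recorded.
NDN = [
    'pass (constructed) receiver=mx.example.org; client-ip=192.0.2.1; '
    'helo=mta.example.com; identity=helo',
]

if __name__ == "__main__":
    print(spf_for_dmarc(NORMAL, "example.com"))
    print(spf_for_dmarc(NDN, "mta.example.com"))
```

For the NDN sample the function returns `None`, which leaves DMARC to be evaluated on DKIM alone.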
