Re: [dmarc-ietf] Ticket #1 - SPF alignment

Wed, 27 Jan 2021 01:49:20 -0800 

On Tue 26/Jan/2021 23:36:19 +0100 Scott Kitterman wrote:

On Tuesday, January 26, 2021 11:47:51 AM EST Alessandro Vesely wrote:

On Tue 26/Jan/2021 14:14:45 +0100 Scott Kitterman wrote:

On Tuesday, January 26, 2021 6:54:56 AM EST Alessandro Vesely wrote:



I doubt that SPF filters report envelope-from=postmaster@HELO; more 
likely they write helo=HELO.  In that case, the paragraph quoted above

is deceptive. >>>>

I believe the proposed text is clear enough about not using
separate HELO identity results and that's appropriate. >>>>

My filter collects SPF results recorded from an upstream SPF filter.
It writes Received-SPF: lines for each identity.  For NDNs, it writes

a Received-SPF: for the HELO identity only.  Am I allowed to use that 
result for DMARC? >>>

No.  You should only use Mail From results.


So NDNs having only an aligned HELO will never pass DMARC?

And what is a <scope>helo</scope> element in aggregate reports provided for?

The spec says:

          [SPF] can authenticate either the domain that appears in the
    RFC5321.MailFrom (MAIL FROM) portion of [SMTP] or the RFC5321.EHLO/
    HELO domain, or both.

And then:

    In relaxed mode, the [SPF]-authenticated domain and RFC5322.From
    domain must have the same Organizational Domain.  In strict mode,
    only an exact DNS domain match is considered to produce Identifier
    Alignment.

So, consider the following message without DKIM signatures:

HELO example.org
MAIL FROM:<[email protected]>

Received-SPF: pass (domain example.org
   designates 192.0.2.1 as permitted sender)
   identity=helo; helo=example.org;
Received-SPF: fail (domain of [email protected]
   denies 192.0.2.1 as permitted sender)
   identity=mailfrom; envelope-from="[email protected]";
Subject: Not using a mail client for this example
From: [email protected]

Does it pass DMARC?


No.




Let's not be silly, Scott.  We have example.org as the SPF-authenticated domain 
and it is aligned with From:.  Are you saying that the message would pass if it 
had an empty bounce address, but since it can bounce it does not pass?!?



Best
Ale
--






















_______________________________________________
dmarc mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dmarc























					Reply via email to