On Tue 02/Feb/2021 18:49:08 +0100 John Levine wrote:
In article <[email protected]> you write:
My MTA adds an SPF clause in the A-R header whether or not there's a null
bounce address.
How can it report, say, fail for helo and pass for mfrom in just one clause?
It doesn't. It reports whatever the SPF library returns.
I'm fairly sure that every DMARC implementation uses an SPF library and uses
whatever the SPF library returns, so I don't see the point of this argument.
An SPF library implements the check_host() function. It's up to the client to
call it multiple times. Is that client DMARC-aware? As you may have guessed,
my question is intended to understand how a DMARC implementation actually
ascertains whether an "spf=pass helo=smtp.example.com" is enough to validate
"From: [email protected]".
OTOH, properly implemented SPF verifiers could skip producing a Mail From
result if the helo identity was verified successfully.
No, they could not. That's not what the SPF spec says.
Sorry, that's not what the DMARC spec says.
My point is that the DMARC spec says something inconsistent, namely that SPF
helo results are reliable but typically they are not.
Once again, what problem are we solving here? Can we stop now?
We can stop now and get back to it later. That idiosyncrasy is going to stay
there until we fix it. I'd suggest fixing it by accepting an aligned helo pass
unconditionally. However, it can also be fixed by an explanation, as long as
it is something more persuasive than "one can type anything at helo".
Best
Ale
--
_______________________________________________
dmarc mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dmarc
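
Added example, not part of the message above and not taken from any DMARC implementation: a sketch of how a consumer of the A-R header could tell which SPF identity each clause refers to before using a pass for DMARC. Assumptions: the RFC 8601 property names smtp.helo and smtp.mailfrom, strict (exact-match) alignment only, constructed sample headers, and the hypothetical parameters null_sender and accept_helo, where accept_helo models the change suggested in the message rather than the current spec.

```python
import re

# One spf clause: result, optional comment, then the identity that was checked.
# Property names smtp.helo / smtp.mailfrom are the RFC 8601 ones (assumption:
# the MTA writing the header uses them).
CLAUSE = re.compile(
    r"\bspf=(\w+)(?:\s+\([^)]*\))?\s+smtp\.(helo|mailfrom)=([^\s;]+)", re.I
)

def spf_clauses(ar_header):
    """Return [(result, identity, domain)] for every spf clause in the header."""
    out = []
    for result, ident, value in CLAUSE.findall(ar_header):
        # mailfrom carries a full address, helo a bare host name
        domain = value.rsplit("@", 1)[-1].lower().rstrip(".")
        out.append((result.lower(), ident.lower(), domain))
    return out

def dmarc_spf_pass(ar_header, from_domain, null_sender=False, accept_helo=False):
    """True if some spf clause yields an aligned pass usable for DMARC.

    Strict alignment only; relaxed alignment would need a public suffix list.
    null_sender and accept_helo are hypothetical parameters of this sketch.
    """
    from_domain = from_domain.lower()
    for result, ident, domain in spf_clauses(ar_header):
        if result != "pass" or domain != from_domain:
            continue
        if ident == "mailfrom":
            return True  # RFC 7489 evaluates the MAIL FROM identity
        # helo: stands in only for a null reverse-path, unless the
        # "accept an aligned helo pass" behaviour is switched on
        if null_sender or accept_helo:
            return True
    return False

# Constructed sample headers (host names and addresses are placeholders).
HELO_FAIL_MFROM_PASS = ("mx.example.net; spf=fail smtp.helo=smtp.example.com; "
                        "spf=pass smtp.mailfrom=user@example.com")
HELO_PASS_MFROM_FAIL = ("mx.example.net; spf=pass smtp.helo=example.com; "
                        "spf=fail smtp.mailfrom=bounce@other.example")
HELO_ONLY = "mx.example.net; spf=pass smtp.helo=example.com"

if __name__ == "__main__":
    for h in (HELO_FAIL_MFROM_PASS, HELO_PASS_MFROM_FAIL, HELO_ONLY):
        print(spf_clauses(h), dmarc_spf_pass(h, "example.com"))
```
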