Just to clarify:
On Wed 10/Feb/2021 05:19:38 +0100 Scott Kitterman wrote:
No one has demonstrated that if someone has implemented SPF (RFC 7208) without
worrying about DMARC that there are any associated problems for DMARC.
I think I did. OpenDMARC, for example, seems to read a single result, either
Authentication-Results: or Received-SPF:, assuming that it contains the mfrom
identity unless empty. Note that it has an option to disable SPF entirely,
presumably as a means to tackle non-DMARC oriented SPF filters.
Google apparently works similarly. Given a valid helo and a neutral mfrom, the
spf= clause of its (ARC-)Authentication-Results: only reports the latter. That
is to say, you need a non-RFC7208 compliant SPF filter to instruct DMARC.
On Tuesday, February 9, 2021 10:13:37 PM EST Douglas Foster wrote:
[...]
My interest is interoperability: We want recipient requirements and
sender compliance measures to align.
RFC 7208 says that recipients MAY want to use SPF HELO and SPF MAILFROM
together. An argument can be made that this is not necessary: SPF
MAILFROM shows that the server is authorized to send messages for the
specific domain in the MAILFROM, while SPF HELO says only that the server
is authorized to send messages for the server domain and an unknowable set
of other domains.
What unknowable set of other domains? If the server has an SPF record, it
presumably authorizes just its IP address(es).
Todd's assertion is that SPF HELO will cause an excessive number of false
positives.
I'd let Todd speak for himself, but I never saw that assertion. Todd said the
set of messages that would get a different DMARC status in case we linearize
the spec is immeasurable — which I believe is true, and a valid basis to carry
out the linearization without fear of disruption.
A second assumption is that no significant recipients are evaluating SPF
MAILFROM and SPF HELO together in a way that would be of interest to
senders. This may also be true, but I don't think this is something that
can be tested.
It makes no sense to require both values to pass simultaneously.
Linearization would be that *any* validated identifier, as long as it's
aligned, produces a DMARC pass.
Best
Ale
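To make the two readings discussed in this message concrete, here is an added example (not code from the thread, OpenDMARC, or Google) that evaluates the SPF leg of DMARC from an Authentication-Results header both ways. The function names and headers are constructed for illustration, and the alignment check is a simplified stand-in for relaxed alignment.

```python
import re

# One "spf=<result> ... smtp.<identity>=<value>" clause of an Authentication-Results header.
SPF_CLAUSE = re.compile(r"spf=(\w+)[^;]*?\bsmtp\.(helo|mailfrom)=([^\s;]+)", re.I)

def spf_results(header):
    """Return {identity: (result, domain)} for each spf= clause found."""
    found = {}
    for result, identity, value in SPF_CLAUSE.findall(header):
        domain = value.rsplit("@", 1)[-1].lower().rstrip(".")
        found[identity.lower()] = (result.lower(), domain)
    return found

def aligned(domain, from_domain):
    # Simplification (assumption): exact match or subdomain of the From: domain.
    # Real relaxed alignment compares organizational domains.
    from_domain = from_domain.lower()
    return domain == from_domain or domain.endswith("." + from_domain)

def dmarc_spf_single(header, from_domain):
    """Single-result reading: mfrom if reported, helo only when mfrom is absent."""
    results = spf_results(header)
    result, domain = results.get("mailfrom") or results.get("helo") or ("none", "")
    return "pass" if result == "pass" and aligned(domain, from_domain) else "fail"

def dmarc_spf_linearized(header, from_domain):
    """Linearized reading: any validated, aligned identity yields a pass."""
    hit = any(r == "pass" and aligned(d, from_domain)
              for r, d in spf_results(header).values())
    return "pass" if hit else "fail"

# Constructed headers: valid helo plus neutral mfrom, reported both ways.
BOTH = ("mx.example.net; spf=pass smtp.helo=mail.example.org; "
        "spf=neutral smtp.mailfrom=bounce@other.example")
MFROM_ONLY = "mx.example.net; spf=neutral smtp.mailfrom=bounce@other.example"
NULL_SENDER = "mx.example.net; spf=pass smtp.helo=mail.example.org"

if __name__ == "__main__":
    for name, hdr in (("both", BOTH), ("mfrom only", MFROM_ONLY),
                      ("null sender", NULL_SENDER)):
        print(name, dmarc_spf_single(hdr, "example.org"),
              dmarc_spf_linearized(hdr, "example.org"))
```

The MFROM_ONLY case fails under both readings: once the upstream filter reports only the mfrom result, the DMARC evaluator has no helo verdict to consider.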