No. Sigh. Let's try it again. Yes, one might actually use a HELO result for DMARC. It gives you the same result as if mail from is null. So what?
No one has given us a case where an attacker could get an aligned SPF result based on HELO that they couldn't also get with mail from, so it doesn't matter. By problem, I mean an actual problem. There aren't any.

Scott K

On February 10, 2021 9:49:46 AM UTC, Alessandro Vesely <[email protected]> wrote:
>Just to clarify:
>
>
>On Wed 10/Feb/2021 05:19:38 +0100 Scott Kitterman wrote:
>> No one has demonstrated that if someone has implemented SPF (RFC 7208) without
>> worrying about DMARC that there are any associated problems for DMARC.
>
>
>I think I did. OpenDMARC, for example, seems to read a single result, either
>Authentication-Results: or Received-SPF:, assuming that it contains the mfrom
>identity unless empty. Note that it has an option to disable SPF entirely,
>presumably as a means to tackle non-DMARC oriented SPF filters.
>
>Google apparently works similarly. Given a valid helo and a neutral mfrom, the
>spf= clause of its (ARC-)Authentication-Results: only reports the latter. That
>is to say, you need a non-RFC7208 compliant SPF filter to instruct DMARC.
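
The two ways of feeding SPF into DMARC discussed in this thread, as an added example that is not part of either message or of any implementation named in them: `helo_mode="null-mfrom"` consults the HELO result only when MAIL FROM is null, while `"always"` accepts an aligned pass on either identity. The class and function names, the two-label organizational-domain shortcut and the sample domains are assumptions made for illustration.

```python
from dataclasses import dataclass

@dataclass
class SpfResult:
    identity: str  # "mailfrom" or "helo"
    result: str    # SPF result: "pass", "neutral", "fail", "none", ...
    domain: str    # domain checked; "" models a null MAIL FROM (<>)

def org_domain(domain: str) -> str:
    # Assumption: organizational domain = last two labels. A real
    # evaluator needs the Public Suffix List for this step.
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def aligned(spf_domain: str, from_domain: str) -> bool:
    # Relaxed alignment: organizational domains must match.
    return org_domain(spf_domain) == org_domain(from_domain)

def dmarc_spf_pass(results, from_domain, helo_mode="null-mfrom"):
    """Return True if SPF contributes an aligned pass to DMARC.
    helo_mode "null-mfrom": HELO is consulted only when MAIL FROM is null.
    helo_mode "always":     an aligned pass on either identity counts."""
    by_id = {r.identity: r for r in results}
    mfrom, helo = by_id.get("mailfrom"), by_id.get("helo")
    if mfrom and mfrom.domain:
        candidates = [mfrom] + ([helo] if helo and helo_mode == "always" else [])
    else:
        candidates = [helo] if helo else []
    return any(c.result == "pass" and aligned(c.domain, from_domain)
               for c in candidates)

# Constructed sample inputs (not taken from real mail).
VALID_HELO_NEUTRAL_MFROM = [
    SpfResult("helo", "pass", "mx.example.com"),
    SpfResult("mailfrom", "neutral", "bounces.example.com"),
]
NULL_MFROM = [
    SpfResult("helo", "pass", "mx.example.com"),
    SpfResult("mailfrom", "none", ""),
]
UNALIGNED_HELO = [
    SpfResult("helo", "pass", "mx.sender.test"),
    SpfResult("mailfrom", "neutral", "bounces.example.com"),
]

if __name__ == "__main__":
    for res in (VALID_HELO_NEUTRAL_MFROM, NULL_MFROM, UNALIGNED_HELO):
        print([dmarc_spf_pass(res, "example.com", m) for m in ("null-mfrom", "always")])
```

Only the first sample, a valid helo with a neutral mfrom, gives a different answer between the two modes; with a null MAIL FROM or an unaligned HELO domain they agree.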
