On Thu, Jul 15, 2021 at 08:12:39AM -0400, post...@ptld.com wrote:

> Was SPF looking up records for raf.org or for cloud9.net? I see both of
> those domains have published SPF records so why was SPF "None"?
> Why did DMARC reject this even though it didn't fail either check?
Here's my attempt at an explanation:

SPF by itself would have checked the envelope address (owner-postfix-us...@postfix.org), but DMARC's reinterpretation of SPF is not the same as actual SPF. It checks the From: address (@raf.org) instead of the envelope address (@postfix.org). That's why the DMARC+SPF check failed (even though a plain SPF check (which didn't happen) would have passed). The From: address's SPF record did not include the IP addresses used by @postfix.org to send emails. [Actually, I have added them but that's just me being silly, and I'm assuming they weren't correctly in place at the time.]

Similarly, DMARC's reinterpretation of DKIM is not the same as actual DKIM. DMARC+DKIM requires that the DKIM d= domain matches the From: header. Plain DKIM by itself doesn't require that.

Someone on this list has implied that there needs to be both a DMARC+DKIM pass *and* a DMARC+SPF pass in order for DMARC to pass. Another (in this thread) has said that there only needs to be a DMARC+DKIM pass *or* a DMARC+SPF pass in order for DMARC to pass. I'm not sure which is correct (until I read the RFC myself).

Whichever is correct, that email resulted in a DMARC failure because there was a DMARC+SPF failure and no DKIM at all so that's a DMARC+DKIM failure. This is even though a plain SPF check would have passed, and a plain DKIM check would never have taken place (and so wouldn't pass or fail).

cheers,
raf
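The alignment logic discussed in the reply above, as an added example (not code from the thread or from any of its participants). It models the identifier-alignment rule of RFC 7489: SPF is still evaluated against the envelope (MAIL FROM) domain and DKIM against each signature's d= domain, and DMARC then asks whether a *passing* identifier aligns with the RFC5322.From domain; per RFC 7489 the message passes DMARC when at least one aligned identifier passes. The example goes slightly beyond the thread by covering both relaxed (`r`) and strict (`s`) alignment. The `org_domain` helper is a deliberate simplification (last two labels) and is an assumption; a real verifier uses the Public Suffix List. SPF and DKIM verdicts are assumed to come from a real verifier and are passed in as inputs.

```python
# Added example: a small model of DMARC identifier alignment (RFC 7489).
# Not the mailing-list author's code. The SPF/DKIM verdicts are assumed to
# come from a real verifier; this module only applies the alignment rules.


def org_domain(domain: str) -> str:
    """Approximate the organizational domain.

    Assumption: the organizational domain is the last two labels. A real
    implementation must consult the Public Suffix List (e.g. 'example.co.uk'
    would be mishandled here); this shortcut is for illustration only.
    """
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else labels[0]


def aligned(identifier_domain: str, from_domain: str, mode: str = "r") -> bool:
    """Identifier alignment: 's' (strict) needs an exact match,
    'r' (relaxed) needs the same organizational domain."""
    a = identifier_domain.lower().rstrip(".")
    b = from_domain.lower().rstrip(".")
    if mode == "s":
        return a == b
    return org_domain(a) == org_domain(b)


def dmarc_evaluate(from_domain, spf_result, spf_domain, dkim_results,
                   aspf="r", adkim="r"):
    """Combine SPF and DKIM verifier results into a DMARC verdict.

    from_domain:  the RFC5322.From domain
    spf_result:   'pass', 'fail', 'none', ... as evaluated for the MAIL FROM domain
    spf_domain:   the MAIL FROM domain that SPF was evaluated against
    dkim_results: list of (result, d_domain) pairs, one per DKIM-Signature
    aspf/adkim:   alignment modes from the DMARC record ('r' or 's')
    """
    spf_aligned = spf_result == "pass" and aligned(spf_domain, from_domain, aspf)
    dkim_aligned = any(res == "pass" and aligned(d, from_domain, adkim)
                       for res, d in dkim_results)
    return {
        "spf_aligned_pass": spf_aligned,
        "dkim_aligned_pass": dkim_aligned,
        # RFC 7489: one aligned passing identifier is enough for a DMARC pass.
        "dmarc": "pass" if (spf_aligned or dkim_aligned) else "fail",
    }


def thread_scenario():
    """The case described in the thread: From: is @raf.org, the envelope
    sender is the list's @postfix.org address (which passes plain SPF), and
    there is no DKIM signature at all."""
    return dmarc_evaluate(
        from_domain="raf.org",
        spf_result="pass",         # plain SPF on the MAIL FROM domain passes...
        spf_domain="postfix.org",  # ...but postfix.org does not align with raf.org
        dkim_results=[],           # no DKIM signature, so nothing can align
    )


if __name__ == "__main__":
    print(thread_scenario())
    # A surviving DKIM signature with d=raf.org would on its own make the
    # message pass DMARC, even though the SPF identifier stays unaligned:
    print(dmarc_evaluate("raf.org", "pass", "postfix.org", [("pass", "raf.org")]))
```

Running `thread_scenario()` reproduces the failure from the thread: plain SPF passes for postfix.org, but postfix.org is not aligned with raf.org and no DKIM identifier exists, so both aligned checks fail and the verdict is `fail`. The second call shows why a list that preserves (or re-adds) a valid signature with d= equal to the From: domain lets the message pass regardless of the envelope sender.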