On 16/11/2023 18:47, Matus UHLAR - fantomas wrote:
Keeping header From: and DKIM signatures is perfectly fine, if ML
does not modify the mail, which afaik is the default setting.
On 21.11.23 12:06, Noel Butler wrote:
This also depends on how you set DKIM's canonicalization
this is a (known) problem of DKIM and playing with DMARC will not solve it.
Anyone using simple/simple should have a DKIM fail and plenty use that
setting, prior to July this year - when I was using this address on
file with Federal Law Enforcement agencies for receiving shall we say
certain formal requests ;) I used fully strict with simple/simple - as
earlier posts on this list would show
I agree that DKIM designers messed this up quite a lot.
But again, we are here talking about DMARC.
I believe the issue lies in bad formulation of condition for fo:
1: Generate a DMARC failure report if any underlying
authentication mechanism produced something other than an
aligned "pass" result.
I've never had an fo=1 SPF failure report, because DKIM would pass,
Do you think the part of RFC has a different meaning than I described?
Or do people/SW simply ignore the "fo=1" setting when DKIM passes and don't
report unaligned SPF, thus ignore it?
...I understand this as SPF unaligned with header From: should be
reported for domain in header From:.
SPF should only check and report on envelope-sender/return-path, if
and only if that does not exist it should use the EHLO domain, it
should not care about From, last time I looked - a decade or so ago -
it never did, but let's try something...
"aligned" in the DMARC meaning that envelope from: and header from: is the
same. If it's not the same, it's called "unaligned".
Unaligned SPF is not important if the DKIM passes.
The problem I see is that with "fo=1" it should be reported, even if
everything is okay.
It makes sense to report missing/unaligned DKIM.
Then set fo=d :)
with "fo=d" SPF failure is not to be reported, only invalid DKIM.
with "fo=s" SPF failure is to be reported, not DKIM
with "fo=1" DKIM failure is reported, but also unaligned SPF pass.
Generally that means, that with "fo=1" not only failures, but even successes
would be reported, if the SPF is not aligned.
Perhaps this could be avoided by using "fo=d; fo=s;" in DMARC record, which
I'm not sure if correct (quick
Perhaps RFC 7489 needs clarification of what exactly needs to be reported
and what not.
--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Warning: I wish NOT to receive any advertising mail at this address.
You have the right to remain silent. Anything you say will be misquoted,
then used against you.
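
The fo cases discussed in this thread, as an added example that is not part of the original messages: it applies a literal reading of the RFC 7489 fo text to a list-forwarded message (DKIM aligned pass, SPF pass for the list's own envelope domain) and to one whose DKIM signature broke in transit. Assumptions: strict alignment (exact domain match), only an explicit "fail" result counts for d and s, fo is parsed as the colon-separated list RFC 7489 defines, and all domains and results are constructed.

```python
from dataclasses import dataclass

@dataclass
class AuthResult:
    method: str   # "spf" or "dkim"
    result: str   # "pass", "fail", "none", ...
    domain: str   # SPF: envelope-from domain; DKIM: d= domain

def parse_fo(record):
    """Return the set of fo options in a DMARC record (default is "0")."""
    for tag in record.split(";"):
        name, _, value = tag.partition("=")
        if name.strip().lower() == "fo":
            return {v.strip().lower() for v in value.split(":") if v.strip()}
    return {"0"}

def aligned_pass(r, header_from):
    # Assumption: strict alignment only; relaxed alignment would need
    # an organizational-domain lookup, which is out of scope here.
    return r.result == "pass" and r.domain.lower() == header_from.lower()

def report_reasons(fo, header_from, results):
    """List the fo options that call for a failure report (literal reading)."""
    passes = [aligned_pass(r, header_from) for r in results]
    reasons = []
    if "0" in fo and not any(passes):   # every mechanism lacks an aligned pass
        reasons.append("0")
    if "1" in fo and not all(passes):   # any mechanism lacks an aligned pass
        reasons.append("1")
    if "d" in fo and any(r.method == "dkim" and r.result == "fail" for r in results):
        reasons.append("d")             # DKIM failed, alignment ignored
    if "s" in fo and any(r.method == "spf" and r.result == "fail" for r in results):
        reasons.append("s")             # SPF failed, alignment ignored
    return reasons

# Constructed sample: list keeps From: and the DKIM signature, rewrites envelope sender.
HEADER_FROM = "example.org"
LIST_MAIL = [AuthResult("dkim", "pass", "example.org"),
             AuthResult("spf", "pass", "lists.example.net")]
# Constructed sample: same path, but the list modified the body and DKIM broke.
BROKEN_DKIM = [AuthResult("dkim", "fail", "example.org"),
               AuthResult("spf", "pass", "lists.example.net")]

if __name__ == "__main__":
    for rec in ("v=DMARC1; p=reject", "v=DMARC1; p=reject; fo=1",
                "v=DMARC1; p=reject; fo=d:s"):
        fo = parse_fo(rec)
        print(rec, "| list mail:", report_reasons(fo, HEADER_FROM, LIST_MAIL),
              "| broken DKIM:", report_reasons(fo, HEADER_FROM, BROKEN_DKIM))
```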