>The way I read the specification ....
>Either SPF or DKIM has to align, then the test passes.

This is right. But IMHO it makes no sense.

If either the SPF or the DKIM alignment fails - or either of the two ASSP SPF/DKIM checks fails - ASSP's DMARC check will fail. This is the current ASSP implementation.

>Final disposition of a message is always a matter of local policy.

Call it "the ASSP local policy" - both have to match/align.

Is there any good reason why a mail from a BAD sender (by the SPF record of the mail domain) should be considered to pass, if DKIM is OK?
or
Is there any good reason why a mail from a BAD sender (by the DKIM records of the mail domain) should be considered to pass, if SPF is OK?

The DMARC check in ASSP is an additional spam protection check based on the assumption that nobody who published an SPF record and DKIM records (_adsp) and a DMARC record will send mails which break these rules.

Even if our final blocking/pass rule is not 100% RFC-conformant - the DMARC reports are correct.

Let's see if this implementation will lead to false positives (blocked good mails). I think it will not, and currently I have not got a single related report from ~700 installations using the new code.

However - this issue is added to my watchlist.

Thomas


From: fr...@web.de
To: assp-test@lists.sourceforge.net
Date: 16.10.2018 13:28
Subject: Re: [Assp-test] DMARC Alignment

I think with the new version, DMARC alignment checks are still implemented wrong: Now I get a DMARC fail when there is an SPF entry that aligns and no DKIM signature.

The way I read the specification (and the way the dmarc module produces results) is: Either SPF or DKIM has to align, then the test passes. The dmarc module even passes the check if, for example, SPF passes and aligns and DKIM fails. But I'm not 100% sure if that's the correct way.

From: https://tools.ietf.org/html/rfc7489#section-6.6.2

5. Conduct Identifier Alignment checks. With authentication checks and policy discovery performed, the Mail Receiver checks to see if Authenticated Identifiers fall into alignment as described in Section 3.
If one or more of the Authenticated Identifiers align with the RFC5322.From domain, the message is considered to pass the DMARC mechanism check...

...

DMARC evaluation can only yield a "pass" result after one of the underlying authentication mechanisms passes for an aligned identifier...

...

Final disposition of a message is always a matter of local policy. An operator that wishes to favor DMARC policy over SPF policy, for example, will disregard the SPF policy, since enacting an SPF-determined rejection prevents evaluation of DKIM; DKIM might otherwise pass, satisfying the DMARC evaluation.

...


Sent: Wednesday, 03 October 2018 at 11:30
From: "Thomas Eckardt" <thomas.ecka...@thockar.com>
To: "ASSP development mailing list" <assp-test@lists.sourceforge.net>
Subject: Re: [Assp-test] DMARC Alignment

>Does ASSP actually check alignment when using DMARC?

Currently only for 'adkim'. The 'aspf' alignment check will be implemented in a later release.

>There also exists a DMARC module for Perl. One could probably use that (we're already using modules for DKIM and SPF, so why not).

DMARC has been implemented in ASSP V2 since 2012; the first trial version of Mail::DMARC was published in 2013. I don't have the time to rewrite the complete ASSP DMARC code only to use this module and maybe to have some small improvements (e.g. send reports using http). In the end, using this module would be problematic because it is unable to adopt authentication results from ARC signatures and other authentication headers.

Thomas


From: fr...@web.de
To: assp-test@lists.sourceforge.net
Date: 02.10.2018 12:34
Subject: [Assp-test] DMARC Alignment

Does ASSP actually check alignment when using DMARC?

I've sent a mail through ASSP with an obvious fake header "From:". The (header) domain has a DMARC entry, ASSP reports "DMARC pass". If this was checked like the specification asks us to, it should not pass.
I've looked inside the code shortly and did not find anything that points in the direction of alignment checking.

Is this a desired behaviour so we don't get too many false positives? If that's the case I think it would be nice to have an option for the user to enable alignment checks.

There also exists a DMARC module for Perl. One could probably use that (we're already using modules for DKIM and SPF, so why not).

_______________________________________________
Assp-test mailing list
Assp-test@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/assp-test

DISCLAIMER:
*******************************************************
This email and any files transmitted with it may be confidential, legally privileged and protected in law and are intended solely for the use of the individual to whom it is addressed.
This email was multiple times scanned for viruses. There should be no known virus in this email!
*******************************************************
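
The two evaluation rules debated in this thread, side by side, as an added example that is not part of the original messages and is not ASSP's or Mail::DMARC's code. The function names, the two-label `org_domain` shortcut and the sample cases are assumptions made for illustration.

```python
from typing import List, NamedTuple

class Auth(NamedTuple):
    result: str   # "pass", "fail", "none", ...
    domain: str   # SPF: RFC5321.MailFrom domain; DKIM: d= domain

def org_domain(domain: str) -> str:
    # Assumption: the last two labels stand in for the organizational domain.
    # A real receiver derives it from the Public Suffix List (RFC 7489, 3.2).
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def aligned(auth: Auth, from_domain: str, mode: str) -> bool:
    """True if the mechanism passed AND its domain aligns with RFC5322.From.
    mode is the aspf/adkim tag: 's' = strict (exact match), 'r' = relaxed."""
    if auth.result != "pass":
        return False
    a, f = auth.domain.lower().rstrip("."), from_domain.lower().rstrip(".")
    return a == f if mode == "s" else org_domain(a) == org_domain(f)

def dmarc_rfc7489(from_domain, spf: Auth, dkim: List[Auth], aspf="r", adkim="r") -> str:
    # RFC 7489 6.6.2 step 5: one aligned, passing identifier is enough.
    ok = aligned(spf, from_domain, aspf) or any(aligned(d, from_domain, adkim) for d in dkim)
    return "pass" if ok else "fail"

def dmarc_both_required(from_domain, spf: Auth, dkim: List[Auth], aspf="r", adkim="r") -> str:
    # Model of the stricter local policy described in the thread: SPF and DKIM
    # must both pass and align, so a message without a DKIM signature fails.
    ok = aligned(spf, from_domain, aspf) and any(aligned(d, from_domain, adkim) for d in dkim)
    return "pass" if ok else "fail"

# Constructed cases: (label, From domain, SPF result, DKIM results, aspf)
CASES = [
    ("aligned SPF, no DKIM signature", "example.com", Auth("pass", "mail.example.com"), [], "r"),
    ("aligned SPF, DKIM fails", "example.com", Auth("pass", "example.com"), [Auth("fail", "example.com")], "r"),
    ("forged From, unaligned SPF+DKIM pass", "example.com", Auth("pass", "example.net"), [Auth("pass", "example.net")], "r"),
    ("strict aspf, only DKIM aligns", "example.com", Auth("pass", "mail.example.com"), [Auth("pass", "example.com")], "s"),
    ("both pass and align", "example.com", Auth("pass", "example.com"), [Auth("pass", "example.com")], "r"),
]

def evaluate(cases=CASES):
    return [(label, dmarc_rfc7489(f, spf, dkim, aspf), dmarc_both_required(f, spf, dkim, aspf))
            for label, f, spf, dkim, aspf in cases]

if __name__ == "__main__":
    for label, rfc, strict in evaluate():
        print(f"{label:40} RFC 7489: {rfc:5} both-required: {strict}")
```

The first two cases are the ones where the rules diverge; the forged-From case fails under both because neither authenticated domain aligns with the header domain.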