On 7/7/12 12:54 PM, "Alan Maitland" <[email protected]> wrote:
>On 7/7/2012 12:42 PM, Franck Martin wrote:
>>
>> On Jul 7, 2012, at 11:09 AM, Alan Maitland wrote:
>>
>>>
>
>Franck,
>
>Thank you for the additional and helpful data on flow. I am really glad
>to have read your post and learned that I was incorrect.
>
>That being the case, then it seems that DMARC really does ride on other
>existing services like SPF rather than being a replacement. If so, then
>fantastic news.
>
>When someone on the list talked to not paying attention to valid SPF
>-all constructs, the alarm bells started going off. Sorry if I
>overreacted.
>
>If for no other reason than just isolation for testing and debugging
>purposes in environments employing other existing protocols, the p=none
>construct makes a whole lot of sense.

I need to be a bit more pedantic here :P

I spoke of SPF tests, not of SPF policy.

And this is the point we are discussing and which is unclear. Currently, as it is written, DMARC will override the SPF policy part, not the test.

Maybe an example:

Example.com TXT "v=spf1 a:200.200.200.200 -all"
_dmarc.example.com TXT "v=DMARC1; p=none"

And you receive an email from 100.100.100.100

Mail From:<[email protected]>
From: [email protected]
No DKIM signature

The SPF test fails. So DMARC does not even check the alignment with SPF.
p=none so DMARC passes the emails to other anti-spam filters.
The SPF -all has been overridden by DMARC.

However, if you do p=reject, then you get exactly the behavior of SPF -all.

Now, coming from the IP 200.200.200.200, the email

Mail From:<[email protected]>
From: [email protected]
No DKIM signature

SPF test passes, DMARC kicks in, but alignment is not assured, so the DMARC test fails.
p=none: the message is still passed to other anti-spam filters.

But if you had p=reject, this email, valid in the policy realm of SPF, would be rejected by DMARC.

This, I think, currently summarizes the dilemma for people using SPF -all.

They can't use monitor mode, and they need to ensure alignment to get the equivalent of SPF -all with DMARC.

Now, currently there are about 4 implementations of DMARC on the receiving side. I don't think any of these receiving sites have taken the SPF -all seriously so far. For instance, if you look at http://spamassassin.apache.org/tests_3_3_x.html they don't categorize the email as spam for a -all.

So I think practically today -all does not matter (a few test emails could verify it), but it is not a reason to not improve the spec if needed.

Personally, I think we could benefit from clarifying the spec, so that when p=none, people that take the SPF -all seriously could reject the message with a disposition of SPFALL, but I'm not sure it is practically needed, because I don't know who takes the SPF -all seriously and how large this population is.

Does anyone have information?

_______________________________________________
dmarc-discuss mailing list
[email protected]
http://www.dmarc.org/mailman/listinfo/dmarc-discuss

NOTE: Participating in this list means you agree to the DMARC Note Well terms (http://www.dmarc.org/note_well.html)
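The two cases described in the message above, modelled as an added example (not part of the original post and not taken from any DMARC implementation). It compares a receiver that enforces SPF -all on its own with one that applies only the DMARC policy. Assumptions: the sample domains are constructed (the addresses in the message are redacted), the second case uses a MAIL FROM domain different from the From: domain, the organizational domain is approximated by the last two labels, and only p=none and p=reject are modelled.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass
class Message:
    spf_result: str                    # SPF test outcome for the MAIL FROM domain: "pass" or "fail"
    mail_from_domain: str              # envelope sender domain (constructed sample value)
    header_from_domain: str            # domain in the From: header
    dkim_domain: Optional[str] = None  # d= of a valid DKIM signature, None if unsigned

def org_domain(domain: str) -> str:
    # Assumption: the last two labels stand in for the organizational domain.
    # A real receiver would consult the Public Suffix List here.
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def aligned(auth_domain: Optional[str], from_domain: str) -> bool:
    # Relaxed alignment: both names share one organizational domain.
    return auth_domain is not None and org_domain(auth_domain) == org_domain(from_domain)

def dmarc_test(msg: Message) -> str:
    # DMARC passes when SPF or DKIM both passes and aligns with the From: domain.
    spf_ok = msg.spf_result == "pass" and aligned(msg.mail_from_domain, msg.header_from_domain)
    dkim_ok = aligned(msg.dkim_domain, msg.header_from_domain)
    return "pass" if spf_ok or dkim_ok else "fail"

def spf_all_only(msg: Message) -> str:
    # Receiver that enforces the sender's -all and knows nothing of DMARC.
    return "reject" if msg.spf_result == "fail" else "accept"

def dmarc_disposition(msg: Message, policy: str) -> str:
    # Receiver that applies only the DMARC policy, as the message describes.
    if dmarc_test(msg) == "pass":
        return "accept"
    return "reject" if policy == "reject" else "other-filters"

def compare(msg: Message) -> dict:
    # Side-by-side outcome of the three receiver behaviours for one message.
    return {
        "spf_-all": spf_all_only(msg),
        "p=none": dmarc_disposition(msg, "none"),
        "p=reject": dmarc_disposition(msg, "reject"),
    }

# Constructed inputs for the two cases; the domains are assumptions.
CASE_1 = Message("fail", "example.com", "example.com")          # SPF test fails
CASE_2 = Message("pass", "bounces.mailer.test", "example.com")  # SPF passes, not aligned

if __name__ == "__main__":
    for name, msg in (("case 1", CASE_1), ("case 2", CASE_2)):
        print(name, compare(msg))
```

The outputs differ between the SPF -all column and the p=none column in the first case, and between SPF -all and p=reject in the second, which are the two divergences the message points out.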
