On 7/7/2012 3:05 PM, Franck Martin wrote:
On 7/7/12 12:54 PM, "Alan Maitland" <[email protected]> wrote:
On 7/7/2012 12:42 PM, Franck Martin wrote:
On Jul 7, 2012, at 11:09 AM, Alan Maitland wrote:
Franck,
Thank you for the additional and helpful data on flow. I am really glad
to have read your post and learned that I was incorrect.
That being the case, then it seems that DMARC really does ride on other
existing services like SPF rather than being a replacement. If so, then
fantastic news.
When someone on the list talked about not paying attention to valid SPF
-all constructs, the alarm bells started going off. Sorry if I
overreacted.
If for no other reason than just isolation for testing and debugging
purposes in environments employing other existing protocols, the p=none
construct makes a whole lot of sense.
I need to be a bit more pedantic here :P
I spoke of SPF tests, not of SPF policy
And this is the point we are discussing and which is unclear.
Currently as it is written, DMARC will override the SPF policy part, not
the test.
Maybe an example:
I really appreciate your willingness to take the time to create the
example, it helps a lot.
Example.com TXT "v=spf1 a:200.200.200.200 -all"
_dmarc.example.com TXT "v=DMARC1; p=none"
And you receive an email from 100.100.100.100
Mail From: <[email protected]>
From: [email protected]
No DKIM signature
The SPF test fails. So DMARC does not even check the alignment with SPF.
p=none so DMARC passes the emails to other anti-spam filters
The SPF -all has been overridden by DMARC
But why? In the case above, you have a really clear and obvious case of
an SPF publisher who specifically says "we operate example.com, if you
receive a message claiming to be from example.com (in the Mail From:)
from someplace other than 200.200.200.200, because I published a -all,
you can presume it is absolutely trash, so waste no more time on it".
Of course, it is entirely up to a receiver to decide what they will do
with a message which hard fails so obviously, but to simply pass it
along, knowing it has failed such a basic SPF test seems entirely wrong
and wasteful of downstream resources ("other anti-spam filters").
However, if you do p=reject, then you get exactly the same behavior as SPF -all.
How about something like p=rejectonfail which might act as a p=none if
there is no failure or a soft fail while acting as a p=reject if there
is indeed a failure?
Now, coming from the IP 200.200.200.200 the email
Mail From: <[email protected]>
From: [email protected]
No DKIM signature
The SPF test passes, DMARC kicks in, but alignment is not assured, so the
DMARC test fails.
p=none the message is still passed to other anti-spam filters
I'm not sure that I have any serious issue with this behavior, because
the legitimate message from my domain is at least being passed along for
delivery and presumably if it is not spam, it gets delivered.
That said, if the From: example.net email address is in the DMARC mix,
perhaps there should be something like a DNS TXT record like "v=spf1
include:example.com -all" in example.net's host file if you are going to
judge from the From: in some way...
But if you had p=reject, this email, valid in the policy realm of SPF, would
be rejected by DMARC.
I think that I can understand that, which is why I suggested something
like the p=rejectonfail idea.
This, I think, summarizes the current dilemma for people using SPF -all.
I may not be happy about it, but it makes sense to me now.
They can't use monitor mode, and they need to ensure alignment to get the
equivalent of SPF -all with DMARC.
Now, currently there are about 4 implementations of DMARC on the receiving
side. I don't think any of these receiving sites have taken the SPF -all
seriously so far.
For instance, if you look at
http://spamassassin.apache.org/tests_3_3_x.html they don't categorize the
email as spam for a -all.
Looked at that page, though I'm not quite sure how best to read it.
Really, the problem is that -all says nothing about the content of the
message (e.g., the worst spammers on the planet could publish perfectly
good SPF records), but it does indicate that the domain sending is
authorized to send from a specific machine or set of machines and not
from others representing themselves as MAIL FROM: [email protected].
So I think practically today -all does not matter (a few test emails could
verify it), but it is not a reason to not improve the spec if needed.
For those interested in domain name reputation protection, it does
matter and there are quite a few SPF DNS TXT publishers out there.
Personally, I think we could benefit from clarifying the spec, so that when
p=none, people who take the SPF -all seriously could reject the
message with a disposition of SPFALL, but I'm not sure it is practically
needed because I don't know who takes the SPF -all seriously and how
large this population is. Does anyone have information?
Agreed regarding the clarification on the spec. I can pretty much assure
you that any legitimate SPF publisher is very serious about SPF -all as
meaning: if it does not come from our published machines, it is not from
us, which is pretty much the driving reason for most domain holders who
publish an SPF DNS TXT record with the -all.
Perhaps my thought above might be useful in some way. Keep in mind, as
a legitimate SPF publisher, my goal is to stop all messages being sent
to others using domain names we hold which are being misused through
being associated with machines we do not control, thereby threatening
the reputation of the domain names we hold.
Again, Franck, thank you for your succinct and well presented example,
it really does make the discussion process much easier.
Best,
Alan
_______________________________________________
dmarc-discuss mailing list
[email protected]
http://www.dmarc.org/mailman/listinfo/dmarc-discuss
NOTE: Participating in this list means you agree to the DMARC Note Well terms
(http://www.dmarc.org/note_well.html)
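The three cases Franck walks through above (SPF hard fail under p=none, SPF pass with an unaligned From:, and the same message under p=reject) are easy to lose track of in prose. The following simulation is an added example, not code from either participant or from any DMARC implementation; it encodes the evaluation as the thread describes it. The DNS data is constructed: the example.com SPF and DMARC records are the ones from the thread, and a p=none record for example.net is assumed so that the unaligned From: example.net case has a policy to evaluate (DMARC looks up the policy of the header From: domain). The `rejectonfail` policy value and the `honor_spf_hardfail` switch model Alan's p=rejectonfail proposal and Franck's SPFALL disposition respectively; neither is part of DMARC.

```python
"""Added simulation of the DMARC / SPF interaction discussed in the thread.

All DNS data below is constructed for the example; see the lead-in.
"""
from dataclasses import dataclass
from typing import Dict, Optional, Set, Tuple


@dataclass
class Message:
    source_ip: str
    mail_from_domain: str               # RFC5321.MailFrom (envelope) domain
    header_from_domain: str             # RFC5322.From (header) domain
    dkim_domain: Optional[str] = None   # d= of a verified DKIM signature, if any


# "v=spf1 a:200.200.200.200 -all" reduced to (authorized IPs, qualifier of "all")
SPF_RECORDS: Dict[str, Tuple[Set[str], str]] = {
    "example.com": ({"200.200.200.200"}, "-"),
}
# "_dmarc.<domain> TXT v=DMARC1; p=..." reduced to the p= tag
DMARC_RECORDS: Dict[str, str] = {
    "example.com": "none",
    "example.net": "none",   # assumed, so the From: example.net case is evaluated
}

SPF_ALL_RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def spf_test(domain: str, ip: str) -> str:
    """The SPF *test*: is `ip` authorized by `domain`'s record? Returns the SPF result."""
    rec = SPF_RECORDS.get(domain)
    if rec is None:
        return "none"
    authorized_ips, all_qualifier = rec
    if ip in authorized_ips:
        return "pass"
    return SPF_ALL_RESULT[all_qualifier]


def dmarc_evaluate(msg: Message, policy_override: Optional[str] = None,
                   honor_spf_hardfail: bool = False) -> Tuple[str, str, str]:
    """Return (spf_result, dmarc_result, disposition).

    policy_override replaces the published p= tag so one message can be replayed
    under p=none / p=reject / the hypothetical p=rejectonfail from the thread.
    honor_spf_hardfail models a receiver that rejects on an SPF -all hard fail
    even under p=none (the 'SPFALL' disposition floated in the thread).
    """
    spf_result = spf_test(msg.mail_from_domain, msg.source_ip)
    # DMARC only counts the SPF result if the envelope domain aligns with From:
    spf_aligned = spf_result == "pass" and msg.mail_from_domain == msg.header_from_domain
    dkim_aligned = msg.dkim_domain is not None and msg.dkim_domain == msg.header_from_domain
    dmarc_result = "pass" if (spf_aligned or dkim_aligned) else "fail"

    # The policy applied is the one published by the header From: domain.
    policy = policy_override or DMARC_RECORDS.get(msg.header_from_domain)
    if policy is None:
        return spf_result, "none", "no-dmarc-policy"
    if dmarc_result == "pass":
        return spf_result, dmarc_result, "deliver"
    if policy == "reject":
        return spf_result, dmarc_result, "reject"
    if policy == "quarantine":
        return spf_result, dmarc_result, "quarantine"
    if policy == "rejectonfail" and spf_result == "fail":
        return spf_result, dmarc_result, "reject"
    if honor_spf_hardfail and spf_result == "fail":
        return spf_result, dmarc_result, "reject (SPFALL)"
    # p=none (or rejectonfail without an SPF hard fail): hand off to other filters
    return spf_result, dmarc_result, "pass-to-other-filters"


if __name__ == "__main__":
    spoofed = Message("100.100.100.100", "example.com", "example.com")    # Franck's first case
    unaligned = Message("200.200.200.200", "example.com", "example.net")  # Franck's second case
    aligned = Message("200.200.200.200", "example.com", "example.com")
    for label, msg in [("spoofed", spoofed), ("unaligned", unaligned), ("aligned", aligned)]:
        for policy in ("none", "reject", "rejectonfail"):
            print(f"{label:10} p={policy:12}", dmarc_evaluate(msg, policy_override=policy))
```

Running it prints the disposition matrix: the spoofed message is handed to other filters under p=none despite the -all, rejected under p=reject or p=rejectonfail; the unaligned but SPF-valid message is rejected under p=reject, yet survives p=rejectonfail, which is exactly the distinction the two proposals are trying to draw.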