Franck Martin <[email protected]> wrote:
>On 7/7/12 12:54 PM, "Alan Maitland" <[email protected]> wrote:
>
>>On 7/7/2012 12:42 PM, Franck Martin wrote:
>>>
>>> On Jul 7, 2012, at 11:09 AM, Alan Maitland wrote:
>>>
>>
>>Franck,
>>
>>Thank you for the additional and helpful data on flow. I am really glad
>>to have read your post and learned that I was incorrect.
>>
>>That being the case, then it seems that DMARC really does ride on other
>>existing services like SPF rather than being a replacement. If so, then
>>fantastic news.
>>
>>When someone on the list talked to not paying attention to valid SPF
>>-all constructs, the alarm bells started going off. Sorry if I
>>overreacted.
>>
>>If for no other reason than just isolation for testing and debugging
>>purposes in environments employing other existing protocols, the p=none
>>construct makes a whole lot of sense.
>
>I need to be a bit more pedantic here :P
>
>I spoke of SPF tests, not of SPF policy
>
>And this is the point we are discussing and which is unclear.
>
>Currently as it is written, DMARC will override the SPF policy part, not
>the test.
>
>May be an example:
>
>Example.com TXT "v=spf1 a:200.200.200.200 -all"
>_dmarc.example.com TXT "v=DMARC1; p=none"
>
>And you receive an email from 100.100.100.100
>
>Mail From:<[email protected]>
>From: [email protected]
>No DKIM signature
>
>The spf test fails. So DMARC does not even check the alignment with SPF.
>p=none so DMARC passes the emails to other anti-spam filters
>
>The SPF -all has been overridden by DMARC
>
>However if you do p=reject, then you get exactly the behavior as spf -all
>
>Now, coming from the IP 200.200.200.200 the email
>Mail From:<[email protected]>
>From: [email protected]
>No DKIM signature
>
>SPF tests passes, DMARC kicks in, but alignment is not assured, so DMARC
>test fails
>p=none the message is still passed to other anti-spam filters
>
>But if you had p=reject, this email valid in the policy realm of SPF would
>be rejected by DMARC
>
>This I think summarize currently the dilemma for people using spf -all
>
>They can't use monitor mode, and they need to ensure alignment to get the
>equivalent of spf -all with DMARC.
>
>Now, currently there are about 4 implementations of DMARC on the receiving
>side. I don't think any of these receiving sites have taken the SPF -all
>seriously so far.
>
>For instance, if you look at
>http://spamassassin.apache.org/tests_3_3_x.html they don't categorize the
>email as spam for a -all.
>
>So I think practically today -all does not matter (a few test emails could
>verify it), but it is not a reason to not improve the spec if needed.
>
>Personally, I think we could benefit in clarifying the spec, that when
>p=none for people that take the SPF -all seriously could reject the
>message with a disposition of SPFALL, but I'm not sure practically it is
>needed because I don't know who take the SPF -all seriously and to what
>extent is this population. Anyone has information?

I have distributed software that does this by default for half a decade. It's been downloaded by thousands of people in addition to being available in the package system for many Linux and BSD Unix distributions. No one has ever complained.

I know that lack of complaint isn't evidence of people not changing it, but as a counterpoint I can tell you that there have been some issues with some other choices I made (defer on temperror turns out to have more problems than I expected) and I guarantee you I heard about it.

I know large providers don't do reject on fail, but lots of small ones do.

Scott K
_______________________________________________
dmarc-discuss mailing list
[email protected]
http://www.dmarc.org/mailman/listinfo/dmarc-discuss

NOTE: Participating in this list means you agree to the DMARC Note Well terms (http://www.dmarc.org/note_well.html)
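The two deliveries walked through in the thread, as an added example that is not part of the original messages: a simplified receiver model that keeps the SPF test separate from the SPF `-all` policy and shows the disposition under `p=none` and `p=reject`. It assumes strict (exact-domain) alignment, and `bounce.example.net` is a hypothetical envelope domain standing in for the redacted addresses.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed data modelled on the thread: hosts each domain's SPF record
# authorizes before its "-all". bounce.example.net is hypothetical.
SPF_HOSTS = {
    "example.com": {"200.200.200.200"},
    "bounce.example.net": {"200.200.200.200"},
}

@dataclass
class Message:
    client_ip: str
    mail_from_domain: str                    # envelope MAIL FROM, checked by SPF
    header_from_domain: str                  # From: header, the DMARC identity
    dkim_pass_domain: Optional[str] = None   # d= of a verified signature, if any

def spf_test(msg: Message) -> str:
    """The SPF *test*: pass, fail (fell through to -all) or none (no record)."""
    hosts = SPF_HOSTS.get(msg.mail_from_domain)
    if hosts is None:
        return "none"
    return "pass" if msg.client_ip in hosts else "fail"

def dmarc_test(msg: Message) -> str:
    """Pass needs an SPF or DKIM pass whose domain equals the From: domain."""
    spf_aligned = (spf_test(msg) == "pass"
                   and msg.mail_from_domain == msg.header_from_domain)
    dkim_aligned = msg.dkim_pass_domain == msg.header_from_domain
    return "pass" if spf_aligned or dkim_aligned else "fail"

def disposition(msg: Message, dmarc_policy: str, honor_spf_all: bool) -> str:
    """Receiver decision; honor_spf_all=True models reject-on-SPF-fail sites."""
    if honor_spf_all and spf_test(msg) == "fail":
        return "reject (SPF -all)"
    if dmarc_test(msg) == "fail" and dmarc_policy == "reject":
        return "reject (DMARC)"
    return "pass to other filters"

# The thread's two deliveries, neither DKIM-signed.
UNAUTHORIZED_IP = Message("100.100.100.100", "example.com", "example.com")
UNALIGNED = Message("200.200.200.200", "bounce.example.net", "example.com")

if __name__ == "__main__":
    for name, msg in (("unauthorized IP", UNAUTHORIZED_IP), ("unaligned", UNALIGNED)):
        for policy in ("none", "reject"):
            for honor in (False, True):
                print(name, f"p={policy}", f"honor_spf_all={honor}",
                      "->", disposition(msg, policy, honor))
```

Only the first delivery changes outcome with `honor_spf_all`; the second is rejected solely by `p=reject`, because its SPF pass is for a domain that does not match the From: header.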
