Which software?

All knowledge is an answer to a question.

On Jul 7, 2012, at 8:13 PM, "Scott Kitterman" <[email protected]> wrote:

> Franck Martin <[email protected]> wrote:
>
>> On 7/7/12 12:54 PM, "Alan Maitland" <[email protected]> wrote:
>>
>>> On 7/7/2012 12:42 PM, Franck Martin wrote:
>>>>
>>>> On Jul 7, 2012, at 11:09 AM, Alan Maitland wrote:
>>>>
>>>
>>> Franck,
>>>
>>> Thank you for the additional and helpful data on flow. I am really glad
>>> to have read your post and learned that I was incorrect.
>>>
>>> That being the case, then it seems that DMARC really does ride on other
>>> existing services like SPF rather than being a replacement. If so, then
>>> fantastic news.
>>>
>>> When someone on the list talked to not paying attention to valid SPF
>>> -all constructs, the alarm bells started going off. Sorry if I
>>> overreacted.
>>>
>>> If for no other reason than just isolation for testing and debugging
>>> purposes in environments employing other existing protocols, the p=none
>>> construct makes a whole lot of sense.
>>
>> I need to be a bit more pedantic here :P
>>
>> I spoke of SPF tests, not of SPF policy
>>
>> And this is the point we are discussing and which is unclear.
>>
>> Currently as it is written, DMARC will override the SPF policy part, not
>> the test.
>>
>> Maybe an example:
>>
>> Example.com TXT "v=spf1 a:200.200.200.200 -all"
>> _dmarc.example.com TXT "v=DMARC1; p=none"
>>
>> And you receive an email from 100.100.100.100
>>
>> Mail From:<[email protected]>
>> From: [email protected]
>> No DKIM signature
>>
>> The SPF test fails. So DMARC does not even check the alignment with
>> SPF.
>> p=none so DMARC passes the emails to other anti-spam filters
>>
>> The SPF -all has been overridden by DMARC
>>
>> However if you do p=reject, then you get exactly the behavior as spf
>> -all
>>
>> Now, coming from the IP 200.200.200.200 the email
>> Mail From:<[email protected]>
>> From: [email protected]
>> No DKIM signature
>>
>> The SPF test passes, DMARC kicks in, but alignment is not assured, so
>> the DMARC test fails
>> p=none the message is still passed to other anti-spam filters
>>
>> But if you had p=reject, this email valid in the policy realm of SPF
>> would be rejected by DMARC
>>
>> This I think summarizes currently the dilemma for people using spf -all
>>
>> They can't use monitor mode, and they need to ensure alignment to get
>> the equivalent of spf -all with DMARC.
>>
>> Now, currently there are about 4 implementations of DMARC on the
>> receiving side. I don't think any of these receiving sites have taken
>> the SPF -all seriously so far.
>>
>> For instance, if you look at
>> http://spamassassin.apache.org/tests_3_3_x.html they don't categorize
>> the email as spam for a -all.
>>
>> So I think practically today -all does not matter (a few test emails
>> could verify it), but it is not a reason to not improve the spec if
>> needed.
>>
>> Personally, I think we could benefit in clarifying the spec, that when
>> p=none for people that take the SPF -all seriously could reject the
>> message with a disposition of SPFALL, but I'm not sure practically it
>> is needed because I don't know who takes the SPF -all seriously and to
>> what extent is this population. Does anyone have information?
>
> I have distributed software that does this by default for half a decade. It's
> been downloaded by thousands of people in addition to being available in the
> package system for many Linux and BSD Unix distributions. No one has ever
> complained.
>
> I know that lack of complaint isn't evidence of people not changing it, but
> as a counterpoint I can tell you that there have been some issues with some
> other choices I made (defer on temperror turns out to have more problems than
> I expected) and I guarantee you I heard about it.
>
> I know large providers don't do reject on fail, but lots of small ones do.
>
> Scott K
>
> _______________________________________________
> dmarc-discuss mailing list
> [email protected]
> http://www.dmarc.org/mailman/listinfo/dmarc-discuss
>
> NOTE: Participating in this list means you agree to the DMARC Note Well terms
> (http://www.dmarc.org/note_well.html)
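
The two scenarios quoted in this thread, worked through as an added example (not code from any poster or from a DMARC implementation). The envelope domain `bounce.example.net`, the `enforce_spf_fail` switch and the exact-match alignment rule are assumptions made for illustration; the sender addresses in the archived message are obscured, so the domains are constructed.

```python
from dataclasses import dataclass

# Constructed SPF data: permitted IPs per envelope domain, each ending in -all.
SPF_ALLOWED = {
    "example.com": {"200.200.200.200"},         # record quoted in the thread
    "bounce.example.net": {"200.200.200.200"},  # made-up unaligned domain
}

@dataclass
class Mail:
    client_ip: str
    mail_from_domain: str       # envelope sender domain, checked by SPF
    from_domain: str            # header From domain, checked by DMARC
    dkim_aligned: bool = False  # valid DKIM signature aligned with From

def spf_test(mail):
    """SPF test only (no policy action): pass, fail (-all) or none."""
    allowed = SPF_ALLOWED.get(mail.mail_from_domain.lower())
    if allowed is None:
        return "none"
    return "pass" if mail.client_ip in allowed else "fail"

def dmarc_test(mail):
    """Pass when SPF or DKIM passes and is aligned with the From domain.
    Alignment is simplified to an exact domain match (assumption)."""
    spf_aligned = (spf_test(mail) == "pass"
                   and mail.mail_from_domain.lower() == mail.from_domain.lower())
    return "pass" if spf_aligned or mail.dkim_aligned else "fail"

def disposition(mail, dmarc_policy, enforce_spf_fail=False):
    """enforce_spf_fail is a hypothetical receiver switch: reject on SPF
    fail (-all) before the DMARC policy is consulted."""
    if enforce_spf_fail and spf_test(mail) == "fail":
        return "reject (SPF -all)"
    if dmarc_test(mail) == "pass":
        return "accept"
    return {"none": "hand to other filters", "reject": "reject (DMARC)"}[dmarc_policy]

# Constructed messages matching the two scenarios in the thread.
FORGED = Mail("100.100.100.100", "example.com", "example.com")
UNALIGNED = Mail("200.200.200.200", "bounce.example.net", "example.com")

def matrix():
    return [(name, p, e, disposition(m, p, e))
            for name, m in (("forged", FORGED), ("unaligned", UNALIGNED))
            for p in ("none", "reject") for e in (False, True)]

if __name__ == "__main__":
    for row in matrix():
        print("%-9s p=%-6s enforce_spf_fail=%-5s -> %s" % row)
```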
