+1 for what MSK says. DMARC is really just evaluating the pass/fail returned from the SPF and DKIM checks and comparing against the RFC5322.From header to produce a pass or fail. DMARC really has no logic relating to the underlying auth protocols, other than specifying "alignment" for messages based on aforementioned header.
------------------------------ > > Message: 5 > Date: Tue, 19 Mar 2013 21:08:23 -0400 > From: Scott Kitterman <[email protected]> > To: "[email protected]" <[email protected]> > Subject: Re: [dmarc-discuss] SRS and Identifier Alignments > Message-ID: <[email protected]> > Content-Type: text/plain; charset=UTF-8 > > > > Murray Kucherawy <[email protected]> wrote: > > >On 3/19/13 4:33 PM, "Scott Kitterman" <[email protected]> wrote: > >>On Tuesday, March 19, 2013 06:21:34 PM [email protected] wrote: > >>> How should DMARC consider SPF Alignments when a message has been > >>>forwarded > >>> with SRS >from: <[email protected]> > >>> > >>> >return path: <[email protected]> > >If > >>> > >>> this wasn't SRS forwarded, this will normally be in Strict > >Alignment, > >>> since it's been forwarded with SRS, does that break the alignment or > >is > >>>it > >>> unwound to be in strict alignment again? > >> > >>It's not unwound, but it doesn't matter. If you consider SRS, unwind > >it, > >>and > >>use the original domain, SPF itself will fail, so you'll be aligned, > >but > >>with > >>SPF fail. No luck there. With SRS, you end up with SPF pass, but > >>unaligned. > >>No luck for DMARC there. > > > >The only thing I can think of is an SPF module that also evaluates SRS > >and, if SRS passes, reports that the SRS domain (the original) is the > >one > >SPF verified, and not the one in the MAIL FROM of the arriving message. > >There's experimental precedent for this kind of thing; see Section 6 of > >RFC6541. > > > >So it really depends on how your SPF/SRS (and DKIM) implementations > >report > >results to the DMARC implementation. > > Although if you trust the remote host enough to believe it's not lieing > about using SRS, you probably trust it enough not to worry about DMARC > verification. > > Scott K > > > ------------------------------ > > _______________________________________________ > dmarc-discuss mailing list > [email protected] > http://www.dmarc.org/mailman/listinfo/dmarc-discuss > > NOTE: Participating in this list means you agree to the DMARC Note Well > terms (http://www.dmarc.org/note_well.html) > > > > End of dmarc-discuss Digest, Vol 15, Issue 14 > ********************************************* > -- Regards Andy
_______________________________________________ dmarc-discuss mailing list [email protected] http://www.dmarc.org/mailman/listinfo/dmarc-discuss NOTE: Participating in this list means you agree to the DMARC Note Well terms (http://www.dmarc.org/note_well.html)
