Hello all. After learning about DMARC and reading the draft specification, I have some questions still lingering in my head:

--- Question 1: If I publish "v=spf1 a:mail.example.com -all" for my domain "example.com", for which I am not using DKIM signing, and then I also publish "v=DMARC1;p=reject" for my domain "example.com", and then I send an email without any DKIM signature with Header-From: [email protected] and ENVELOPE-FROM: [email protected], sent from my MTA at "mail.example.com", will that email be DMARC-authenticated?

My guess is YES. Am I correct? My guess is based on:

"A Mail Receiver MUST consider an arriving message to pass the DMARC test if and only if one or more of the underlying message authentication mechanisms pass with proper identifier alignment." (section 5)

and on:

"DMARC will not make a distinction between absence of DKIM signature and failed DKIM signature." (section 3.5)

--- Question 2: If I publish "v=spf1 a:mail.example.com ?all" for my domain "example.com", for which I am not using DKIM signing, and then I also publish "v=DMARC1;p=reject" for my domain "example.com", and then I send an email without any DKIM signature with Header-From: [email protected] and ENVELOPE-FROM: [email protected], sent from the MTA "mail.convoluted.com" (where "mail.convoluted.com" -> ip4:1.1.1.1 and where "mail.example.com" -> ip4:2.2.2.2), will that email be rejected as per DMARC-policy?

My guess is YES (which would mean DMARC-policy is overriding SPF-policy). Am I correct? My guess is based on:

"Message disposition requests via DMARC override those requested by any other public mechanism." (section 3.4, Requirement 7)

and on:

"DMARC-compliant Mail Receivers MUST disregard any mail directive discovered as part of an authentication mechanism (e.g., ADSP, SPF) where a DMARC policy is also discovered. {R7}" (section 7)

--- Question 3: The absence of a SPF resource record in DNS for a domain, would it mean SPF-mechanism-authentication fail in DMARC for all email sent from that domain?

--- Question 4: If domain "example.com" does not have a SPF resource record in DNS, and does not sign with DKIM its outgoing email, and then the domain owner publishes "v=DMARC1;p=reject" for his domain "example.com", will outgoing email without any DKIM signature with Header-From: [email protected] and ENVELOPE-FROM: [email protected] be rejected as per DMARC-policy?

My guess is YES. Am I correct? My guess here is based on wild speculation.

(Note: I know publishing a DMARC RR in DNS without having a previous SPF RR in DNS and/or DKIM signing on outgoing email is against recommended practice in the DMARC draft specification, but it's something which nonetheless could happen in the real world and I want to know the outcome in that scenario.)

---

After scouring the DMARC draft specification I could not find any conclusive answer to question 3 above. The closest I could find about that are these excerpts:

"Messages that purport to be from a Domain Owner's domain and arrive from servers that are not authorized by SPF and do not contain an appropriate DKIM signature can be affected by DMARC policies." (section 4.1)

"A Domain Owner that does not advertise an SPF policy or sign with DKIM is making an implicit statement that the use cases those protocols satisfy are not to be considered when determining whether or not the message under evaluation is valid. For example, not publishing an SPF policy is an implicit message from Domain Owners to Mail Receivers that successful path authorization is not to be taken as sufficient evidence that the Domain Owner authorized the message." (section 5)

Which I have a hard time parsing down to whether SPF-absence means SPF-mechanism-authentication fail in DMARC, or not.

---

Any help with answering those questions would be much appreciated.

Regards,
-J. Gomez

_______________________________________________
dmarc-discuss mailing list
[email protected]
http://www.dmarc.org/mailman/listinfo/dmarc-discuss

NOTE: Participating in this list means you agree to the DMARC Note Well terms (http://www.dmarc.org/note_well.html)
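
Added example (not part of the original message, nor code from the DMARC draft): a small Python model of the "if and only if" rule quoted from section 5, run over the four scenarios asked about, plus one extra unaligned case. It assumes the redacted Header-From and ENVELOPE-FROM addresses are all at example.com, and approximates the organizational domain as the last two labels instead of using a public suffix list; the names Message, aligned, dmarc_result and evaluate are hypothetical.

```python
from dataclasses import dataclass
from typing import Optional

def org_domain(domain: str) -> str:
    # Assumption: last two labels; a real receiver uses a public suffix list.
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def aligned(auth_domain: str, from_domain: str) -> bool:
    # Relaxed identifier alignment: same organizational domain.
    return org_domain(auth_domain) == org_domain(from_domain)

@dataclass
class Message:  # hypothetical container for the receiver's check results
    header_from: str                    # domain in Header-From
    envelope_from: str                  # domain SPF was evaluated for
    spf: str                            # SPF result: pass, fail, neutral, none, ...
    dkim: str = "none"                  # DKIM result; "none" when unsigned
    dkim_domain: Optional[str] = None   # d= of the signature, if any

def dmarc_result(msg: Message, policy: str) -> str:
    # Pass if and only if at least one mechanism passes AND is aligned.
    spf_ok = msg.spf == "pass" and aligned(msg.envelope_from, msg.header_from)
    dkim_ok = (msg.dkim == "pass" and msg.dkim_domain is not None
               and aligned(msg.dkim_domain, msg.header_from))
    # On failure, return the disposition the published policy requests.
    return "pass" if (spf_ok or dkim_ok) else policy

# Constructed inputs for the four questions (addresses assumed @example.com).
SCENARIOS = {
    "q1 sent from mail.example.com, -all": Message("example.com", "example.com", "pass"),
    "q2 sent from mail.convoluted.com, ?all": Message("example.com", "example.com", "neutral"),
    "q3/q4 no SPF record published": Message("example.com", "example.com", "none"),
    "extra: SPF pass, unaligned envelope": Message("example.com", "convoluted.com", "pass"),
}

def evaluate(policy: str = "reject") -> dict:
    return {name: dmarc_result(m, policy) for name, m in SCENARIOS.items()}

if __name__ == "__main__":
    for name, outcome in evaluate().items():
        print(f"{name}: {outcome}")
```

In this model only an SPF or DKIM result of "pass" counts, so "neutral" (the ?all case) and "none" (no SPF record) are treated the same as a failure for DMARC purposes.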
