J.,

1. Yes, you are correct.
2. Yes, you are correct...the message will be rejected.
3. Yes...if your envelope-from domain has no SPF record, that is considered an SPF-fail for DMARC purposes.
4. Yes, you are correct: all unsigned messages lacking an SPF record for the envelope-from domain will be rejected based on your DMARC record of "v=DMARC1;p=reject" UNLESS the receiving ISP decides to override your policy.

I hope this helps!

John Wilson

On Mon, Mar 25, 2013 at 4:38 PM, J. Gomez <[email protected]> wrote:

> Hello all.
>
> After learning about DMARC and reading the draft specification, I have
> some questions still lingering in my head:
>
> ---
>
> Question 1: If I publish "v=spf1 a:mail.example.com -all" for my domain
> "example.com", for which I am not using DKIM signing, and then I also
> publish "v=DMARC1;p=reject" for my domain "example.com", and then I send
> an email without any DKIM signature with Header-From: [email protected] and
> ENVELOPE-FROM: [email protected], sent from my MTA at "mail.example.com",
> will that email be DMARC-authenticated? My guess is YES. Am I correct?
>
> My guess is based on:
> "A Mail Receiver MUST consider an arriving message to pass the DMARC
> test if and only if one or more of the underlying message
> authentication mechanisms pass with proper identifier alignment."
> (section 5)
> and on:
> "DMARC will not make a distinction between absence of DKIM
> signature and failed DKIM signature." (section 3.5)
>
> ---
>
> Question 2: If I publish "v=spf1 a:mail.example.com ?all" for my domain
> "example.com", for which I am not using DKIM signing, and then I also
> publish "v=DMARC1;p=reject" for my domain "example.com", and then I send
> an email without any DKIM signature with Header-From: [email protected] and
> ENVELOPE-FROM: [email protected], sent from the MTA "mail.convoluted.com"
> (where "mail.convoluted.com" -> ip4:1.1.1.1 and where "mail.example.com"
> -> ip4:2.2.2.2), will that email be rejected as per DMARC-policy? My guess
> is YES (which would mean DMARC-policy is overriding SPF-policy). Am I
> correct?
>
> My guess is based on:
> "Message disposition requests via DMARC override those requested
> by any other public mechanism."
> (section 3.4, Requirement 7)
> and on:
> "DMARC-compliant Mail Receivers MUST disregard any mail directive
> discovered as part of an authentication mechanism (e.g., ADSP, SPF)
> where a DMARC policy is also discovered. {R7}" (section 7)
>
> ---
>
> Question 3: the absence of a SPF resource record in DNS for a domain,
> would it mean SPF-mechanism-authentication fail in DMARC for all email sent
> from that domain?
>
> ---
>
> Question 4: If domain "example.com" does not have a SPF resource record
> in DNS, and does not sign with DKIM its outgoing email, and then the domain
> owner publishes "v=DMARC1;p=reject" for his domain "example.com", will
> outgoing email without any DKIM signature with Header-From: [email protected]
> ENVELOPE-FROM: [email protected] be rejected as per DMARC-policy? My guess
> is YES. Am I correct?
>
> My guess here is based on wild speculation.
>
> (Note: I know publishing a DMARC RR in DNS without having a previous SPF
> RR in DNS and/or DKIM signing on outgoing email is against recommended
> practice in the DMARC draft specification, but it's something which
> nonetheless could happen in the real world and I want to know the outcome
> in that scenario.)
>
> ---
>
> After scouring the DMARC draft specification I could not find any
> conclusive answer to question 3 above. The closest I could find about that
> are these excerpts:
>
> "Messages that purport to be from a Domain Owner's
> domain and arrive from servers that are not authorized by SPF and do
> not contain an appropriate DKIM signature can be affected by DMARC
> policies." (section 4.1)
>
> "A Domain Owner that does not advertise an SPF policy or sign with
> DKIM is making an implicit statement that the use cases those
> protocols satisfy are not to be considered when determining whether
> or not the message under evaluation is valid. For example, not
> publishing an SPF policy is an implicit message from Domain Owners to
> Mail Receivers that successful path authorization is not to be taken
> as sufficient evidence that the Domain Owner authorized the message."
> (section 5)
>
> Which I have a hard time parsing down to whether SPF-absence means
> SPF-mechanism-authentication fail in DMARC, or not.
>
> ---
>
> Any help with answering those questions would be much appreciated.
>
>
> Regards,
>
> -J. Gomez
>
>
> _______________________________________________
> dmarc-discuss mailing list
> [email protected]
> http://www.dmarc.org/mailman/listinfo/dmarc-discuss
>
> NOTE: Participating in this list means you agree to the DMARC Note Well
> terms (http://www.dmarc.org/note_well.html)
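
The scenarios from questions 1, 2 and 4 of this thread, worked through as an added example that is not part of the original messages. It assumes strict identifier alignment only, a tiny SPF subset (`a:`, `ip4:`, `all`), a constructed sender address `user@example.com`, and hypothetical function names; it is not a full SPF or DMARC implementation.

```python
# Added example. DNS data is taken from question 2 of the thread; the rest is constructed.
DNS_A = {"mail.example.com": "2.2.2.2", "mail.convoluted.com": "1.1.1.1"}
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def spf_check(record, client_ip):
    """Evaluate a small SPF subset: 'a:<host>', 'ip4:<addr>' and 'all' only."""
    if record is None:
        return "none"                      # no SPF record published (questions 3 and 4)
    for term in record.split()[1:]:        # skip the "v=spf1" version tag
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        if term == "all":
            matched = True
        elif term.startswith("a:"):
            matched = DNS_A.get(term[2:]) == client_ip
        elif term.startswith("ip4:"):
            matched = term[4:] == client_ip
        else:
            return "permerror"             # mechanism not handled by this sketch
        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"                       # nothing matched and no 'all' term


def domain_of(address):
    return address.rsplit("@", 1)[-1].lower()


def dmarc_evaluate(header_from, envelope_from, client_ip, spf_records,
                   dkim_pass_domains=(), policy="reject"):
    """Return (dmarc_result, requested_disposition, spf_result)."""
    author = domain_of(header_from)
    spf_domain = domain_of(envelope_from)
    spf_result = spf_check(spf_records.get(spf_domain), client_ip)
    # Only an SPF "pass" counts; neutral, fail and none are all non-passes to DMARC.
    spf_aligned = spf_result == "pass" and spf_domain == author
    # A missing DKIM signature and a failed one look the same: no passing domain.
    dkim_aligned = any(d.lower() == author for d in dkim_pass_domains)
    if spf_aligned or dkim_aligned:
        return "pass", "none", spf_result
    return "fail", policy, spf_result      # the receiver may still override locally


def thread_scenarios():
    sender = "user@example.com"            # constructed address
    q1 = {"example.com": "v=spf1 a:mail.example.com -all"}
    q2 = {"example.com": "v=spf1 a:mail.example.com ?all"}
    return {"q1": dmarc_evaluate(sender, sender, "2.2.2.2", q1),
            "q2": dmarc_evaluate(sender, sender, "1.1.1.1", q2),
            "q4": dmarc_evaluate(sender, sender, "2.2.2.2", {})}
```

In question 2 the SPF result is only `neutral`, yet the requested disposition is still `reject`: the DMARC policy decides, not the SPF `?all` qualifier.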
