On Sunday, March 31, 2013 1:38 AM [GMT+1=CET], Alan Maitland wrote:

> Specifically, has the following case been decided as the currently
> understood correct behavior for DMARC?
>
> Case of SPF "v=spf1 -all"
> 1) A domain owner publishes a "v=spf1 -all" DNS TXT RR for their
> domain (indicating that their domain should absolutely never send
> email).
> 2) Then an MTA sender purports that the domain is sending
> messages (because the sender issues a message envelope MAIL FROM:
> header claiming to be the domain name claiming not to be a sender).
> 3) The receiver then presumes it to be 100% spam (at least apparently
> as far as the domain holder is concerned) and will not deliver the
> message to the RCPT TO: - even when the DMARC p=reject is set.
>
> Again, if yes, fantastic. Because it is entirely reasonable to believe
> if there was ever a time to trust what a domain holder says, it is
> when they say "drop all messages from this domain, because if you ever do
> get messages from this domain while our published SPF record for this
> domain reflects 'v=spf1 -all', those messages are 100% bogus and should never
> get delivered to their target RCPT TO recipients.".

Well, according to the current draft specification of DMARC, you need a fail BOTH in the SPF mechanism and in the DKIM mechanism to get a DMARC-fail result.

So if you publish "v=spf1 -all" in your SPF DNS RR for your domain "example.com" but then you do send email with RFC5321.MailFrom of [email protected] and an RFC5322.From header of [email protected] with a valid DKIM signature which is in alignment with the RFC5322.From header, that email deserves a DMARC-pass. Period.

However, DMARC is in a layer above SPF and DKIM. I would expect that the SPF processing itself, before the DMARC processing even kicks in, would reject that message. But then again, that would be site specific I guess: some sites may implement SPF only inside the DMARC processing realm, and some sites may implement full SPF checking by itself first and then do DMARC processing with whatever survives the SPF checking.

Regards,

J. Gomez
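
The two receiver behaviours described in the reply above, sketched as an added example that is not part of the original thread and not taken from any DMARC implementation. The `Message` fields, function names and sample messages are hypothetical; SPF and DKIM results are supplied as inputs rather than computed from DNS, and alignment is simplified to an exact domain match.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass
class Message:
    mail_from_domain: str        # RFC5321.MailFrom domain
    header_from_domain: str      # RFC5322.From domain
    spf_result: str              # "pass", "fail", ... for mail_from_domain
    dkim_result: str             # "pass", "fail" or "none"
    dkim_d: Optional[str] = None # d= domain of the DKIM signature, if any

def aligned(identifier: Optional[str], header_from: str) -> bool:
    # Assumption: strict alignment only. Relaxed alignment compares
    # organizational domains and needs a public suffix list.
    return identifier is not None and identifier.lower() == header_from.lower()

def dmarc_result(msg: Message) -> str:
    # DMARC passes if EITHER mechanism passes with alignment,
    # so it fails only when both SPF and DKIM fail to do so.
    spf_ok = msg.spf_result == "pass" and aligned(msg.mail_from_domain, msg.header_from_domain)
    dkim_ok = msg.dkim_result == "pass" and aligned(msg.dkim_d, msg.header_from_domain)
    return "pass" if (spf_ok or dkim_ok) else "fail"

def disposition(msg: Message, dmarc_policy: str, spf_enforced_first: bool) -> str:
    # Site-specific layer: standalone SPF enforcement acts on a hard
    # fail before DMARC processing ever sees the message.
    if spf_enforced_first and msg.spf_result == "fail":
        return "reject (SPF)"
    if dmarc_result(msg) == "fail" and dmarc_policy == "reject":
        return "reject (DMARC)"
    return "deliver"

# Constructed samples for a domain publishing "v=spf1 -all".
SIGNED = Message("example.com", "example.com", "fail", "pass", "example.com")
SPOOFED = Message("example.com", "example.com", "fail", "none")

if __name__ == "__main__":
    for name, msg in (("signed", SIGNED), ("spoofed", SPOOFED)):
        for spf_first in (True, False):
            print(name, "spf_first=%s" % spf_first,
                  disposition(msg, "reject", spf_first))
```

With SPF evaluated only inside DMARC, delivery of the unsigned message depends entirely on the published DMARC policy: under `p=none` the "v=spf1 -all" record alone does not stop it.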
