On Sunday, March 31, 2013 11:45 PM [GMT+1=CET], Steve Atkins wrote:

> On Mar 31, 2013, at 2:32 PM, "J. Gomez" <[email protected]> wrote:
>
> > My suggestion of a "SoftFail" result for DMARC would happen when both SPF-by-itself passed AND DKIM-by-itself passed, AND when neither is aligned with the RFC5322.From header organizational domain. This suggested DMARC "SoftFail" would only be searched for by the receiver if a DMARC "Fail" has previously been found, i.e. if a DMARC "Pass" has previously been found then all DMARC processing (including searching for this suggested DMARC "SoftFail" condition) should end. Also, this suggested DMARC "SoftFail" processing would only take place if the suggested optional second policy for DMARC has been explicitly declared by the domain owner AND is different from the mandatory DMARC first policy. This suggested DMARC "SoftFail" result is to accommodate mailing lists in the DMARC specification.
> >
> > (Additionally, it would be interesting to require that in this suggested "SoftFail" result for DMARC, the RFC5322.From header had to be part of the DKIM-signed headers in the email, even if its organizational domain was not aligned with the "d=" domain in the DKIM signature.)
> >
> > Obviously, to get SPF-by-itself to pass AND DKIM-by-itself to pass, DNS records for both have to be fine and dandy. So I don't understand your comments about DNS being screwed up.
> >
> > Regards,
>
> The main point of DMARC is to make decisions based on the content of the From: header. If you're not looking at the From header, you're outside the scope of DMARC.
>
> As far as defending against hostile attackers is concerned you've raised the bar solely to requiring them to have a domain name, or having access to a smarthost with a domain name. That's a low enough bar as to be pretty much useless.
Well, if you would think it was useless, then you would not opt into the optional second policy for SoftFail and stay with the default of only declaring the mandatory first policy for Fail in DMARC. This way, you are not lowering any bar whatsoever, if you feel you have no need to do it.

Regards,
J. Gomez

_______________________________________________
dmarc-discuss mailing list
[email protected]
http://www.dmarc.org/mailman/listinfo/dmarc-discuss
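To make the proposed evaluation order concrete, here is an added Python sketch of the receiver-side logic as J. Gomez describes it (this is illustrative code written for this page, not code from the thread participants or from any DMARC implementation). It assumes a hypothetical second policy field `sp2`, and it derives the organizational domain by taking the last two labels, which is a simplification of the Public Suffix List lookup a real verifier would use.

```python
from dataclasses import dataclass
from typing import Optional, Tuple


def org_domain(domain: str) -> str:
    """Simplified organizational domain: last two labels (assumption;
    a real implementation consults the Public Suffix List)."""
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def aligned(candidate: str, from_domain: str) -> bool:
    """Relaxed alignment: organizational domains must match."""
    return org_domain(candidate) == org_domain(from_domain)


@dataclass
class Message:
    from_domain: str              # domain of the RFC5322.From header
    spf_result: str               # result of SPF by itself ("pass", "fail", ...)
    spf_domain: str               # domain SPF was evaluated against
    dkim_result: str              # result of DKIM by itself
    dkim_d: str                   # "d=" domain of the DKIM signature
    dkim_signed_headers: Tuple[str, ...]  # header names listed in "h="


@dataclass
class Policy:
    p: str                        # mandatory first policy, e.g. "reject"
    sp2: Optional[str] = None     # hypothetical optional second policy


def evaluate(msg: Message, policy: Policy) -> Tuple[str, Optional[str]]:
    """Return (result, policy to apply). Standard DMARC pass/fail first;
    the proposed SoftFail is searched for only after a Fail."""
    spf_ok = msg.spf_result == "pass"
    dkim_ok = msg.dkim_result == "pass"
    if (spf_ok and aligned(msg.spf_domain, msg.from_domain)) or \
       (dkim_ok and aligned(msg.dkim_d, msg.from_domain)):
        return ("pass", None)          # all further processing ends here
    # DMARC Fail: look for the proposed SoftFail only if a second policy
    # was explicitly declared and differs from the first one.
    if policy.sp2 is not None and policy.sp2 != policy.p:
        from_signed = "from" in (h.lower() for h in msg.dkim_signed_headers)
        if spf_ok and dkim_ok and from_signed:
            return ("softfail", policy.sp2)
    return ("fail", policy.p)
```

The mailing-list case in the thread is a message whose From: domain is the original author's while SPF and DKIM both pass for the list's own domain; with `sp2` declared it yields `softfail`, otherwise the ordinary `fail`.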
