On 08/15/2013 10:47 AM, Leith Bade wrote:
> Just noticed this entire thread was sent to spam on my Google Apps
> account.
> Now analyzing the headers, Google detects agari.com <http://agari.com>
> with a DMARC failure and a policy of none, so should have stuck at
> least this first email in my Inbox (SPF/DKIM passes).

This is a pretty common misconception. A DMARC assessment by a Mail
Receiver does not determine what happens to a message, it merely informs
the Mail Receiver what action the [Author-]Domain Owner proposes be
taken with messages that fail authentication.
That authentication failed means that the DMARC policy is available for
consideration, but the Domain Owner's request is "take no action on the
basis of the authentication failure" (which is not the same as "I
instruct you to put this in the inbox"). Gmail has used other heuristics
to determine (incorrectly) that the message is spam.

> The second two replies from tnpi.net <http://tnpi.net> and
> linkedin.com <http://linkedin.com> are both marked as DMARC failure
> but with a policy of reject - so I would have expected those emails to
> go to spam.

It is desirable that messages which fail authentication and which
purport to be from a domain whose DMARC policy is reject be rejected,
not put into a spam folder! That said, it is conceivable that Gmail has
observed that the DMARC policies for those two domains are overzealous
and is therefore simply ignoring them.
To restate, note that a DMARC policy is only ever a proposed handling by
a Domain Owner to a Mail Receiver. The Mail Receiver owns the receiving
equipment and will tend to make their own decision. There are at least
two classes of cases in which their decision may not be what a
simplistic reading of DMARC would predict:

  * The Mail Receiver doesn't trust the Domain Owner's ability to
    correctly identify all legitimate mail streams bearing its domain
    (the "overzealous policy" case), in which case DMARC Policy is
    simply ignored even for messages which fail authentication. A
    special case of this is a Mail Receiver deciding that a particular
    forwarder (e.g. a mailing list) is somewhat trustworthy even though
    they're modifying forwarded messages in such a way as to break
    authentication, so authentication failures for messages received
    directly from this forwarder should not be treated as reason to
    execute the Domain Owner's DMARC Policy (this tends to arise because
    the Domain Owner is specifying p=reject/quarantine for domains which
    are used for individual correspondence, which is not the case that
    DMARC is designed for).
  * The Mail Receiver doesn't trust the Domain Owner at all (e.g. thinks
    they're a spammer), in which case even messages which pass
    authentication are given no special treatment.

- Roland
--
Roland Turner | Director, Labs
TrustSphere Pte Ltd | 3 Phillip Street #13-03, Singapore 048693
Mobile: +65 96700022 | Skype: roland.turner
[email protected] | http://www.trustsphere.com/
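
The receiver-side decision described in the message above, sketched as an added example that is not part of the original post or any receiver's actual code. The `LocalPolicy` fields, the function names, the spam threshold and all sample domains, records and scores are assumptions constructed for illustration.

```python
from dataclasses import dataclass, field

def parse_dmarc(txt):
    """Parse a DMARC TXT record into a dict of tags; {} if it is not DMARC1."""
    tags = {}
    for part in txt.split(";"):
        key, sep, value = part.partition("=")
        if sep:
            tags[key.strip().lower()] = value.strip()
    return tags if tags.get("v") == "DMARC1" else {}

@dataclass
class LocalPolicy:  # hypothetical receiver-side configuration
    trusted_forwarders: set = field(default_factory=set)   # relays known to break authentication
    overzealous_domains: set = field(default_factory=set)  # published p= is ignored
    distrusted_domains: set = field(default_factory=set)   # no credit for a pass
    spam_threshold: float = 5.0

def disposition(author_domain, dmarc_txt, dmarc_pass, relay, spam_score, local):
    """Return (action, reason); action is 'inbox', 'spam-folder' or 'reject'."""
    # The receiver's own content heuristics always produce a verdict.
    heuristic = "spam-folder" if spam_score >= local.spam_threshold else "inbox"
    if author_domain in local.distrusted_domains:
        return heuristic, "domain owner not trusted; authentication result earns nothing"
    if dmarc_pass:
        return heuristic, "DMARC pass; other heuristics decide"
    requested = parse_dmarc(dmarc_txt).get("p", "none").lower()
    if relay in local.trusted_forwarders:
        return heuristic, "failure attributed to trusted forwarder; policy not executed"
    if author_domain in local.overzealous_domains:
        return heuristic, "published policy judged overzealous; ignored"
    if requested == "reject":
        return "reject", "DMARC fail and domain owner requests reject"
    if requested == "quarantine":
        return "spam-folder", "DMARC fail and domain owner requests quarantine"
    return heuristic, "DMARC fail but p=none requests no action; other heuristics decide"

# Constructed sample inputs (domains, records and scores are made up).
LOCAL = LocalPolicy(trusted_forwarders={"lists.example.org"})
CASES = [
    ("a.example", "v=DMARC1; p=none", False, "mx.unknown.example", 7.2),
    ("b.example", "v=DMARC1; p=reject", False, "lists.example.org", 1.0),
    ("b.example", "v=DMARC1; p=reject", False, "mx.unknown.example", 1.0),
]

def run_cases():
    return [disposition(d, txt, ok, relay, score, LOCAL)[0] for d, txt, ok, relay, score in CASES]

if __name__ == "__main__":
    for case, action in zip(CASES, run_cases()):
        print(case[0], case[1], "via", case[3], "->", action)
```

The first case lands in the spam folder on heuristics alone despite p=none, and the same p=reject failure is delivered or rejected depending only on which relay handed the message over.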