Thank you everybody for your fast and clear answers. I've understood why I should wait for dkim while reading the reports...
Carlos Pantelides @dev4sec seguridad-agile.blogspot.com El Miércoles, 12 de agosto, 2015 15:34:00, Tim Draegen <[email protected]> escribió: Hi Carlos, it might help to flip the perspective around to receivers. Receivers are looking for any positive signal that a piece of email can be connected to a domain. If that signal is due to SPF, great. If that signal is due to DKIM, that's great too. If both SPF and DKIM provide signals, great++. Having both SPF and DKIM in play for a piece of email increases its chances of being connected to a domain. If for some reason SPF goes bad, maybe DKIM still works. And vice-versa. You do NOT have to have SPF and DKIM in place to publish p=reject or p=quarantine. People do this today for domains that they know do not send email at all. In those cases SPF and DKIM will always fail to provide a positive signal. I hope the above help, -= Tim > On Aug 12, 2015, at 1:46 PM, Carlos P via dmarc-discuss > <[email protected]> wrote: > > Hello, > > > I am new to DMARC and have a question: It is necesary to setup both SPF and > DKIM in order to "quarantine" or "reject". I can not tell that from the > RFC[1] neither searching this list, but there are some other places [2][3] > that say so. > > > Is not finding a DKIM or SPF record considered a failure by itself when > p!=none? > > If so, I would like to know the rationale behind. Is it to make it a little > more resilient to "small" and trascient mistakes? > > Thank you > > > [1] http://tools.ietf.org/html/rfc7489 > > "2. Receivers compare the RFC5322.From address in the mail to the SPF > and DKIM results, if present, and the DMARC policy in DNS." > > later > > "Identifier Alignment: When the domain in the RFC5322.From address > matches a domain validated by SPF or DKIM (or both), it has > Identifier Alignment" > > [2] https://support.google.com/a/answer/2466563 > > "Important: Before creating a DMARC record for your Google Apps domain, you > must first set up DKIM authentication. If you fail to set up DKIM first, > email from services such as Google Calendar will fail mail authentication and > will not be delivered to users." > > > [3] http://blog.endpoint.com/2014/04/spf-dkim-and-dmarc-brief-explanation.html > > "DMARC can (and will) break your mail flow if you don't set up both SPF and > DKIM before changing DMARC policy to anything above 'none'." > > -- > > Carlos Pantelides > @dev4sec > seguridad-agile.blogspot.com > _______________________________________________ > dmarc-discuss mailing list > [email protected] > http://www.dmarc.org/mailman/listinfo/dmarc-discuss > > NOTE: Participating in this list means you agree to the DMARC Note Well terms > (http://www.dmarc.org/note_well.html) _______________________________________________ dmarc-discuss mailing list [email protected] http://www.dmarc.org/mailman/listinfo/dmarc-discuss NOTE: Participating in this list means you agree to the DMARC Note Well terms (http://www.dmarc.org/note_well.html)
