There is a subtle distinction involved here. RFC 7208 (and RFC 4408 before it) don't literally say to use RFC5321.Helo if RFC5321.Mailfrom is null. What they say to to construct a MailFrom using [email protected]. That's the difference between RFC5321.Mailfrom and RFC7208/4408.Mailfrom which is what DMARC uses.
So technically, DMARC always uses Mailfrom for SPF, but that Mailfrom may have been, in some cases, constructed using Helo. People often say things like "use Helo if Mailfrom is null", but that's shorthand, not precisely what the RFCs say to do. Scott K On Monday, May 09, 2016 09:50:33 PM Maarten Oelering via dmarc-discuss wrote: > Hi Franck, > > You explained this before, but also then I didn’t quite understand. > > First you say there is the SPF check on HELO and on MAILFROM. That I know > and understand. Then you say DMARC only uses the RFC5321.Mailfrom, but > which includes falls back on RFC5321.Helo. > > But isn’t that the same in practice? The HELO domain is the HELO domain. > Or is the difference that alignment is required when > postmaster@<RFC5321.Helo> is used in DMARC context? > > Thanks, > > Maarten > > > On 9 mei 2016, at 19:27, Franck Martin via dmarc-discuss > > <[email protected]> wrote: > > > > SPF provides 2 results. People get confused because they often think there > > is only one. > > > > The first result is based on the RFC7489.HELO and the second result is > > based on the RFC7489.MAILFROM. > > > > The first result could allow you to close a connection at the RFC5321.Helo > > stage, while the second result would allow you to close the connection > > after the RFC5321.Mailfrom. In practice both results are integrated in > > higher reputation layers... > > > > DMARC uses only the second result (and identifiers). > > > > As a side note and as Terry points out, Office 365, only uses the second > > results for SPF. Many implementations of SPF use only the second result. > > > > RFC7489.MAILFROM is defined as RFC5321.MailFrom unless it is empty, in > > that case it is postmaster@<RFC5321.Helo> > > > > Hope this helps. > > > > On Mon, May 9, 2016 at 8:17 AM, Terry Zink via dmarc-discuss > > <[email protected] <mailto:[email protected]>> wrote: This is > > a good point, I'm not sure about how others do it, but in Office 365 we > > compare the 5322.From domain against the domain that was used to > > authenticate SPF. That's the 5321.MailFrom unless it is <>, in which case > > we use the HELO/EHLO domain. That would allow a DMARC pass in the absence > > of a DKIM signature. > > > > -- Terry > > > > -----Original Message----- > > From: dmarc-discuss [mailto:[email protected] > > <mailto:[email protected]>] On Behalf Of Sistemisti Posta > > via dmarc-discuss Sent: Monday, May 9, 2016 3:38 AM > > To: [email protected] <mailto:[email protected]> > > Subject: [dmarc-discuss] DMARC and null path > > > > Hello DMARC users, > > > > because I'm new in DMARC world I'm trying to understand some details > > > > before to start with policy implementation. > > > > A detail I would understand is related to mails with null path, or null > > sender address, typically sent by Delivery Status Notifications. > > > > It seems that the only way to pass DMARC with null path is to DKIM sign > > the mails. Is it true? > > > > I ask this because RFC7489 says that exists a condition when DMARC > > considers the null path: > > > > "Note that the RFC5321.HELO identity is not typically used in the > > > > context of DMARC (except when required to "fake" an otherwise null > > reverse-path)" > > > > And: > > > > "DMARC uses the result of SPF authentication of the MAIL FROM identity. > > Section 2.4 of [SPF] describes MAIL FROM processing for cases in which > > the MAIL command has a null path." > > > > RFC4408 says accordingly: > > > > 'When the reverse-path is null, this document defines the "MAIL FROM" > > identity to be the mailbox composed of the localpart "postmaster" and > > the "HELO" identity (which may or may not have been checked separately > > before).' > > > > So if a mail with null path and HELO domain equal to RFC5322.From passes > > the SPF check, why should DMARC fail? > > > > See at this live example: > > > > libero.it <http://libero.it/> descriptive text "v=spf1 > > ip4:212.48.25.128/25 <http://212.48.25.128/25> ip4:212.48.14.160/27 > > <http://212.48.14.160/27> include:srs.bis.na.blackberry.com > > <http://srs.bis.na.blackberry.com/> include:srs.bis.eu.blackberry.com > > <http://srs.bis.eu.blackberry.com/> include:srs.bis.ap.blackberry.com > > <http://srs.bis.ap.blackberry.com/> include:mail.zendesk.com > > <http://mail.zendesk.com/> -all" > > _dmarc.libero.it <http://dmarc.libero.it/> descriptive text "v=DMARC1\; > > p=quarantine\; ... > > > > If 212.48.14.166 <tel:212.48.14.166> sends a mail with null path, > > RFC5322.From=<local>@libero.it <http://libero.it/> and *helo=libero.it > > <http://libero.it/>*, then SPF thinks to have a 'MAIL FROM' like > > "[email protected] <mailto:[email protected]>", passing this result > > to DMARC for alignment with RFC5322.From. (If it passes the helo domain > > is the same) > > > > The result I see: > > ~~~ > > 2016-05-09T09:47:06.481095+02:00 postfix/smtpd[14063]: 3r3Dx63PshzFpVy: > > client=smtp-32-i6.italiaonline.it > > <http://smtp-32-i6.italiaonline.it/>[212.48.14.166 > > <tel:%5B212.48.14.166>] 2016-05-09T09:47:06.636894+02:00 > > postfix/qmgr[17134]: 3r3Dx63PshzFpVy: from=<>, size=308079, nrcpt=x > > (queue active) > > 2016-05-09T09:47:06.551037+02:00 opendkim[6782]: 3r3Dx63PshzFpVy: > > smtp-32-i6.italiaonline.it <http://smtp-32-i6.italiaonline.it/> > > [212.48.14.166 <tel:%5B212.48.14.166>] not internal > > 2016-05-09T09:47:06.551173+02:00 opendkim[6782]: 3r3Dx63PshzFpVy: not > > authenticated > > 2016-05-09T09:47:06.551960+02:00 opendkim[6782]: 3r3Dx63PshzFpVy: no > > signature data > > 2016-05-09T09:47:06.594831+02:00 opendmarc[9812]: SPF: 3r3Dx63PshzFpVy: > > libero.it <http://libero.it/> pass > > 2016-05-09T09:47:06.595936+02:00 opendmarc[9812]: 3r3Dx63PshzFpVy: > > libero.it <http://libero.it/> pass > > ~~~ > > > > The mail with null path and no DKIM signs passes DMARC. For me this is a > > correct result; isn't it? > > In this particular case we could complain that the client doesn't send > > an helo equal to his hostname, but this is not DMARC related. > > > > > > I would implement DMARC. For DSN sent to Internet by any authorized MTA > > I would declare an SPF record as: > > > > mta.example.com <http://mta.example.com/> IN TXT "v=spf1 a -all" > > _dmarc.example.com <http://dmarc.example.com/> descriptive text > > "v=DMARC1\; p=reject\;" > > > > Let suppose the above host sends a DSN with null path, > > helo="mta.example.com <http://mta.example.com/>" and > > [email protected] > > <mailto:[email protected]>. I expect DMARC passes (in relaxed > > mode) because SPF passes. > > > > Could you explain me where I'm wrong? > > > > Thank you very much for your help. > > Best Regards > > Marco > > _______________________________________________ > > dmarc-discuss mailing list > > [email protected] <mailto:[email protected]> > > http://www.dmarc.org/mailman/listinfo/dmarc-discuss > > <http://www.dmarc.org/mailman/listinfo/dmarc-discuss> > > > > NOTE: Participating in this list means you agree to the DMARC Note Well > > terms (http://www.dmarc.org/note_well.html > > <http://www.dmarc.org/note_well.html>) > > > > _______________________________________________ > > dmarc-discuss mailing list > > [email protected] <mailto:[email protected]> > > http://www.dmarc.org/mailman/listinfo/dmarc-discuss > > <http://www.dmarc.org/mailman/listinfo/dmarc-discuss> > > > > NOTE: Participating in this list means you agree to the DMARC Note Well > > terms (http://www.dmarc.org/note_well.html > > <http://www.dmarc.org/note_well.html>) > > > > _______________________________________________ > > dmarc-discuss mailing list > > [email protected] > > http://www.dmarc.org/mailman/listinfo/dmarc-discuss > > > > NOTE: Participating in this list means you agree to the DMARC Note Well > > terms (http://www.dmarc.org/note_well.html) _______________________________________________ dmarc-discuss mailing list [email protected] http://www.dmarc.org/mailman/listinfo/dmarc-discuss NOTE: Participating in this list means you agree to the DMARC Note Well terms (http://www.dmarc.org/note_well.html)
