On 02/05/2014 08:59 AM, Kurt Roeckx wrote:

On Sat, Feb 01, 2014 at 12:04:43PM +0800, Roland Turner wrote:
"Non-participating" MLMs (RFC 6377) are outside DMARC's scope.
This draft does not update the RFC 6377 requirements for
mailing lists, but I do think it changes the requirements.  But it
also seems to contain the possibility to override this somehow,
but it's all outside the scope of DMARC.

I do not understand this paragraph or its relevance to the quoted sentence.

From what I understand, I have received very few aggregate reports
that get all the results correct.  There always seems to be
something wrong with them.

It would be very helpful for you to share those so the relevant issues can be identified and addressed.

And I think the draft isn't helping in
making things clear because it just documents the format.

Would you care to propose specific improvements?

As I understand it, in the case of the mails you send to this
list, you should receive the following:
     <auth_results>
       <dkim>
         <domain>ietf.org</domain>
         <selector>ietf1</selector>
         <result>pass</result>
       </dkim>
       <dkim>
         <domain>rolandturner.com</domain>
         <selector>20120325</selector>
         <result>fail</result>
       </dkim>
       <spf>
         <domain>ietf.org</domain>
         <scope>mfrom</scope>
         <result>pass</result>
       </spf>
     </auth_results>

I suspect that this conversation would proceed more quickly if you provided real examples rather than hypothetical ones but yes, sure.

I'm just going to guess that the results you get back contain all
kinds of wrong information, but I hope you at least get some that
are more or less correct.

Your guess is incorrect.

I think that because none of those that pass are aligned it
should then result in:
         <policy_evaluated>
           <disposition>none</disposition>
           <dkim>fail</dkim>
           <spf>fail</spf>
         </policy_evaluated>

Possibly it could have a reason added there.

As my published policy is none, there is no requirement for a reason.

A reason is only required if the published policy is quarantine or reject and neither mechanism yields a pass that DMARC can use but the receiver has decided to override that (e.g. because the forwarder is believed by the receiver to be trustworthy, or because the Domain Owner is believed by the receiver to not have control of their legitimate message streams).

What is unclear to me is what happens when either dkim or spf
would pass and the policy_published contains p=reject.  Should it
be:
         <policy_evaluated>
           <disposition>reject</disposition>
           <dkim>pass</dkim>
           <spf>fail</spf>
         </policy_evaluated>

Or:
         <policy_evaluated>
           <disposition>none</disposition>
           <dkim>pass</dkim>
           <spf>fail</spf>
         </policy_evaluated>

None, obviously: an aligned domain has passed SPF. (draft-kucherawy-dmarc-base-02 <https://datatracker.ietf.org/doc/draft-kucherawy-dmarc-base/?include_text=1> 10.2 5)

Please note that the draft seems to indicate that it should
contain the value from p or sp, but that if you override it
it can contain some other value.  So I can read that even if you
accept it because dkim says pass that the disposition should be
reject.  And I have to guess that's not really the intention.

No, that's the policy_published section.


Note further that DMARC is also selective about its use of DKIM,
except that the DKIM d= must match from 5322.From domain exactly
(merely being aligned isn't enough). The same two interpretations
must therefore be understood and they appear in the same two places
in the aggregate report as above.
I'm not sure I understand what you're saying here.  As I
understand it, there is a strict and relaxed way for that?

Interesting, a misunderstanding on my part. Thank you.

- Roland
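
The distinction discussed in this thread, between raw `auth_results` and the alignment-filtered `policy_evaluated`, as an added example that is not part of the original message or of the DMARC draft. It assumes a `header_from` of rolandturner.com, a two-label approximation of the Organizational Domain, and no receiver-side override; the function names are hypothetical.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the auth_results quoted in the thread, plus an assumed
# header_from of rolandturner.com (not shown on the page).
RECORD = """
<record>
  <identifiers><header_from>rolandturner.com</header_from></identifiers>
  <auth_results>
    <dkim><domain>ietf.org</domain><selector>ietf1</selector><result>pass</result></dkim>
    <dkim><domain>rolandturner.com</domain><selector>20120325</selector><result>fail</result></dkim>
    <spf><domain>ietf.org</domain><scope>mfrom</scope><result>pass</result></spf>
  </auth_results>
</record>
"""

def org_domain(domain):
    # Simplification (assumption): last two labels. A real implementation
    # needs the Public Suffix List to find the Organizational Domain.
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def aligned(auth_domain, from_domain, strict=False):
    # Strict alignment: exact match. Relaxed: same Organizational Domain.
    if strict:
        return auth_domain.lower() == from_domain.lower()
    return org_domain(auth_domain) == org_domain(from_domain)

def evaluate(record_xml, policy="none", adkim_strict=False, aspf_strict=False):
    rec = ET.fromstring(record_xml)
    header_from = rec.findtext("identifiers/header_from")

    def mech(tag, strict):
        # A mechanism counts only if it passed AND its domain is aligned.
        ok = any(e.findtext("result") == "pass"
                 and aligned(e.findtext("domain"), header_from, strict)
                 for e in rec.findall(f"auth_results/{tag}"))
        return "pass" if ok else "fail"

    dkim, spf = mech("dkim", adkim_strict), mech("spf", aspf_strict)
    # The published policy applies only when neither mechanism yields an
    # aligned pass (receiver overrides are not modelled here).
    disposition = "none" if "pass" in (dkim, spf) else policy
    return {"disposition": disposition, "dkim": dkim, "spf": spf}
```

Aggregate reports arrive from third parties, so production code should parse them with an XML parser hardened against entity expansion.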