On Thursday, February 06, 2014 12:43 AM [GMT+1=CET], Terry Zink wrote:

> 1. Case 1 - sender publishes DMARC and only authenticates with SPF,
> user auto-forwards their email
>
> Example: bulk sender -> Hotmail -> Gmail
> This would pass DMARC at Hotmail (since bulk sender publishes SPF)
> but fail at Gmail (since Gmail will see Hotmail's IP but bulk sender
> in the 5321.MailFrom)

I think in that case Gmail would see the bulk sender in the 5322.MimeFrom and Hotmail in the 5321.MailFrom. Therefore, the SPF-itself check would pass at Gmail (because that check would validate that the email is Hotmail-authentic), although DMARC would fail its (version of the) SPF-check at Gmail (because that check would try to validate whether the email is BulkSender-authentic).

Yes, it is a mess. The solution is to check SPF-itself before checking DMARC, and then exempt from DMARC processing those emails which get an SPF-itself result of pass AND come from known-good domains (according to your locally maintained whitelist of known-good domains).

> 2. Case 2 - discussion/mailing lists. This is a known limitation of
> DMARC and there are workarounds, but if no one does anything, the day
> after we turn on DMARC how much email would this affect?
>
> Does anyone have numbers on how much this would affect?

You will have to implement mailing-list detection logic on your side, and then exempt those emails from DMARC processing. It is either that, or breaking mailing lists for your users (they won't be happy about it).

The other option is to never obey DMARC's p=reject policy.

Regards,
J.Gomez

_______________________________________________
dmarc mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dmarc
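
The forwarding outcome and the exemption described in the reply above, as an added example that is not part of the original thread. The domains, the allowlist and the subdomain shortcut for relaxed alignment are constructed assumptions; DKIM is left out because Case 1 has the sender authenticating with SPF only.

```python
# Added example: receiver-side decision for an auto-forwarded message.
# All domains and the allowlist below are constructed for illustration.
from dataclasses import dataclass

KNOWN_GOOD_FORWARDERS = {"hotmail.example"}  # locally maintained list (assumed)


@dataclass
class Message:
    mail_from_domain: str    # 5321.MailFrom domain seen by this receiver
    header_from_domain: str  # 5322.From domain
    spf_result: str          # plain SPF result for mail_from_domain
    dmarc_policy: str        # p= published by header_from_domain, "" if none


def spf_aligned(msg, strict=False):
    """DMARC's SPF check: SPF passes AND its domain aligns with 5322.From."""
    if msg.spf_result != "pass":
        return False
    a, b = msg.mail_from_domain.lower(), msg.header_from_domain.lower()
    if strict:
        return a == b
    # Simplification: relaxed alignment really compares organizational
    # domains via the Public Suffix List; a subdomain test stands in here.
    return a == b or a.endswith("." + b) or b.endswith("." + a)


def disposition(msg, allowlist=KNOWN_GOOD_FORWARDERS):
    """Check SPF itself first, apply the local exemption, then DMARC."""
    if not msg.dmarc_policy:
        return "no-dmarc"
    # Exemption: SPF itself passes AND the authenticated domain is known-good.
    if msg.spf_result == "pass" and msg.mail_from_domain.lower() in allowlist:
        return "exempt"
    if spf_aligned(msg):
        return "pass"
    # Not aligned and not exempt: the sender's published policy applies.
    return msg.dmarc_policy if msg.dmarc_policy in ("reject", "quarantine") else "none"


if __name__ == "__main__":
    direct = Message("bulk.example", "bulk.example", "pass", "reject")
    forwarded = Message("hotmail.example", "bulk.example", "pass", "reject")
    print(disposition(direct), disposition(forwarded), disposition(forwarded, set()))
```

The exemption is only as trustworthy as the allowlist: any message relayed through a listed domain bypasses the sender's published policy, so the list has to be limited to forwarders the receiver is prepared to trust.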
