On Monday, December 22, 2014 11:16:01 AM Dave Crocker wrote:
> On 12/22/2014 11:11 AM, Rolf E. Sonneveld wrote:
> >> Perhaps 5.6.3 needs something like "SHOULD NOT act on DMARC policy if a
> >> temporary error in SPF or DKIM processing prevents a full evaluation."
> >
> > +1
>
> We need to be careful about how this is phrased. I specifically suspect
> that the above suggested wording is a bad idea, or worse, probably wrong.
>
> DMARC /requires/ prior validation of the author From domain via a
> lower-level mechanism. SPF and DKIM are defined for now. If neither of
> them validates the domain, then DMARC fails.
>
> There is no 'should' about it. It fails.
>
> Failing means that the policies are not applied. As in MUST NOT be applied.

I'm confused. If DKIM does not verify and align and SPF does not pass and align then the DMARC result is fail and the policy IS applied. I must be reading you wrong because I think that's the opposite of what you wrote.

I bring it up because it appears (in the postfix-users discussion) that possibly a large mail provider (doesn't matter which, really) may be applying DMARC fail policy (to reject in this case) when the underlying SPF/DKIM checks do not reach a definitive result due to transient DNS errors.

As I read -08 what to do in that case is undefined. There's a dangling pointer to 5.6.3. It's dangling because nothing in that section addresses the question of how to handle DKIM/SPF temporary errors.

Scott K
_______________________________________________
dmarc mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dmarc
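
The case raised in this message, as an added example that is not part of the original post or of the DMARC draft: a receiver-side evaluator that keeps a transient SPF/DKIM error distinct from a definitive DMARC fail, so a reject policy is applied only when no aligned check could still pass on retry. The `temperror` DMARC outcome, the `defer` disposition, and the simplified relaxed-alignment test are assumptions, one possible handling of what the message says -08 leaves undefined.

```python
from dataclasses import dataclass

@dataclass
class AuthResult:
    result: str   # "pass", "fail", "none", "temperror", "permerror"
    domain: str   # SPF: MAIL FROM domain; DKIM: the signature's d= domain

def aligned(auth_domain: str, from_domain: str) -> bool:
    # Simplified relaxed alignment (assumption): equal, or one is a subdomain
    # of the other. A real receiver compares organizational domains.
    a = auth_domain.lower().rstrip(".")
    f = from_domain.lower().rstrip(".")
    return a == f or a.endswith("." + f) or f.endswith("." + a)

def dmarc_evaluate(from_domain, spf, dkim_results):
    """Return "pass", "fail", or "temperror" (assumed third outcome)."""
    checks = [spf] + list(dkim_results)
    # Only aligned identifiers can ever produce a DMARC pass, so a transient
    # error on an unaligned identifier does not leave the result open.
    relevant = [c for c in checks if aligned(c.domain, from_domain)]
    if any(c.result == "pass" for c in relevant):
        return "pass"        # one aligned pass is sufficient
    if any(c.result == "temperror" for c in relevant):
        return "temperror"   # an aligned check might still pass on retry
    return "fail"            # every aligned check reached a definitive non-pass

def disposition(dmarc_result, policy):
    """Map a DMARC result and the published p= value to a receiver action."""
    if dmarc_result == "pass":
        return "accept"
    if dmarc_result == "temperror":
        return "defer"       # assumption: SMTP 4xx so the sender retries later
    return {"none": "accept", "quarantine": "quarantine", "reject": "reject"}[policy]

if __name__ == "__main__":
    # Constructed sample inputs, not taken from the thread.
    cases = [
        (AuthResult("temperror", "example.com"), [AuthResult("fail", "example.com")]),
        (AuthResult("fail", "example.com"), [AuthResult("temperror", "other.example.net")]),
        (AuthResult("temperror", "example.com"), [AuthResult("pass", "mail.example.com")]),
    ]
    for spf, dkim in cases:
        r = dmarc_evaluate("example.com", spf, dkim)
        print(spf.result, [d.result for d in dkim], "->", r, disposition(r, "reject"))
```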
