----- Original Message -----
> From: "Murray S. Kucherawy" <[email protected]>
> To: "Scott Kitterman" <[email protected]>
> Cc: [email protected]
> Sent: Tuesday, December 23, 2014 10:32:44 PM
> Subject: Re: [dmarc-ietf] Jim Fenton's review of -04

> On Mon, Dec 22, 2014 at 10:44 AM, Scott Kitterman <[email protected]> wrote:
> > There was a recent thread on postfix-users about DMARC rejections when
> > there are DNS errors that caused me to review -08 to see what it says
> > on the matter.
> >
> > At the end of section 5.6.2, it says:
> >
> >    Handling of messages for which SPF and/or DKIM evaluation encounters
> >    a DNS error is left to the discretion of the Mail Receiver. Further
> >    discussion is available in Section 5.6.3.
> >
> > My reading of 5.6.3 though is that it only discusses DNS errors in the
> > context of failing to retrieve the DMARC record. Any discussion about
> > handling DNS errors for SPF/DKIM seems to be missing.
>
> Yes, DMARC punts on what to do when SPF or DKIM encounter transient
> failures. I imagine that's because those modules would arrange to
> temp-fail a message that has that problem. I suppose my experience is
> that messages don't even get to the point of DMARC evaluation when that
> happens, because the message has already been temp-failed.

As SPF (and DKIM) can report a message with the status tempfail, it means the message is not necessarily tempfailed (bounced).

> If you think about DKIM and SPF as being part of a layer below DMARC,
> then I'm not sure it's wise of us to be making any kind of normative
> statement about what to do when the lower layers fail.
>
> What do you suggest?

I think we should recommend something here; not sure if it needs to be normative. We do say to ignore the SPF policy when p!=none, though I think we can be normative on the lower layers.

I see 2 options here:

1) tempfail the message if either SPF or DKIM has a tempfail status
2) tempfail the message if both SPF and DKIM have a tempfail status

1) is my preferred and is aggressive, therefore not sure people will like it. I'll settle for 2).

As explained in another post, I'm worried I can run a DNS attack (or just a self-inflicted DNS bad config) and get DMARC to reject emails it should have accepted (has the DMARC policy in cache, but cannot assert SPF and DKIM).
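The two options above, and the cached-policy failure mode the reply worries about, as an added illustration that is not part of the thread: a minimal DMARC disposition function in which the handling of SPF/DKIM temperror is an explicit parameter. The function, the `Auth` enum and the rule names "either", "both" and "ignore" are this example's own assumptions, not anything from the draft.

```python
from enum import Enum


class Auth(Enum):
    """Outcome of the aligned SPF or DKIM check for one message."""
    PASS = "pass"
    FAIL = "fail"            # any definitive non-pass (fail, softfail, none, permerror)
    TEMPERROR = "temperror"  # the DNS lookup failed transiently


def dmarc_disposition(spf: Auth, dkim: Auth, policy: str, temperror_rule: str) -> str:
    """Return 'accept', 'tempfail', 'quarantine' or 'reject'.

    policy         -- the (possibly cached) DMARC p= value: none, quarantine, reject
    temperror_rule -- 'either': option 1, tempfail if SPF or DKIM is temperror
                      'both'  : option 2, tempfail only if both are temperror
                      'ignore': draft -08 as written, temperror counts as not-pass
    """
    if policy not in ("none", "quarantine", "reject"):
        raise ValueError(f"unknown DMARC policy {policy!r}")
    if temperror_rule not in ("either", "both", "ignore"):
        raise ValueError(f"unknown temperror rule {temperror_rule!r}")
    # One aligned pass is a DMARC pass; the published policy is never applied.
    if Auth.PASS in (spf, dkim):
        return "accept"
    temperrors = sum(1 for r in (spf, dkim) if r is Auth.TEMPERROR)
    if temperror_rule == "either" and temperrors >= 1:
        return "tempfail"
    if temperror_rule == "both" and temperrors == 2:
        return "tempfail"
    # DMARC fail: apply the sender's policy (p=none only monitors and delivers).
    return "accept" if policy == "none" else policy


def dns_outage_outcomes(policy: str = "reject") -> dict:
    """The worrying case: both lookups time out while p=reject is still cached.

    Under 'ignore' the message is rejected even though nothing proved it
    unauthenticated; under either option it is deferred and retried instead.
    """
    return {rule: dmarc_disposition(Auth.TEMPERROR, Auth.TEMPERROR, policy, rule)
            for rule in ("ignore", "either", "both")}
```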
_______________________________________________ dmarc mailing list [email protected] https://www.ietf.org/mailman/listinfo/dmarc
