On December 24, 2014 1:32:44 AM EST, "Murray S. Kucherawy" 
<[email protected]> wrote:
>On Mon, Dec 22, 2014 at 10:44 AM, Scott Kitterman <[email protected]> wrote:
>
>> There was a recent thread on postfix-users about DMARC rejections when there
>> are DNS errors that caused me to review -08 to see what it says on the matter.
>>
>> At the end of section 5.6.2, it says:
>>
>>    Handling of messages for which SPF and/or DKIM evaluation encounters
>>    a DNS error is left to the discretion of the Mail Receiver.  Further
>>    discussion is available in Section 5.6.3.
>>
>> My reading of 5.6.3 though is that it only discusses DNS errors in the context
>> of failing to retrieve the DMARC record.  Any discussion about handling DNS
>> errors for SPF/DKIM seems to be missing.
>>
>
>Yes, DMARC punts on what to do when SPF or DKIM encounter transient
>failures.  I imagine that's because those modules would arrange to
>temp-fail a message that has that problem.  I suppose my experience is that
>messages don't even get to the point of DMARC evaluation when that happens,
>because the message has already been temp-failed.
>
>If you think about DKIM and SPF as being part of a layer below DMARC, then
>I'm not sure it's wise of us to be making any kind of normative statement
>about what to do when the lower layers fail.
>
>What do you suggest?
>
>-MSK

The draft strongly encourages DMARC implementers to ignore SPF policy, so I 
don't think assuming messages will be deferred due only to SPF or DKIM 
results indicating a temporary DNS error is appropriate. 

I think that in the case of a temporary DNS error in one of the lower level 
protocols, insufficient inputs are available to conclude a message has failed 
DMARC tests. 

Receivers can either ignore DMARC for this message due to incomplete evaluation 
or they can defer the message in the hope that the temporary error will be 
resolved when the message is retried.  Receivers MUST NOT apply DMARC policy 
and reject or quarantine because the DMARC evaluation is incomplete. 

Scott K

_______________________________________________
dmarc mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dmarc
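
The handling proposed in the message above, sketched as an added example (not part of the original e-mail, the draft, or any DMARC implementation). The names `AuthResult`, `Disposition` and `dmarc_disposition` are hypothetical, the sample results are constructed, and the example assumes that only a temperror on an aligned identifier leaves the evaluation incomplete.

```python
from dataclasses import dataclass
from enum import Enum

class Disposition(Enum):
    ACCEPT = "accept"            # deliver normally (DMARC pass, or fail under p=none)
    ACCEPT_NO_DMARC = "ignore"   # evaluation incomplete, DMARC not applied
    DEFER = "defer"              # 4xx reply, sender retries later
    QUARANTINE = "quarantine"
    REJECT = "reject"

@dataclass
class AuthResult:
    method: str     # "spf" or "dkim"
    result: str     # "pass", "fail", "temperror", "none", ...
    aligned: bool   # authenticated domain aligns with the From: domain

def dmarc_disposition(results, policy, on_incomplete="defer"):
    """policy: published p= value ("none", "quarantine", "reject").
    on_incomplete: the receiver's local choice, "defer" or "ignore"."""
    if on_incomplete not in ("defer", "ignore"):
        raise ValueError("on_incomplete must be 'defer' or 'ignore'")
    aligned = [r for r in results if r.aligned]
    # One aligned pass is conclusive, whatever happened to the other checks.
    if any(r.result == "pass" for r in aligned):
        return Disposition.ACCEPT
    # Assumption of this example: only a temperror on an aligned identifier
    # leaves the outcome open; an unaligned one could never yield a DMARC pass.
    if any(r.result == "temperror" for r in aligned):
        # Incomplete evaluation: never reject or quarantine on this basis.
        if on_incomplete == "ignore":
            return Disposition.ACCEPT_NO_DMARC
        return Disposition.DEFER
    # Every aligned input is conclusive and none passed: DMARC fail.
    return {"reject": Disposition.REJECT,
            "quarantine": Disposition.QUARANTINE}.get(policy, Disposition.ACCEPT)

# Constructed sample: SPF lookup hit a temporary DNS error, DKIM failed.
SAMPLE = [AuthResult("spf", "temperror", True), AuthResult("dkim", "fail", True)]

if __name__ == "__main__":
    print(dmarc_disposition(SAMPLE, "reject"))
    print(dmarc_disposition(SAMPLE, "reject", on_incomplete="ignore"))
```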
