On December 29, 2014 11:50:51 AM EST, [email protected] wrote:
>> On 12/29/2014 7:26 AM, MH Michael Hammer (5304) wrote:
>> > It's still not quite right:
>> >
>> >    DMARC evaluation can only complete and yield a "pass" result
>> >    when one of the underlying authentication mechanisms passes
>> >    for an aligned identifier. If this is not the case and either
>> >    or both of them suffered some kind of temporary error (such as
>> >    a transient DNS problem), the Receiver evaluating the message
>> >    is also unable to conclude that the DMARC mechanism failed and
>> >    thereby apply the advertised DMARC policy. Rather, the Receiver
>> >    can either skip DMARC processing for this message due to
>> >    incomplete evaluation, or it can arrange to defer handling of
>> >    the message in the hope that the temporary error will be
>> >    resolved when the message is retried. When otherwise
>> >    appropriate due to DMARC policy, receivers MAY send feedback
>> >    reports regarding temporary errors.
>> >
>> > The problem is with:
>> >
>> > "If this is not the case and either or both of them suffered some
>> > kind of temporary error (such as a transient DNS problem),...",
>> > Specifically the use of "either or". If only one (SPF or DKIM) has a
>> > transient DNS error then presumably the other, which has not had an
>> > error, can be evaluated (resulting in a "pass" or "DMARC failure". It
>> > only becomes an issue when BOTH SPF and DKIM have concurrent
>> > temporary errors. I'm thinking that removing the "either or" is
>> > appropriate. I'm still cogitating on the rest of the paragraph.
>
>> Good catch. This is complicated by there really being two conditions.
>
>> The first is the negative that neither method authenticates. The second
>> is the affirmative that one of them failed with a temporary error.
>
>> So perhaps something like:
>
>> FROM:
>
>> > DMARC evaluation can only complete and yield a "pass" result when one
>> > of the underlying authentication mechanisms passes for an aligned
>> > identifier. If this is not the case and either or both of them
>> > suffered some kind of temporary error (such as a transient DNS
>> > problem), the Receiver evaluating the message is also unable to
>> > conclude that the DMARC mechanism failed and thereby apply the
>> > advertised DMARC policy.
>
>> TO:
>
>> DMARC evaluation can only complete and yield a "pass" result when one
>> of the underlying authentication mechanisms passes for an aligned
>> identifier. If neither passes and one or both of them failed due to a
>> temporary error, the Receiver evaluating the message is also unable to
>> conclude that the DMARC mechanism had a permanent failure and thereby
>> can apply the advertised DMARC policy.
>
>This looks good to me.

Shouldn't it be cannot apply the advertised DMARC policy?

Scott K
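Added example, not part of the original message or of the DMARC draft: a Python sketch that tabulates the two readings discussed in the quoted text (the revised "TO:" wording, and the objection that only concurrent temporary errors on both mechanisms block a conclusion) and lists the SPF/DKIM result combinations on which they disagree. The function names and the three result labels are assumptions of this example, and each mechanism result is taken to be already checked for identifier alignment.

```python
from itertools import product

# Simplified per-mechanism outcomes for the aligned identifier.
# These labels are this example's own, not taken from the draft.
RESULTS = ("pass", "fail", "temperror")


def dmarc_revised_wording(spf, dkim):
    """Revised 'TO:' text: neither passes and one or both had a
    temporary error -> no permanent failure can be concluded."""
    if "pass" in (spf, dkim):
        return "pass"
    if "temperror" in (spf, dkim):
        return "temperror"  # receiver skips DMARC processing or defers
    return "fail"           # advertised DMARC policy is applied


def dmarc_both_must_error(spf, dkim):
    """Objection quoted in the thread: a mechanism that did not error
    can still be evaluated, so only temporary errors on BOTH SPF and
    DKIM leave the evaluation incomplete."""
    if "pass" in (spf, dkim):
        return "pass"
    if spf == "temperror" and dkim == "temperror":
        return "temperror"
    return "fail"


def divergent_cases():
    """(spf, dkim) pairs on which the two readings give different results."""
    return [
        (spf, dkim)
        for spf, dkim in product(RESULTS, repeat=2)
        if dmarc_revised_wording(spf, dkim) != dmarc_both_must_error(spf, dkim)
    ]


if __name__ == "__main__":
    print(f"{'SPF':<10}{'DKIM':<10}{'revised':<12}{'both-must-error'}")
    for spf, dkim in product(RESULTS, repeat=2):
        print(f"{spf:<10}{dkim:<10}"
              f"{dmarc_revised_wording(spf, dkim):<12}"
              f"{dmarc_both_must_error(spf, dkim)}")
    print("readings differ on:", divergent_cases())
```

The two readings differ only when one mechanism fails outright and the other hits a temporary error: the revised wording withholds the policy there, while the other reading applies it.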
