> -----Original Message-----
> From: dmarc [mailto:[email protected]] On Behalf Of Scott Kitterman
> Sent: Monday, December 29, 2014 3:22 PM
> To: [email protected]
> Subject: Re: [dmarc-ietf] Jim Fenton's review of -04
>
> On December 29, 2014 3:15:26 PM EST, "MH Michael Hammer (5304)"
> <[email protected]> wrote:
> >Still not quite correct...
> >
> >> -----Original Message-----
> >> From: dmarc [mailto:[email protected]] On Behalf Of Dave Crocker
> >> Sent: Monday, December 29, 2014 2:32 PM
> >> To: Scott Kitterman; [email protected]
> >> Subject: Re: [dmarc-ietf] Jim Fenton's review of -04
> >>
> >> On 12/29/2014 10:40 AM, Scott Kitterman wrote:
> >> > TO:
> >> >
> >> >> DMARC evaluation can only complete and yield a "pass" result when one of
> >> >> the underlying authentication mechanisms passes for an aligned identifier.
> >> >> If neither passes and one or both of them failed due to a temporary error,
> >> >> the Receiver evaluating the message is also unable to conclude that the
> >> >> DMARC mechanism had a permanent failure and thereby can apply the
> >> >> advertised DMARC policy.
> >> >>
> >> >> This looks good to me.
> >> >
> >> > Shouldn't it be cannot apply the advertised DMARC policy?
> >>
> >> Actually, no, but I also was confused. It took me some serious effort to
> >> decide that the current wording was correct. And a spec should not require
> >> that sort of linguistic diligence, IMO.
> >>
> >> Looks like a small change can make your form correct...
> >>
> >> So I suggest:
> >>
> >> DMARC evaluation can only yield a "pass" result after one of the
> >> underlying authentication mechanisms passes for an aligned identifier. If
> >> neither passes and one or both of them fails due to a temporary error, the
> >> Receiver evaluating the message is unable to conclude that the DMARC
> >> mechanism had a permanent failure; they therefore cannot (yet) apply the
> >> advertised DMARC policy.
> >>
> >> d/
> >> --
> >
> >If neither of them passes and only one of them fails due to a temporary
> >error (but the other one does not fail due to a temporary error) then
> >the other one should (must?, not in the normative sense) be an actual
> >failure. Perhaps the wording should be: "If neither SPF nor DKIM pass
> >and both of them fail due to temporary errors...". The case we seem to
> >be discussing is where we have temporary failures for both SPF and
> >DKIM.
>
> No. As long as either of them have a temporary DNS error, then you can't
> apply DMARC policy.
>
DOH! I stand corrected.

> >The other issue (more than a quibble) I have is leaving it at "; they
> >therefore cannot (yet) apply the advertised DMARC policy." What should
> >they do? I prefer to treat it as a tempfail and allow for retries. The
> >problem with that approach is if the mail has been accepted for
> >delivery. I don't like the idea of DSNs or out of band bounces.
>
> I think the only two reasonable choices are defer and see what happens on
> retry or to treat it as DMARC none and press on with other checks.
>

I suppose it's ultimately another example of local policy. I feel like a DMARC "none" opens the door to abuse (I'm thinking of abused financials for example). How easily can an abuser induce temporary failures for DNS for a given host/domain? I'd prefer a recommendation of "defer and retry" rather than a fail open (DMARC none).

Mike

_______________________________________________
dmarc mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dmarc
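An added example of the combination rule argued over above (not code from the thread, the draft, or any real DMARC implementation): `dmarc_evaluate` returns `temperror` rather than `fail` whenever nothing passed but some mechanism hit a temporary error, and `disposition` shows the two choices Scott names, defer-and-retry versus treating it as DMARC none. The organizational-domain helper is a simplification assumed for the example; a real receiver would use the Public Suffix List.

```python
from dataclasses import dataclass
from typing import List

# Constructed illustration; org_domain() takes the last two labels only,
# a real receiver would consult the Public Suffix List for relaxed alignment.

@dataclass
class AuthResult:
    domain: str   # identifier the mechanism authenticated (SPF MAIL FROM or DKIM d=)
    result: str   # "pass", "fail", "softfail", "neutral", "none", "temperror", "permerror"

def org_domain(domain: str) -> str:
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def aligned(auth_domain: str, from_domain: str, strict: bool) -> bool:
    """Strict alignment needs an exact match; relaxed accepts the same organizational domain."""
    if strict:
        return auth_domain.lower() == from_domain.lower()
    return org_domain(auth_domain) == org_domain(from_domain)

def dmarc_evaluate(from_domain: str, spf: AuthResult, dkim: List[AuthResult],
                   aspf_strict: bool = False, adkim_strict: bool = False) -> str:
    """Combine SPF and DKIM into "pass", "fail" or "temperror".
    pass      - at least one mechanism passed for an aligned identifier
    temperror - nothing passed, but a mechanism hit a temporary error, so a
                permanent failure cannot be concluded and the advertised
                policy must not (yet) be applied
    fail      - every mechanism reached a definitive non-pass result
    """
    temp_seen = False
    for res, strict in [(spf, aspf_strict)] + [(d, adkim_strict) for d in dkim]:
        if res.result == "pass" and aligned(res.domain, from_domain, strict):
            return "pass"
        if res.result == "temperror":
            temp_seen = True
    return "temperror" if temp_seen else "fail"

def disposition(dmarc_result: str, policy: str, fail_open: bool = False) -> str:
    """Map the DMARC result to an SMTP-time action for the advertised p= policy.
    fail_open=False: temperror -> "defer" (4xx, so a legitimate sender retries).
    fail_open=True : temperror handled like DMARC none, i.e. accept and keep
                     running the receiver's other checks.
    """
    if dmarc_result == "pass":
        return "accept"
    if dmarc_result == "temperror":
        return "accept" if fail_open else "defer"
    return {"none": "accept", "quarantine": "quarantine", "reject": "reject"}[policy]
```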
