>DMARC leverages the Mail From identity, so I don't see how independent HELO
>checks can be relevant.
If you look at sections 2.3 and 2.4 of RFC 7208, a reasonable interpretation is that you check the HELO identity, and if you get a "definitive policy" result, you're done and return that to the caller.

So a message comes from host mail.provider.com with From: [email protected]. The recipient host does an SPF check on mail.provider.com, it passes, so SPF is done. DMARC sees that the SPF domain isn't aligned so it ignores it, and DMARC says it's unaligned, even though an SPF check of customer.com might have passed.

I can't say whether this is a bug in 7208 or a fundamental flaw in DMARC, but something is clearly wrong and this does not match what running code does. As things are written now, I don't see any way to demand that SPF look at the MAIL FROM if it likes the HELO.

Fix 1: file an erratum on 7208 to say to switch the order, do the MAIL FROM check first and only do the HELO check otherwise. This may match some running code; I haven't looked.

Fix 2: change 7208 to say that SPF can return multiple results. Ugh.

R's,
John

_______________________________________________
dmarc mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dmarc
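The ordering problem John describes, and the two proposed fixes, modelled as an added example (this is not code from the dmarc list, from RFC 7208, or from any SPF library). The SPF evaluator is a toy that understands only "v=spf1", "ip4:" terms with optional CIDR, and "all"; the DNS lookups are replaced by a constructed in-memory table; the sending host, addresses and domains (mail.provider.com, bob@customer.com, 192.0.2.10) are constructed; "definitive policy result" is taken, as an assumption, to mean pass or fail; and DMARC relaxed alignment is simplified to a domain-suffix comparison with no public suffix list.

```python
"""Toy model of SPF identity ordering (RFC 7208 2.3/2.4) feeding DMARC alignment.

Added example, not code from the dmarc list or any SPF implementation.
Assumptions: records, IPs and domains below are constructed; "definitive"
means pass or fail; relaxed alignment is a plain suffix match (no PSL).
"""
import ipaddress

# Constructed SPF records standing in for DNS TXT lookups.
SPF_RECORDS = {
    "mail.provider.com": "v=spf1 ip4:192.0.2.10 -all",
    "customer.com": "v=spf1 ip4:192.0.2.0/24 -all",
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
DEFINITIVE = {"pass", "fail"}  # assumption: what counts as "definitive policy"


def check_host(ip, domain):
    """Minimal check_host(): evaluate domain's SPF record for the client ip."""
    record = SPF_RECORDS.get(domain)
    if record is None:
        return "none"
    terms = record.split()
    if terms[0] != "v=spf1":
        return "none"
    addr = ipaddress.ip_address(ip)
    for term in terms[1:]:
        qual = "+"
        if term[0] in QUALIFIERS:
            qual, term = term[0], term[1:]
        if term == "all":
            return QUALIFIERS[qual]
        if term.startswith("ip4:"):
            if addr in ipaddress.ip_network(term[4:], strict=False):
                return QUALIFIERS[qual]
    return "neutral"  # ran off the end of the record without a match


def _mailfrom_domain(mail_from, helo):
    # Empty MAIL FROM (a bounce) is checked as postmaster@<HELO>, per 7208 2.4.
    return mail_from.rsplit("@", 1)[-1] if mail_from else helo


def spf_helo_first(ip, helo, mail_from):
    """Order as John reads 7208: HELO first; stop if the result is definitive."""
    r = check_host(ip, helo)
    if r in DEFINITIVE:
        return [("helo", helo, r)]
    domain = _mailfrom_domain(mail_from, helo)
    return [("mailfrom", domain, check_host(ip, domain))]


def spf_mailfrom_first(ip, helo, mail_from):
    """Fix 1: MAIL FROM first; fall back to HELO only if not definitive."""
    domain = _mailfrom_domain(mail_from, helo)
    r = check_host(ip, domain)
    if r in DEFINITIVE:
        return [("mailfrom", domain, r)]
    return [("helo", helo, check_host(ip, helo))]


def spf_both(ip, helo, mail_from):
    """Fix 2: evaluate both identities and hand every result to the caller."""
    domain = _mailfrom_domain(mail_from, helo)
    return [("helo", helo, check_host(ip, helo)),
            ("mailfrom", domain, check_host(ip, domain))]


def aligned(from_domain, auth_domain):
    """Simplified relaxed alignment: equal, or one is a subdomain of the other."""
    return (auth_domain == from_domain
            or auth_domain.endswith("." + from_domain)
            or from_domain.endswith("." + auth_domain))


def dmarc_spf(from_domain, spf_results):
    """DMARC's SPF input: any pass whose domain aligns with the From: domain."""
    return any(r == "pass" and aligned(from_domain, d) for _, d, r in spf_results)


if __name__ == "__main__":
    ip, helo = "192.0.2.10", "mail.provider.com"
    mail_from, hdr_from = "bob@customer.com", "customer.com"
    for name, fn in (("HELO first", spf_helo_first),
                     ("MAIL FROM first", spf_mailfrom_first),
                     ("both results", spf_both)):
        res = fn(ip, helo, mail_from)
        print(f"{name:16} {res} -> DMARC-aligned SPF pass: {dmarc_spf(hdr_from, res)}")
```

With the constructed records, both mail.provider.com and customer.com authorize 192.0.2.10, yet the HELO-first evaluator returns only the provider's pass, and DMARC discards it as unaligned; the MAIL FROM-first and multiple-result variants both surface the customer.com pass that DMARC needs.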
