----- Original Message -----
> From: "Kurt Andersen" <[email protected]>
> To: "Scott Kitterman" <[email protected]>
> Cc: [email protected]
> Sent: Thursday, January 22, 2015 5:59:42 PM
> Subject: Re: [dmarc-ietf] questions on the spec, was ... and two more tiny nits, while I'm at it
>
> On Thu, Jan 22, 2015 at 5:03 PM, Scott Kitterman <[email protected]> wrote:
>
> > On January 22, 2015 6:35:59 PM EST, Kurt Andersen <[email protected]> wrote:
> >
> > > On Thu, Jan 22, 2015 at 3:30 PM, Scott Kitterman <[email protected]> wrote:
> > >
> > > > If I were configuring an SPF verifier to provide an input to DMARC
> > > > processing, then I would probably configure it not to reject based on
> > > > SPF fail. Then the problem doesn't arise.
> > >
> > > Are you suggesting that the DMARC spec should say that people SHOULD
> > > configure (some would say usurp) SPF in such a way? I seem to recall some
> > > contentious discussions about such usurpation during SPFbis (though I could
> > > be conflating arguments from another context).
> >
> > Of course. Section 6.7 discusses this in general terms. If you want to only
> > use SPF as an input to DMARC, then it wouldn't make sense to set up your
> > system to reject mail just based on SPF.
> >
> > Specifying receiver policy was somewhat contentious in SPFbis. In the end,
> > RFC7208 specifies almost, if not, exactly the same amount of receiver policy
> > as did RFC4408 (almost none).
>
> I think that the crux of the issue is this:
> 1) The DMARC spec was written with 4408 as context. That remains true today,
> except that in the meantime 7208 was finalized (thanks to SPFbis) and Murray
> was seeking to keep up with the times by following the "7208 obsoletes 4408"
> statement.
> 2) The key problem is that 7208 changes the checking precedence. Here's what
> the two specs actually say:
> 4408, section 2.2: "SPF clients MUST check the "MAIL FROM" identity."
> 7208, section 2.4: "SPF verifiers MUST check the "MAIL FROM" identity if a
> "HELO" check either has not been performed or has not reached a definitive
> policy. . ."
I think this text in 7208 is wrong; if you consider the serialization of the checks implicit in 4408, it should have been written: "SPF verifiers MUST check the "MAIL FROM" identity if a "HELO" check either has not been performed or has not reached a definitive fail result that led to the application of the -all policy. . ." But I think the fix is a bit more complex to be elegant.
_______________________________________________
dmarc mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dmarc
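As an added illustration (this code is not from the thread, from any of its participants, or from any RFC), the following Python models the three check-ordering rules the message compares: the quoted RFC 4408 sentence, the quoted RFC 7208 sentence, and the wording proposed in the reply. It then shows which MAIL FROM result a DMARC evaluator would receive under each rule, and encodes Scott's suggestion that a verifier used only as a DMARC input should not reject on its own SPF fail. Assumptions: "reaching a definitive policy" is taken to mean a HELO result of pass, fail or softfail; the `hard_fail_policy` flag is a hypothetical marker for a HELO fail produced by a record ending in "-all"; and the DMARC side is modelled as needing the MAIL FROM result, since DMARC's SPF alignment is on the MAIL FROM domain.

```python
"""Model of the SPF check-ordering rules discussed in the thread.

Added example, not taken from the mailing-list thread or any RFC text.
"""
from dataclasses import dataclass
from typing import Callable, Optional

# SPF result codes as they appear in Received-SPF headers.
PASS, FAIL, SOFTFAIL, NEUTRAL, NONE = "pass", "fail", "softfail", "neutral", "none"

# Assumption for this model: a HELO check "reaches a definitive policy" when it
# yields pass, fail or softfail; none/neutral/temperror/permerror do not.
DEFINITIVE = {PASS, FAIL, SOFTFAIL}


@dataclass(frozen=True)
class HeloCheck:
    """Outcome of the HELO identity check, if one was performed."""
    performed: bool
    result: Optional[str] = None
    # Hypothetical flag: True when a "-all" policy is what produced the fail.
    hard_fail_policy: bool = False


def mail_from_required_4408(helo: HeloCheck) -> bool:
    """RFC 4408 s2.2 as quoted: the MAIL FROM identity MUST always be checked."""
    return True


def mail_from_required_7208(helo: HeloCheck) -> bool:
    """RFC 7208 s2.4 as quoted: MAIL FROM MUST be checked only when the HELO
    check was not performed or did not reach a definitive policy."""
    return (not helo.performed) or (helo.result not in DEFINITIVE)


def mail_from_required_proposed(helo: HeloCheck) -> bool:
    """Wording proposed in the reply: skip MAIL FROM only when the HELO check
    reached a definitive fail that came from a "-all" policy."""
    skip = helo.performed and helo.result == FAIL and helo.hard_fail_policy
    return not skip


RULES = {
    "4408": mail_from_required_4408,
    "7208": mail_from_required_7208,
    "proposed": mail_from_required_proposed,
}


def dmarc_spf_input(rule: str, helo: HeloCheck,
                    check_mail_from: Callable[[], str]) -> Optional[str]:
    """Run the verifier under `rule` and return the MAIL FROM result handed to
    the DMARC evaluator, or None if the verifier never evaluated MAIL FROM."""
    if RULES[rule](helo):
        return check_mail_from()
    return None


def receiver_verdict(spf_result: Optional[str], spf_feeds_dmarc_only: bool) -> str:
    """Scott's operational point: when SPF exists only as an input to DMARC,
    an SPF fail on its own should not reject; the result goes to DMARC."""
    if spf_result == FAIL and not spf_feeds_dmarc_only:
        return "reject"
    return "continue-to-dmarc"


if __name__ == "__main__":
    # Constructed scenario 1: HELO identity passes, MAIL FROM identity fails.
    helo_ok = HeloCheck(performed=True, result=PASS)
    for rule in RULES:
        print("HELO pass / MAIL FROM fail:", rule, dmarc_spf_input(rule, helo_ok, lambda: FAIL))
    # Constructed scenario 2: HELO identity fails against a "-all" record.
    helo_bad = HeloCheck(performed=True, result=FAIL, hard_fail_policy=True)
    for rule in RULES:
        print("HELO -all fail:", rule, dmarc_spf_input(rule, helo_bad, lambda: PASS))
    print(receiver_verdict(FAIL, spf_feeds_dmarc_only=True))
```

In the first constructed scenario the 7208 wording, read as quoted, lets the verifier stop after a definitive HELO pass, so DMARC never sees the MAIL FROM fail; the 4408 wording and the proposed wording both still evaluate MAIL FROM. In the second scenario all three agree on the outcome DMARC cares about, because the proposed wording only skips MAIL FROM after a "-all" HELO fail.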
