On Thursday, January 22, 2015 17:59:42 Kurt Andersen wrote:
> On Thu, Jan 22, 2015 at 5:03 PM, Scott Kitterman <[email protected]>
> wrote:
> > On January 22, 2015 6:35:59 PM EST, Kurt Andersen <[email protected]>
> > wrote:
> > >On Thu, Jan 22, 2015 at 3:30 PM, Scott Kitterman <[email protected]>
> > >wrote:
> > >> If I were configuring an SPF verifier to provide an input to DMARC
> > >> processing, then I would probably configure it not to reject based on
> > >> SPF fail. Then the problem doesn't arise.
> > >
> > >Are you suggesting that the DMARC spec should say that people SHOULD
> > >configure (some would say usurp) SPF in such a way? I seem to recall
> > >some contentious discussions about such usurpation during SPFbis
> > >(though I could be conflating arguments from another context).
> >
> > Of course. Section 6.7 discusses this in general terms. If you want to
> > only use SPF as an input to DMARC, then it wouldn't make sense to set up
> > your system to reject mail just based on SPF.
> >
> > Specifying receiver policy was somewhat contentious in SPFbis. In the
> > end, RFC7208 specifies almost, if not, exactly the same amount of receiver
> > policy as did RFC4408 (almost none).
>
> I think that the crux of the issue is this:
> 1) The DMARC spec was written with 4408 as context. That remains true
> today, except that in the meantime 7208 was finalized (thanks to SPFbis)
> and Murray was seeking to keep up with the times by following the "7208
> obsoletes 4408" statement.
> 2) The key problem is that 7208 changes the checking precedence. Here's
> what the two specs actually say:
> 4408, section 2.2: "SPF clients MUST check the "MAIL FROM" identity."
> 7208, section 2.4: "SPF verifiers MUST check the "MAIL FROM" identity if a
> "HELO" check either has not been performed or has not reached a definitive
> policy. . ."
>
> My recommendation is to take -12 and amend it to change the SPF reference
> back to 4408 and let the WG wrestle through how to handle the change that
> was introduced in 7208.

If you've already rejected the message (e.g. HELO check reached a definitive result) the DMARC doesn't care. There's no relevant change between 4408 and 7208.

Scott K
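
Added example, not part of the message above or of either RFC: a small model of the two sentences quoted from RFC 4408 section 2.2 and RFC 7208 section 2.4, for a hypothetical verifier that performs only the checks each sentence makes mandatory. The function names, the `reject_on_spf_fail` switch and the reading of "definitive" as pass or fail are assumptions made for illustration.

```python
# Added illustration. All names here are hypothetical; this is not a real SPF library.
RESULTS = ("none", "neutral", "pass", "fail", "softfail", "temperror", "permerror")

# Assumption: a "definitive" HELO outcome is read here as pass or fail.
DEFINITIVE = {"pass", "fail"}


def mailfrom_check_required(spec, helo_result):
    """Is the MAIL FROM check mandatory? helo_result is None if HELO was not checked."""
    if spec == "4408":   # quoted section 2.2: MUST check the MAIL FROM identity
        return True
    if spec == "7208":   # quoted section 2.4: MUST only if HELO absent or not definitive
        return helo_result is None or helo_result not in DEFINITIVE
    raise ValueError("unknown spec: %r" % spec)


def evaluate(spec, helo_result, mailfrom_result, reject_on_spf_fail):
    """Return (disposition, spf_input_for_dmarc) for a verifier doing only mandatory checks."""
    if reject_on_spf_fail and helo_result == "fail":
        return ("rejected-at-helo", None)        # message never reaches DMARC
    if not mailfrom_check_required(spec, helo_result):
        return ("accepted", None)                # accepted, but no MAIL FROM result exists
    if reject_on_spf_fail and mailfrom_result == "fail":
        return ("rejected-at-mailfrom", None)    # message never reaches DMARC
    return ("accepted", mailfrom_result)         # DMARC receives the MAIL FROM result


def gaps(spec, reject_on_spf_fail):
    """HELO outcomes where an accepted message reaches DMARC without a MAIL FROM result."""
    found = set()
    for helo in (None,) + RESULTS:
        disposition, spf_input = evaluate(spec, helo, "pass", reject_on_spf_fail)
        if disposition == "accepted" and spf_input is None:
            found.add(helo)
    return found


if __name__ == "__main__":
    for spec in ("4408", "7208"):
        for reject in (True, False):
            print(spec, "reject_on_spf_fail=%s" % reject, "gaps:", sorted(gaps(spec, reject)))
```

A verifier that always evaluates MAIL FROM regardless of the HELO outcome has no gaps under either rule; the model only covers the minimal behaviour each quoted sentence requires.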
