On Fri 02/Aug/2019 08:18:20 +0200 Murray S. Kucherawy wrote:

> On Thu, Aug 1, 2019 at 9:32 AM Alessandro Vesely <[email protected]> wrote:
> 
>> Let me narrate a use case.  Courier-MTA can be configured to reject on
>> SPF -all early in the SMTP dialogue, except if whitelisted.  It writes SPF
>> as well as dnswl results in the header, but does not interpret the
>> policy.ip. Downstream filters can interpret the field based on the
>> dns.zone.  I use that feature to pass messages tagged "Heuristic" by the
>> antivirus filter if policy.ip has a positive trustworthiness.
> 
> I think this is a bit unusual, but RFC8601 doesn't preclude it.  Seems to me
> you're effectively throwing away the result, "pass" or "fail", if downstream
> agents actually know more about the applied algorithm than the border MTA
> adding it.

In the case at hand, in fact, failed lookups are never reported.  If no dnswl
query is configured, it makes no sense to configure which trustworthiness value
is needed to counterbalance which negative heuristics.  The "pass" just
confirms its mere presence.

In general, however, a filter may want to distinguish dnswl!=pass from no dnswl
query at all.  A negative query (NXDOMAIN or NO DATA) would be dnswl=none.  No
"fail" is provided for in the I-D.


Best
Ale
-- 
_______________________________________________
dmarc mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dmarc
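
The downstream check discussed in this message, as an added example that is not part of the original e-mail and is not Courier-MTA code: it reads an unfolded Authentication-Results field value, tells dnswl=pass apart from dnswl=none and from no dnswl query at all, and interprets policy.ip only for a dns.zone it knows. The authserv-id, zone name, sample headers and the rule that the last octet of policy.ip carries trustworthiness are assumptions made for the illustration.

```python
import ipaddress
import re

TRUSTED_ID = "mx.example.org"            # assumption: our border MTA's authserv-id
KNOWN_ZONES = {"list.dnswl.example": 3}  # assumption: zone -> octet holding trust

def dnswl_state(auth_results, trusted_id=TRUSTED_ID):
    """Return (state, props); state is the dnswl result, 'absent' when no
    dnswl query was reported, or 'untrusted' for a foreign authserv-id."""
    text = re.sub(r'"(?:[^"\\]|\\.)*"', '""', auth_results)  # blank quoted values
    text = re.sub(r"\([^()]*\)", " ", text)                  # drop comments
    clauses = text.split(";")
    head = clauses[0].split()
    if not head or head[0].lower() != trusted_id:
        return "untrusted", {}            # not written by our border MTA
    for clause in clauses[1:]:
        tokens = clause.split()
        if tokens and tokens[0].lower().startswith("dnswl="):
            result = tokens[0].split("=", 1)[1].lower()
            props = dict(t.split("=", 1) for t in tokens[1:] if "=" in t)
            return result, props
    return "absent", {}

def trust_level(props):
    """Trustworthiness from policy.ip, or 0 if the zone is unknown to us."""
    zone = props.get("dns.zone", "").lower().rstrip(".")
    octet = KNOWN_ZONES.get(zone)
    if octet is None:
        return 0                          # cannot interpret another zone's bits
    try:
        return ipaddress.IPv4Address(props.get("policy.ip", "")).packed[octet]
    except ValueError:
        return 0                          # missing, quoted or malformed value

def accept_heuristic(auth_results):
    """Let a 'Heuristic'-tagged message through only on positive trust."""
    state, props = dnswl_state(auth_results)
    return state == "pass" and trust_level(props) > 0

# Constructed sample field values (not taken from real traffic).
H_PASS = ("mx.example.org; spf=fail smtp.mailfrom=sender.example; "
          "dnswl=pass dns.zone=list.dnswl.example policy.ip=127.0.10.2")
H_ZERO = H_PASS.replace("127.0.10.2", "127.0.10.0")
H_NONE = "mx.example.org; dnswl=none dns.zone=list.dnswl.example"
H_ABSENT = "mx.example.org; spf=pass smtp.mailfrom=sender.example"
H_FORGED = H_PASS.replace("mx.example.org", "other.example")
```

The authserv-id comparison matters because a sender can insert its own Authentication-Results field claiming dnswl=pass; only the field written by the local border MTA should reach this check.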
