On Sun, 2019-08-04 at 10:10 +0000, Дилян Палаузов wrote:
> > The mailbox provider has no way of knowing that you sent the mail. If it
> > was authenticated as coming from you this wouldn't be an issue.
>
> The receiving server knows which IP address sent the mail and it knows to
> which IP addresses set the failure report will go. If there is a match in
> the IP addresses, then the receiving server knows that the one who will get
> the report is also the one who has anyway access to the message.

Nope. This does not work for redirected messages.

The assumption is that no host (sending spam) is going to forge headers in order to entitle another host to receive failure reports.

A mail receiving host can obtain the IP addresses that receive emails for a domain (@a.int). If a message, failing DMARC validation, is either sent from an IP address that receives emails for a domain (MX a.int), or has such an address in its Received: headers, then the receiving site shall not have concerns that the one who would receive the failure report would have anyway access to the message in question.

If the above validation of the IP address fails, but the DKIM-Signature contains "ruf=y", this means that the receiving site can assume that the writer of the message is willing that a failure report is sent for the message and the receiving site shall not have concern about sending reports.

As with the b= tag, when calculating or verifying the signature, the value of the "ruf=" tag (signature value) of that DKIM-Signature header field MUST be treated as though it were an empty string. Or NOT?

_______________________________________________
dmarc mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dmarc
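
The decision procedure proposed in the message above, as an added sketch that is not part of the original post or of any DMARC or DKIM specification. The function names and the sample message are constructed, the MX addresses are passed in by the caller (a real receiver would resolve them from DNS), and `ruf=` is the tag proposed in the post, not a registered DKIM tag.

```python
import email
import ipaddress
import re

# Constructed sample (not from the thread): a DMARC-failing message relayed via 192.0.2.25.
SAMPLE = b"""\
Received: from mx.a.int (mx.a.int [192.0.2.25])
\tby mx.b.example with ESMTP; Sun, 4 Aug 2019 10:00:00 +0000
Received: from client (unknown [198.51.100.7])
\tby mx.a.int with ESMTP; Sun, 4 Aug 2019 09:59:58 +0000
DKIM-Signature: v=1; a=rsa-sha256; d=a.int; s=sel; ruf=y;
\th=from:subject; bh=AAAA; b=BBBB
From: user@a.int
"""

IP_IN_BRACKETS = re.compile(r"\[(?:IPv6:)?([0-9A-Fa-f:.]+)\]")

def received_ips(msg):
    """Collect bracketed IP literals from every Received: header."""
    ips = set()
    for value in msg.get_all("Received", []):
        for candidate in IP_IN_BRACKETS.findall(str(value)):
            try:
                ips.add(ipaddress.ip_address(candidate))
            except ValueError:
                pass  # bracketed text that is not an IP address
    return ips

def dkim_tags(value):
    """Parse a DKIM tag=value list; folding whitespace in values is removed."""
    tags = {}
    for part in str(value).split(";"):
        name, sep, val = part.partition("=")
        if sep:
            tags[name.strip()] = "".join(val.split())
    return tags

def report_decision(raw, peer_ip, mx_ips):
    """Return which rule from the post, if any, permits a failure report."""
    msg = email.message_from_bytes(raw)
    mx = {ipaddress.ip_address(ip) for ip in mx_ips}
    if ipaddress.ip_address(peer_ip) in mx:
        return "peer-is-mx"
    if received_ips(msg) & mx:  # Received: is unauthenticated; the post assumes it is not forged
        return "received-has-mx"
    # "ruf=" is the post's proposed tag; this sketch does not verify the signature itself.
    if any(dkim_tags(s).get("ruf") == "y" for s in msg.get_all("DKIM-Signature", [])):
        return "ruf-tag"
    return "withhold"
```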
