I installed this handy dandy t-bird dkim verifier extension which also allows you to just use the upstream auth-res. After fixing a bug in it, I could see that it lists DMARC as a fail when DKIM failed, but SPF passed. The _dmarc record has p=none, so it seems really odd to call that a DMARC failure. Shouldn't it just be using the appropriate p= tag instead of "fail"? Is this left over from when Auth-res was mainly for dkim?
Aside to John Levine: you had two messages to nanog back to back, one verified and one failed DKIM. I doesn't seem like nanog is doing any rewriting or anything so that is very strange. Maybe they are inadvertently rewriting in some situations that aren't obvious?
Mike _______________________________________________ dmarc mailing list [email protected] https://www.ietf.org/mailman/listinfo/dmarc
