> On 29 Dec 2020, at 17:48, Michael Thomas <[email protected]> wrote:
>
>
>
> On 12/29/20 9:18 AM, Todd Herr wrote:
>>
>> The intent of the p= value is for the domain owner to communicate a request
>> for message handling by the entity evaluation the DMARC results; a policy of
>> p=none means "please treat this message the same as you would have if you
>> hadn't performed a DMARC check on it, regardless of the result obtained from
>> the check".
> Right, but that is not what Google at least is doing in their Auth-res. It's
> marking it as DMARC=fail. I think the issue is with rfc 7601 because all I
> see in it are some DMARC codepoints for IANA unless I missed something. But
> it could also be considered a fault of DMARC if there isn't normative
> language on what constitutes pass/neutral or missing/fail. Of course this can
> just be a Google bug, but it looks more likely underspecification to me.
>
RFC 7489 specifically says that if the domains don’t align then the mail fails
DMARC.
5. Conduct Identifier Alignment checks. With authentication checks
and policy discovery performed, the Mail Receiver checks to see
if Authenticated Identifiers fall into alignment as described in
Section 3 <https://tools.ietf.org/html/rfc7489#section-3>. If one or
more of the Authenticated Identifiers align
with the RFC5322 <https://tools.ietf.org/html/rfc5322>.From domain, the
message is considered to pass
the DMARC mechanism check. All other conditions (authentication
failures, identifier mismatches) are considered to be DMARC
mechanism check failures.
> Maybe Murray can chime in here.
>
>> My feeling is that failure should be reserved only in the case where both
>> SPF and DKIM fail and that the p= > none. What I'd *really* like from a UI
>> standpoint is the p= value passed along as well so I can decide to decorate
>> reject differently from quarantine and none.
>>
>> A typical domain owner with a non-trivial email infrastructure and an
>> eventual goal of getting to p=reject will start with p=none, and will
>> consume aggregate and failure reports, and will use the data in those
>> reports to address any shortcomings in their authentication practices.
>> Aggregate reports containing DMARC failure verdicts will be quite useful to
>> the domain owner, to ferret out those cases where Mike in Marketing has
>> contracted with a third party to send mail on behalf of the domain, or where
>> Ellen the Engineer has a server running off the side of her desk, sending
>> reports to $ARBITRARY_MAILBOXES and ensure that such mailstreams are
>> properly authenticated before updating the DMARC policy to p=quarantine or
>> p=reject. It's not uncommon for some domains to be at p=none for months,
>> perhaps twelve or more, depending on their mailing practices and cadences
>> before making the switch. Domain owners won't move to p=reject until they're
>> sure that enforcement of such a policy won't have a negative impact on their
>> mail flow.
>>
> In the mean time, it would be nice for MUA's to be able to do their part with
> annotating mail. DMARC=fail is really unhelpful with p=none.
>
But, the mail fails DMARC because the domains don’t align.
laura
--
Having an Email Crisis? We can help! 800 823-9674
Laura Atkins
Word to the Wise
[email protected]
(650) 437-0741
Email Delivery Blog: https://wordtothewise.com/blog
_______________________________________________
dmarc mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dmarc
