On Tuesday, January 26, 2021 11:47:51 AM EST Alessandro Vesely wrote:
> On Tue 26/Jan/2021 14:14:45 +0100 Scott Kitterman wrote:
> > On Tuesday, January 26, 2021 6:54:56 AM EST Alessandro Vesely wrote:
> >> On Mon 25/Jan/2021 22:35:09 +0100 Scott Kitterman wrote:
> >>> On Monday, January 25, 2021 4:04:33 PM EST Todd Herr wrote:
> >>>> May I propose that the section labeled "SPF-Authenticated Identifiers"
> >>>> be rewritten as follows:
> >>>>
> >>>> [...]
> >>>>
> >>>> The reader should note that SPF alignment checks in DMARC rely
> >>>> solely on the RFC5321.MailFrom domain. This differs from section 2.3 of
> >>>> [@!RFC7208], which recommends that SPF checks be done on not only
> >>>> the "MAIL FROM" but also on a separate check of the "HELO" identity.
> >>>
> >>> I think this is fine, but there is a subtlety to be aware of.
> >>>
> >>> If you look at RFC 7208 Section 2.4, when Mail From is null,
> >>> postmaster@HELO is the mail from for SPF purposes. DMARC really can't
> >>> change that.
> >>>
> >>> As a result, there are cases where Mail From results actually are
> >>> derived from HELO and it's unavoidable.
> >>
> >> I doubt that SPF filters report envelope-from=postmaster@HELO; more
> >> likely they write helo=HELO. In that case, the paragraph quoted above is
> >> deceptive.
> >>
> >>> I believe the proposed text is clear enough about not using separate
> >>> HELO identity results and that's appropriate.
> >>
> >> My filter collects SPF results recorded from an upstream SPF filter. It
> >> writes Received-SPF: lines for each identity. For NDNs, it writes a
> >> Received-SPF: for the HELO identity only. Am I allowed to use that
> >> result for DMARC?
> >
> > No. You should only use Mail From results.
>
> So NDNs having only an aligned HELO will never pass DMARC?
>
> And what is a <scope>helo</scope> element in aggregate reports provided for?
>
> The spec says:
>
> [SPF] can authenticate either the domain that appears in the
> RFC5321.MailFrom (MAIL FROM) portion of [SMTP] or the RFC5321.EHLO/
> HELO domain, or both.
>
> And then:
>
> In relaxed mode, the [SPF]-authenticated domain and RFC5322.From
> domain must have the same Organizational Domain. In strict mode,
> only an exact DNS domain match is considered to produce Identifier
> Alignment.
>
> So, consider the following message without DKIM signatures:
>
> HELO example.org
> MAIL FROM:<[email protected]>
>
> Received-SPF: pass (domain example.org
> designates 192.0.2.1 as permitted sender)
> identity=helo; helo=example.org;
> Received-SPF: fail (domain of [email protected]
> denies 192.0.2.1 as permitted sender)
> identity=mailfrom; envelope-from="[email protected]";
> Subject: Not using a mail client for this example
> From: [email protected]
>
> Does it pass DMARC?

No.

Scott K

_______________________________________________
dmarc mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dmarc
