On Wed, Dec 15, 2021 at 9:58 PM Douglas Foster < [email protected]> wrote:
> Yes, this is important stuff.
>
> This is one of my problem scenarios:
>
> A record arrives at the first hop and obtains DMARC PASS, based on SPF
> and/or DKIM interpreted by a DMARC policy. Based on DMARC PASS, the
> RFC5322.From address is confidently judged to be "Honestly identified".
> DMARC checks SPF and DKIM, but not MX or A/AAAA.
>
> But then it is forwarded and loses its credentials during forwarding.
>
> On reception, because of DMARC FAIL, it is tested against NP. NP checks
> MX and A/AAAA but does not check SPF or DKIM. The message fails this test
> and is confidently judged to be "Fraudulently identified".
>

The nearest thing I can imagine that would cause this is a From of
"[email protected]" when that domain advertises a public key that verifies
the message, so it has a TXT at "selector._domainkey.example.com", but has
no MX, A, or AAAA for "example.com". On relay, a mutation causes the
signature validation to fail at the final recipient.

Are you seeing cases like this?

-MSK
_______________________________________________ dmarc mailing list [email protected] https://www.ietf.org/mailman/listinfo/dmarc
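The two-hop scenario discussed in the thread, modelled as an added example (this is not code from the dmarc list, any IETF draft, or either author). It assumes a constructed in-memory DNS snapshot in place of live lookups, a single selector name "s1", the domains example.com and example.net, and a deliberately simplified DMARC evaluation (strict alignment only: a verifying DKIM d= or an SPF-passing MAIL FROM equal to the RFC5322.From domain). The existence test is the one the thread describes, any MX, A or AAAA record at the From domain, so a domain that publishes only a DKIM key is treated as non-existent after forwarding strips its authentication.

```python
"""Model of the DMARC PASS -> forward -> np FAIL divergence from the thread.

Added example; not the project's or the list's code. DNS answers come from a
constructed snapshot (ZONE) so the script runs offline.
"""
from dataclasses import dataclass
from typing import Optional, Tuple

# Constructed DNS snapshot (assumption): only the record types consulted below.
ZONE = {
    # example.com publishes a DKIM key and a DMARC record but has no MX, A or
    # AAAA at the apex, which is the shape MSK describes.
    ("s1._domainkey.example.com", "TXT"): ["v=DKIM1; k=rsa; p=MIIB..."],
    ("_dmarc.example.com", "TXT"): ["v=DMARC1; p=reject; np=reject"],
    # example.net is an ordinary domain with mail and web records.
    ("example.net", "MX"): ["10 mail.example.net"],
    ("example.net", "A"): ["192.0.2.10"],
    ("s1._domainkey.example.net", "TXT"): ["v=DKIM1; k=rsa; p=MIIB..."],
    ("_dmarc.example.net", "TXT"): ["v=DMARC1; p=reject; np=reject"],
}


def lookup(name: str, rrtype: str) -> list:
    """Stand-in for a resolver query against the constructed snapshot."""
    return ZONE.get((name.lower(), rrtype), [])


@dataclass
class Message:
    from_domain: str                 # RFC5322.From domain
    dkim_domain: Optional[str]       # d= of a signature that verifies, else None
    spf_domain: Optional[str]        # MAIL FROM domain that passed SPF, else None


def dmarc_result(msg: Message) -> str:
    """Simplified DMARC: pass if an aligned DKIM or SPF identifier verified."""
    fd = msg.from_domain.lower()
    dkim_ok = msg.dkim_domain is not None and msg.dkim_domain.lower() == fd
    spf_ok = msg.spf_domain is not None and msg.spf_domain.lower() == fd
    return "pass" if (dkim_ok or spf_ok) else "fail"


def domain_exists(domain: str) -> bool:
    """Existence test as the thread describes it: any MX, A or AAAA record.

    Note that a DKIM key at selector._domainkey.<domain> does not count, which
    is exactly why a key-only domain fails this test.
    """
    return any(lookup(domain, t) for t in ("MX", "A", "AAAA"))


def forward(msg: Message, breaks_dkim: bool = True) -> Message:
    """Model a forwarding hop.

    The forwarder rewrites MAIL FROM, so SPF can no longer align with the From
    domain; a body or header mutation (breaks_dkim) invalidates the signature.
    """
    return Message(
        from_domain=msg.from_domain,
        dkim_domain=None if breaks_dkim else msg.dkim_domain,
        spf_domain=None,
    )


def evaluate(msg: Message) -> Tuple[str, str]:
    """Return (dmarc_result, verdict) as the receiving hop in the thread would."""
    result = dmarc_result(msg)
    if result == "pass":
        return result, "honestly identified"
    if not domain_exists(msg.from_domain):
        return result, "fraudulently identified (np: non-existent domain)"
    return result, "unauthenticated (apply p= policy)"


def run_scenario(from_domain: str) -> Tuple[Tuple[str, str], Tuple[str, str]]:
    """First-hop verdict and final-hop verdict after a DKIM-breaking forward."""
    original = Message(from_domain, dkim_domain=from_domain, spf_domain=None)
    return evaluate(original), evaluate(forward(original))


if __name__ == "__main__":
    for d in ("example.com", "example.net"):
        first, final = run_scenario(d)
        print(f"{d}: first hop {first}, after forwarding {final}")
```

The contrast between the two domains is the point: both lose DMARC on the forwarded hop, but only the key-only domain flips from "honestly identified" to "fraudulently identified", because the np existence test never looks at the DKIM key that produced the original pass. A receiver that wants to avoid that flip has to treat a published DKIM key (or a published DMARC record) as evidence of existence, or else not apply np to a domain it has previously seen authenticate.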
