Hi,
If I understand the way the DMARC algorithm works, the following procedure occurs. In the condition we purposely specified at least one signature, because some systems provide more than one signature, and from the implementation point of view the effort is then to evaluate at least one of them. Could you correct me, please?

if ((SPF evaluation = pass) and (SPF alignment = true))
   or
   ((at least one DKIM signature evaluation = pass) and (the same DKIM signature alignment = true))
then
   DMARC = pass
   if (RUA not empty)
   then
      add information for analytic report
   fi
else
   DMARC = fail
   if (RUA not empty)
   then
      add information for analytic report
   fi
   if (RUF not empty and FO defined)
   then
      generate forensic report based on FO settings
   fi
fi

For me, the following approach is problematic. DMARC is able to evaluate the status in the case of a defined SPF or DKIM. If the sender wants to use only DKIM, there is the following risk. The possible attacker creates a fake email without a DKIM signature, which is subsequently impossible to evaluate. DMARC requires SPF or DKIM; if neither is defined, DMARC is in a "non-compliant" state, in other words an undefined status. Do I understand the above well? Alternatively, is someone able to direct me to the part describing the way DMARC behaves under these conditions?

From my point of view, I would argue for the option where the owner defines the policy, i.e. the proposed policy "SPF&&DKIM", "SPF||DKIM", "SPF", "DKIM", which would be part of the DMARC policy. This option has been discussed here, but unfortunately I do not know if it will be considered for the future. For me personally, this would be an interesting solution to this problem.

Regards

Jan

_______________________________________________
dmarc mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dmarc
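The decision procedure sketched in the message above, as an added example that is not part of the original post or of any DMARC implementation. It follows RFC 7489's pass rule (aligned SPF pass, or at least one DKIM signature that both passes and is aligned) with relaxed/strict alignment from the aspf/adkim tags; the suffix set standing in for the Public Suffix List, the record and all domain names are constructed.

```python
"""DMARC pass/fail evaluation as written in the message above (added example,
not code from the list post). DMARC passes when SPF passed with an aligned
domain, or when at least one DKIM signature passed and that same signature's
d= domain is aligned (RFC 7489, section 3.1). aspf/adkim select strict ('s',
exact match) or relaxed ('r', organizational-domain match) alignment."""
from dataclasses import dataclass, field

# Constructed stand-in for the Public Suffix List that real verifiers consult.
PUBLIC_SUFFIXES = {"com", "net", "org", "co.uk"}


def organizational_domain(domain: str) -> str:
    """Public suffix plus one label, e.g. mail.example.com -> example.com."""
    labels = domain.lower().rstrip(".").split(".")
    for i in range(len(labels) - 1):
        if ".".join(labels[i + 1:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[i:])
    return domain.lower()


def aligned(identifier: str, from_domain: str, mode: str) -> bool:
    """Strict mode needs an exact match; relaxed compares organizational domains."""
    if mode == "s":
        return identifier.lower() == from_domain.lower()
    return organizational_domain(identifier) == organizational_domain(from_domain)


@dataclass
class AuthResults:
    from_domain: str   # RFC5322.From domain, whose DMARC record is consulted
    spf_result: str    # "pass", "fail", "none", ...
    spf_domain: str    # RFC5321.MailFrom domain that SPF was checked against
    dkim: list = field(default_factory=list)  # (result, d= domain) per signature


def dmarc_evaluate(auth: AuthResults, record: dict) -> dict:
    """Return the DMARC result, the disposition from p=, and which reports apply."""
    spf_ok = (auth.spf_result == "pass"
              and aligned(auth.spf_domain, auth.from_domain, record.get("aspf", "r")))
    # "At least one" DKIM signature: the same signature must both pass and align.
    dkim_ok = any(res == "pass" and aligned(d, auth.from_domain, record.get("adkim", "r"))
                  for res, d in auth.dkim)
    if spf_ok or dkim_ok:
        return {"dmarc": "pass", "disposition": "none", "rua": bool(record.get("rua"))}
    # No DKIM signature at all means no passing aligned signature, so a message
    # with unaligned SPF ends up here and the p= disposition is applied.
    return {"dmarc": "fail", "disposition": record.get("p", "none"),
            "rua": bool(record.get("rua")), "ruf": bool(record.get("ruf"))}
```

The second case in the test below is the DKIM-only scenario from the message: an unsigned message whose SPF pass is for an unrelated domain has no aligned identifier, so it fails and the published p= disposition applies.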