On 01/10/2023 11:37, Jan Dušátko wrote:
> Hi,
> If I understand the work of the DMARC algorithm, the following procedure
> occurs. In the condition we purposely specified at least one signature,
> because some systems provide more signatures than one and from the point
> of view of implementation there is then an effort to evaluate at least
> one of them. Could you correct me please?
>
> if ((SPF evaluation = pass) and (SPF alignment = true))
>    or
>    ((at least one DKIM signature evaluation = pass) and (the same DKIM
>    signature alignment = true))
> then
>     DMARC = pass
>     if (RUA not empty)
>     then
>         add information for analytic report
>     fi
> else
>     DMARC = pass
              ^^^ A typo, I guess. It's fail, of course.
>     if (RUA not empty)
>     then
>         add information for analytic report
>     fi
>     if (RUF not empty and defined FO)
>     then
>         generate forensic report based on FO settings
>     fi
> fi
>
> For me, the following approach is problematic. DMARC is able to evaluate
> the status in the case of a defined SPF or DKIM. If the sender wants to
> use only DKIM, there is the following risk. The possible attacker
> creates a fake email without a DKIM signature, which is subsequently
> impossible to evaluate. DMARC requires SPF or DKIM; if neither is
> defined, DMARC is in a "non-compliant" state, in other words an
> undefined status.

No, it's fail, per the above algorithm.

> Do I understand the above well? Alternatively, is someone able to direct
> me to the part describing the way DMARC behaves under these conditions?
> From my point of view, I would argue for the option where the owner
> defines the policy, i.e. the proposed policy "SPF&&DKIM", "SPF||DKIM",
> "SPF", "DKIM", which would be part of the DMARC policy. This option has
> been discussed here, but unfortunately I do not know if it will be
> considered for the future. For me personally, this would be an
> interesting solution to this problem.

My understanding is that the possibility to only evaluate SPF or only
evaluate DKIM is going to be standardized. SPF&&DKIM is considered a
footgun[*] by this WG.
Best
Ale
--
[*] https://en.wiktionary.org/wiki/footgun
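The pass/fail logic discussed in the thread, written out as an added example (not code from either poster); the `ORG_DOMAINS` table stands in for the Public Suffix List lookup a real verifier performs, and the sample messages are constructed. It shows why an unsigned message is a plain fail rather than an undefined state, and why only an aligned signature counts when several are present.

```python
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed stand-in for the organizational-domain lookup (normally done
# against the Public Suffix List); unknown domains map to themselves.
ORG_DOMAINS = {"mail.example.com": "example.com", "example.com": "example.com"}


def org_domain(domain: str) -> str:
    return ORG_DOMAINS.get(domain.lower(), domain.lower())


def aligned(domain: str, from_domain: str, mode: str) -> bool:
    """Identifier alignment: 's' = exact match, 'r' = same organizational domain."""
    d, f = domain.lower(), from_domain.lower()
    return d == f if mode == "s" else org_domain(d) == org_domain(f)


@dataclass
class DkimResult:
    d: str          # d= tag of the DKIM-Signature header
    result: str     # "pass", "fail", "none", ...


@dataclass
class Message:
    from_domain: str                 # RFC5322.From domain the DMARC policy belongs to
    spf_domain: Optional[str]        # RFC5321.MailFrom domain (None if unavailable)
    spf_result: str
    dkim: List[DkimResult] = field(default_factory=list)


def dmarc_verdict(msg: Message, adkim: str = "r", aspf: str = "r") -> str:
    """Return 'pass' or 'fail'. A message carrying no DKIM signature is not
    undefined: the DKIM branch is simply false and SPF alone decides."""
    spf_ok = (msg.spf_result == "pass" and msg.spf_domain is not None
              and aligned(msg.spf_domain, msg.from_domain, aspf))
    # One passing *and* aligned signature suffices; extra signatures from a
    # mailing list or relay neither help nor hurt.
    dkim_ok = any(s.result == "pass" and aligned(s.d, msg.from_domain, adkim)
                  for s in msg.dkim)
    return "pass" if spf_ok or dkim_ok else "fail"


if __name__ == "__main__":
    # Constructed: forged From, no DKIM signature, SPF passes only for the sender's own domain.
    print(dmarc_verdict(Message("example.com", "other.invalid", "pass", [])))  # fail
    # Constructed: two signatures, only the second one is aligned with From.
    print(dmarc_verdict(Message("example.com", "bounce.other.invalid", "fail",
          [DkimResult("lists.other.invalid", "pass"), DkimResult("mail.example.com", "pass")])))  # pass
```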
_______________________________________________
dmarc mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dmarc