On 01/10/2023 11:37, Jan Dušátko wrote:
> Hi,
> If I understand the work of the DMARC algorithm, the following procedure occurs. In the condition we purposely specified at least one signature, because some systems provide more signatures than one and from the point of view of implementation there is then an effort to evaluate at least one of them. Could you correct me please?
>
> if ((SPF evaluation = pass) and (SPF alignment = true))
>     or
>    ((at least one DKIM signature evaluation = pass) and (the same DKIM signature alignment = true))
> then
>     DMARC = pass
>     if (RUA not empty)
>     then
>        add information for analytic report
>     fi
> else
>     DMARC = pass
                ^^^ A typo, I guess.  It's fail, of course.
>     if (RUA not empty)
>     then
>         add information for analytic report
>     fi
>     if (RUF not empty and defined FO)
>     then
>         generate forensic report based on FO settings
>     fi
> fi
>
> For me, the following approach is problematic. DMARC is able to evaluate the status in the case of a defined SPF or DKIM. If the sender wants to use only DKIM, there is the following risk. The possible attacker creates a fake email without a DKIM signature, which is subsequently impossible to evaluate. DMARC requires SPF or DKIM; if neither is defined, DMARC is in a "non-compliant" state, in other words an undefined status.


No, it's fail, per the above algorithm.


> Do I understand the above well? Alternatively, is someone able to direct me to the part describing the way DMARC behaves under these conditions?
>
> From my point of view, I would argue for the option where the owner defines the policy, i.e. the proposed policy "SPF&&DKIM", "SPF||DKIM", "SPF", "DKIM", which would be part of the DMARC policy. This option has been discussed here, but unfortunately I do not know if it will be considered for the future. For me personally, this would be an interesting solution to this problem.


My understanding is that the possibility to only evaluate SPF or only evaluate DKIM is going to be standardized. SPF&&DKIM is considered a footgun[*] by this WG.


Best
Ale
--

[*] https://en.wiktionary.org/wiki/footgun
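As an added example (not code from this thread, nor from any DMARC implementation), the following Python model walks through the pseudocode discussed above and shows where the "fake email without a DKIM signature" case ends up: with no aligned passing SPF and no DKIM signature at all, the evaluation falls into the else branch and yields fail, with the published policy applied. The DkimResult and DmarcRecord types, the evaluate_dmarc function and the two scenario functions are constructed for this illustration; the organizational-domain lookup is simplified to the last two labels instead of the Public Suffix List, and SPF/DKIM are assumed to have been verified by a separate component whose results are passed in.

```python
"""Toy DMARC evaluator following the pseudocode in the thread.

Assumptions (none come from the message): SPF and DKIM have already been
verified elsewhere and their results are passed in; the organizational
domain is approximated by the last two labels (real evaluators use the
Public Suffix List); report generation is modelled as flags in the result.
"""
from dataclasses import dataclass


@dataclass
class DkimResult:
    d_domain: str   # the signature's d= tag
    result: str     # verifier result: "pass", "fail", "permerror", ...


@dataclass
class DmarcRecord:
    p: str = "reject"   # requested handling for non-passing mail
    adkim: str = "r"    # DKIM alignment: "r" relaxed / "s" strict
    aspf: str = "r"     # SPF alignment: "r" relaxed / "s" strict
    rua: str = ""       # aggregate-report address ("" = not published)
    ruf: str = ""       # failure-report address ("" = not published)
    fo: str = ""        # failure-report options ("" = not defined)


def org_domain(domain: str) -> str:
    """Simplified organizational domain: last two labels, no PSL lookup."""
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else labels[0]


def aligned(identifier: str, from_domain: str, mode: str) -> bool:
    """Identifier alignment with the RFC5322.From domain (strict or relaxed)."""
    if mode == "s":
        return identifier.lower().rstrip(".") == from_domain.lower().rstrip(".")
    return org_domain(identifier) == org_domain(from_domain)


def evaluate_dmarc(from_domain: str, spf_result: str, spf_domain: str,
                   dkim_results: list, record: DmarcRecord) -> dict:
    """Apply the pass/fail procedure from the thread's pseudocode."""
    spf_ok = spf_result == "pass" and aligned(spf_domain, from_domain, record.aspf)
    # "at least one signature": any signature that both passes and aligns suffices
    dkim_ok = any(r.result == "pass" and aligned(r.d_domain, from_domain, record.adkim)
                  for r in dkim_results)
    if spf_ok or dkim_ok:
        return {"dmarc": "pass", "disposition": "none",
                "aggregate_report": bool(record.rua), "failure_report": False}
    # Neither mechanism passed aligned; an unsigned message lands here as well.
    return {"dmarc": "fail", "disposition": record.p,
            "aggregate_report": bool(record.rua),
            "failure_report": bool(record.ruf and record.fo)}


# Constructed scenario: a domain publishing DMARC with both report types enabled.
RECORD = DmarcRecord(p="quarantine", rua="mailto:agg@example.com",
                     ruf="mailto:fail@example.com", fo="1")


def unsigned_spoof() -> dict:
    """The case raised in the thread: no DKIM signature at all.

    SPF may even pass for the attacker's own MAIL FROM domain, but it does
    not align with the From domain, so the result is fail, not undefined.
    """
    return evaluate_dmarc("example.com", "pass", "attacker.invalid", [], RECORD)


def multi_signature_pass() -> dict:
    """Two signatures: an unaligned third-party one and an aligned subdomain one."""
    sigs = [DkimResult("esp.invalid", "pass"),        # passes but does not align
            DkimResult("mail.example.com", "pass")]   # passes and aligns (relaxed)
    return evaluate_dmarc("example.com", "fail", "bounce.example.com", sigs, RECORD)


if __name__ == "__main__":
    print(unsigned_spoof())
    print(multi_signature_pass())
```

The unsigned case produces a fail with the record's disposition and a failure-report flag, which is the behaviour Ale describes; the two-signature case shows why the pseudocode says "at least one": the unaligned third-party signature is ignored and the aligned one carries the pass.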



_______________________________________________
dmarc mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dmarc