On Thu, Mar 21, 2024 at 10:15 AM Todd Herr <[email protected]> wrote:

> On Thu, Mar 21, 2024 at 5:55 AM Alessandro Vesely <[email protected]> wrote:
>
>> On Wed 20/Mar/2024 23:11:20 +0100 Matthäus Wander wrote:
>> > Alessandro Vesely wrote on 2024-03-20 15:42:
>> >> what is the result of DMARC on having, say
>> >>
>> >>      dkim=pass (testing key)
>> >> or
>> >>      dkim=policy (512 byte key)
>> >>
>> >> is that akin to SPF neutral, i.e. dmarc=fail?
>> >
>> > dkim=pass results in dmarc=pass (if the domain is aligned). The comment
>> > in brackets is for human eyes and does not change the DMARC result.
>>
>>
>> For t=y, DKIM says:
>>
>>        y  This domain is testing DKIM.  Verifiers MUST NOT treat messages
>>           from Signers in testing mode differently from unsigned email,
>>           even should the signature fail to verify.  Verifiers MAY wish
>>           to track testing mode results to assist the Signer.
>>
>> So reporting dkim=pass for testing keys seems to be a violation.
>>
>>
>> > dkim=policy is like spf=neutral, i.e. dmarc=fail.
>>
>>
>> Agreed.  Should that be mentioned in DMARCbis?
>>
>>
> I don't believe there's any need to discuss this topic in DMARCbis.
>
> DMARCbis, in section 4.1, DMARC Basics, says:
>
> ===============================================================
>
> A message satisfies the DMARC checks if at least one of the supported
> authentication mechanisms:
>
>    1. produces a "pass" result, and
>
>    2. produces that result based on an identifier that is in alignment, as
>    described in Section 4.4.
>
> ===============================================================
>
> If there's anything to say about reporting a DKIM pass result for DKIM
> signatures where t=y exists and its possible ramifications for DMARC, then
> I believe that's something for an update to RFC 6376 to address.
>
>
And upon further reflection I personally think two more things:

   1. It is highly unlikely that a Domain Owner will publish a DMARC policy
   record with DKIM t=y in place when they can accomplish the same results
   with a DMARC policy of p=none and get aggregate and perhaps failure
   reporting to boot.
   2. That part of 6376 might be better written as "Should the signature
   fail to verify, verifiers MUST NOT treat messages from Signers in testing
   mode differently from unsigned email." as I see no reason to penalize a
   Domain Owner who successfully DKIM signs messages, even in testing mode.
   But I could very well be in the weeds here...


-- 

Todd Herr | Technical Director, Standards & Ecosystem
Email: [email protected]
Phone: 703-220-4153


_______________________________________________
dmarc mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dmarc
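The following is an added illustration, not code from anyone in this thread: a minimal DMARC evaluator that implements the DMARCbis section 4.1 rule quoted above (a message passes if at least one mechanism yields "pass" on an aligned identifier) and makes the two points under discussion concrete. A dkim=policy result, like spf=neutral, is simply not a "pass" and so yields dmarc=fail; a signer's t=y flag is handled by a switch that selects either the reading "testing-mode signers are treated as unsigned only when the signature fails" or the reading "treated as unsigned always". The data classes, the `org_domain` helper (a two-label approximation; a real verifier must use the Public Suffix List) and all sample domains are assumptions made for the example.

```python
"""Added example: DMARC result evaluation per DMARCbis section 4.1.

All types, the two-label organizational-domain rule and the sample inputs
are constructed for illustration; a production verifier parses real
Authentication-Results headers and uses the Public Suffix List.
"""

from dataclasses import dataclass, field
from typing import List, Optional


def org_domain(domain: str) -> str:
    """Assumed simplification: organizational domain = last two labels."""
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def aligned(identifier: str, from_domain: str, mode: str) -> bool:
    """Strict ("s") alignment requires an exact match of the domains;
    relaxed ("r") alignment compares organizational domains."""
    if mode == "s":
        return identifier.lower() == from_domain.lower()
    return org_domain(identifier) == org_domain(from_domain)


@dataclass
class DkimResult:
    result: str            # "pass", "fail", "policy", "none", ...
    d: str                 # d= tag of the signature
    testing: bool = False  # t=y present in the signer's key record


@dataclass
class SpfResult:
    result: str            # "pass", "fail", "neutral", "softfail", "none", ...
    domain: str            # MAIL FROM (or HELO) domain that was checked


@dataclass
class Message:
    from_domain: str                      # RFC5322.From domain
    dkim: List[DkimResult] = field(default_factory=list)
    spf: Optional[SpfResult] = None
    adkim: str = "r"                      # alignment modes from the DMARC record
    aspf: str = "r"


def effective_dkim_result(r: DkimResult, strict_testing: bool) -> str:
    """RFC 6376 t=y: verifiers must not treat testing-mode signers differently
    from unsigned mail.  With strict_testing=False only a failing signature is
    downgraded to "none" (Todd's suggested wording); with strict_testing=True
    every testing-mode signature is (Alessandro's reading)."""
    if r.testing and (strict_testing or r.result != "pass"):
        return "none"
    return r.result


def dmarc_result(msg: Message, strict_testing: bool = False) -> str:
    """Section 4.1: pass if any mechanism passes on an aligned identifier."""
    for r in msg.dkim:
        if (effective_dkim_result(r, strict_testing) == "pass"
                and aligned(r.d, msg.from_domain, msg.adkim)):
            return "pass"
    if (msg.spf is not None and msg.spf.result == "pass"
            and aligned(msg.spf.domain, msg.from_domain, msg.aspf)):
        return "pass"
    # fail, neutral, policy, none, or an unaligned pass: all are dmarc=fail.
    return "fail"


if __name__ == "__main__":
    # Constructed sample: aligned DKIM pass versus dkim=policy (weak key).
    ok = Message("example.com", dkim=[DkimResult("pass", "mail.example.com")])
    weak = Message("example.com", dkim=[DkimResult("policy", "example.com")])
    print(dmarc_result(ok), dmarc_result(weak))
```

The comment in parentheses after a DKIM result ("testing key", "512 byte key") never reaches `dmarc_result`; only the result token and the d= domain do, which is the point made in the thread. Whether a t=y key should additionally turn a verified signature into "none" is exactly the open question, so it is exposed as a parameter rather than decided here.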
