On Sun, Mar 31, 2024 at 3:28 PM Richard Clayton <[email protected]>
wrote:

> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> In message <CAOZAAfP9tXi80Fi=ZkgPpGwHo1fDbdSOZwVcnuPDbbc2xQd-
> [email protected]>, Seth Blank <[email protected]>
> writes
>
> >    Some Mail Receiver architectures implement SPF in advance of any
> >    DMARC operations. This means that an SPF hard fail ("-") prefix on
> >    a sender's SPF mechanism, such as "-all", could cause that
> >    rejection to go into effect early in handling, causing message
> >    rejection before any DMARC processing takes place, and DKIM has a
> >    chance to validate the message instead of SPF. Operators choosing
> >    to use "-all" to terminate SPF records should be aware of this.
>
> I understood what this said thus far ... but I wonder what it is doing
> in a document about DMARC.   Some architectures may reject email from
> IPs listed in the PBL ... again nothing to do with DMARC. This isn't a
> document on how to improve deliverability, is it?
>

I don't understand the link being made here between operational details and
deliverability.  I understand this to be pointing out that if you do any
short circuiting, DMARC can't be evaluated.  That includes any early
rejection, be that based on SPF results, DKIM signature failures, domain
reputation rejections, or anything of the sort.

Mind you, I'm a little worried about anyone that plans to rely seriously on
DMARC yet to whom this isn't relatively obvious.  You need those results
before DMARC can even begin, and the DKIM result comes only after the body
arrives.

-MSK, p11g
_______________________________________________
dmarc mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dmarc
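
The ordering point made in this thread, as an added example that is not part of the original messages: a toy receiver that either rejects on SPF hard fail at MAIL FROM or defers the decision until the body has arrived and DMARC can be evaluated. All names, domains and sample messages are constructed, and alignment is simplified to an exact domain match (strict mode).

```python
from dataclasses import dataclass

@dataclass
class Message:
    from_domain: str      # RFC5322.From domain, the identity DMARC protects
    mailfrom_domain: str  # RFC5321.MailFrom domain, the identity SPF checks
    spf_result: str       # "pass" or "fail" ("fail" = hard fail, e.g. matched "-all")
    dkim_domain: str      # d= of the DKIM signature, "" if unsigned
    dkim_valid: bool      # only knowable once the body has been received

def dmarc_pass(msg):
    """DMARC passes if SPF or DKIM passes with an aligned domain."""
    # Assumption: strict alignment (exact match) to keep the example short.
    spf_ok = msg.spf_result == "pass" and msg.mailfrom_domain == msg.from_domain
    dkim_ok = msg.dkim_valid and msg.dkim_domain == msg.from_domain
    return spf_ok or dkim_ok

def receive(msg, reject_on_spf_fail):
    """Walk the SMTP stages in order; return (verdict, stages reached)."""
    stages = ["MAIL FROM"]
    if reject_on_spf_fail and msg.spf_result == "fail":
        # Short circuit: the body is never transferred, so DKIM cannot be
        # verified and DMARC is never evaluated.
        return "rejected: SPF hard fail", stages
    stages.append("DATA")    # body arrives, DKIM result becomes available
    stages.append("DMARC")   # both inputs are now known
    if dmarc_pass(msg):
        return "accepted: DMARC pass", stages
    return "DMARC fail: apply published policy", stages

# Constructed sample: legitimate mail relayed by a forwarder whose IP is not
# in the sender's SPF record, but whose DKIM signature survived intact.
FORWARDED = Message("example.com", "example.com", "fail", "example.com", True)
# Constructed sample: unauthenticated mail failing both mechanisms.
UNAUTHENTICATED = Message("example.com", "example.com", "fail", "", False)

if __name__ == "__main__":
    for name, msg in (("forwarded", FORWARDED), ("unauthenticated", UNAUTHENTICATED)):
        for early in (True, False):
            print(name, "early_reject=%s" % early, receive(msg, early))
```

With early rejection enabled, both samples get the same verdict at MAIL FROM; only the deferred path can tell the forwarded message (DKIM-aligned, DMARC pass) from the unauthenticated one.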
