Consider the case of an environment with a single server, properly configured with SPF but without DKIM:
- Original messages from this server are considered authenticated based on SPF Pass with alignment, but
- Bounce messages from this server are considered unauthenticated because messages with a null sender require DKIM.

This inconsistency is illogical and impossible to justify. In general, configuring DKIM for bounce messages is likely to be harder than configuring messages for original messages. So for consistency, our rule should be one of these:

- Because DKIM is required for bounce messages, DMARC requires DKIM for all messages, OR
- Because DKIM is optional for original messages, DKIM is also optional for bounce messages.

We have rejected the idea of mandatory DKIM, so we need a solution to validate the From address when we have a null sender and no signature. Clearly, SPF on HELO is NOT that solution. The workable solution is the following:

- When the Mail From address is null, the From address is used to compute an SPF result, and that result is used to determine the DMARC result.

When this test produces PASS, it is interpreted to mean: "Because this server is trusted to send regular messages on behalf of this From domain, it is also trusted to send bounces and other null sender messages on behalf of this domain."

Similarly, when the test produces FAIL, it is interpreted to mean: "Because this server is NOT trusted to send regular messages for this From domain, it is also not trusted to send bounce messages or other null sender messages on behalf of this domain."

Doug Foster
_______________________________________________ dmarc mailing list -- [email protected] To unsubscribe send an email to [email protected]
