Richard, you miss my point. I know what RFC 7208 says to do with null sender, but we rightly ignore it for DMARC purposes.
SPF Helo is one of at least 5 ways to validate the HELO name. There are potential uses for validating the HELO name, but those uses exist with or without a null sender. DMARC is interested in validating the message >From address; HELO validation contributes nothing toward that goal. As I said, requiring DKIM verification for bounce messages is such an unnecessary burden that you might as well require DKIM everywhere, because bounce compliance is the most difficult and most error-prone component of the entire DMARC deployment. When there is a null sender without a DKIM signature, the question is whether the server has the right to send on behalf of the FROM domain. When the sender is null, SPF on From answers that question with high accuracy. Doug On Wed, May 29, 2024 at 8:29 AM Richard Clayton <[email protected]> wrote: > -----BEGIN PGP SIGNED MESSAGE----- > Hash: SHA1 > > In message <[email protected] > il.com>, Douglas Foster <[email protected]> writes > > > Consider the case of an environment with a single server, properly > > configured with SPF but without DKIM: > > * Original messages from this server are considered authenticated > > based on SPF Pass with alignment, but > > * Bounce messages from this server are considered unauthenticated > > because messages with a null sender require DKIM. > > If MAIL FROM is null, SPF uses the domain in the EHLO > > You should ensure you have an SPF result for that (noting that it may be > a subdomain and SPF does not have any concept of authoritative domains) > > - -- > richard Richard Clayton > > Those who would give up essential Liberty, to purchase a little temporary > Safety, deserve neither Liberty nor Safety. Benjamin Franklin 11 Nov 1755 > > -----BEGIN PGP SIGNATURE----- > Version: PGPsdk version 1.7.1 > > iQA/AwUBZlcfVN2nQQHFxEViEQJPLACgtedq9ao4h9sQPDY8aUCL81AvF1MAn1Yb > GamGjDijukTOmA71+iw6mhNw > =iznx > -----END PGP SIGNATURE----- > > _______________________________________________ > dmarc mailing list -- [email protected] > To unsubscribe send an email to [email protected] >
_______________________________________________ dmarc mailing list -- [email protected] To unsubscribe send an email to [email protected]
