In message <[email protected]>, John Levine <[email protected]> writes

>It appears that Richard Clayton <[email protected]> said:
>>You will need to say EHLO with a domain name that aligns with the From:
>>if you cannot manage that then DKIM is your only way to get your bounce
>>message to have a DMARC pass
>
>Now that I look at it, RFC 7489 says ambiguously in section 3.1.2 that
>the HELO can be used to "fake" (quotes in the original) a domain for
>alignment, while the current draft says in sec 4.4.2 "DMARC relies
>solely on SPF validation of the MAIL FROM identity."

the current text is better and far more precise (though it does rely on
the way in which RFC7208 is written)

>I don't remember the origin of this change. I don't feel strongly
>either way whether to use the HELO but I would like to be sure
>it's deliberate.

It is NOT "using the HELO identity"; it is using the "MAIL FROM
identity", which is specially defined to be something other than what is
in the 5321 MAIL command for the special case when it would otherwise be
null

>What do existing DMARC libraries do?

for OpenDMARC, so far as I can see, the right thing

    ret = opendmarc_spf2_find_mailfrom_domain(ctx, mail_from_domain,
                                              mfrom, sizeof mfrom,
                                              used_mfrom);
    if (ret != 0 || *used_mfrom == FALSE)
    {
        (void) strlcpy(helo, helo_domain, sizeof helo);
        SPF_request_set_helo_dom(ctx->spf_request, helo);
    }

Now one might observe that a bad person might proceed as follows

    HELO financialcompany.com
    MAIL FROM: <>
    RCPT TO: <[email protected]>
    DATA
    From: [email protected]
    Subject: click me

    http://verybad.example2.com
    .
    QUIT

but that would just serve the financial company right for providing an
SPF record in the first place (or not adding the syntax to say "here's
an SPF record but ignore it")

-- 
richard                                                   Richard Clayton

Those who would give up essential Liberty, to purchase a    Benjamin
little temporary Safety, deserve neither Liberty nor Safety.  Franklin
