On November 25, 2024 9:14:17 PM UTC, "Daniel K." <[email protected]> wrote:
>On 11/25/24 18:47, Alessandro Vesely wrote:
>> The only possible value is "helo", which we just removed. (See
>> https://mailarchive.ietf.org/arch/msg/dmarc/9RO1vASQ6N0Yt2oEXBy0u1ZYD8g/.)
>
>Thanks for taking the time to provide links.
>
>
>> If we only accept "mfrom", the only reason to have a scope field is for
>> backward compatibility. Do we care?
>
>Not everyone is providing a "scope" element in the currently issued
>reports. So in practical terms it is already treated as optional. We can
>let it carry on.
>
>
>Investigating this, the conversation above seems to indicate that SPF
>MUST NOT be treated as in alignment if MAIL FROM is NULL, however
>
>https://www.ietf.org/archive/id/draft-ietf-dmarc-dmarcbis-36.html#name-spf-domain
>
>talks about HELO identity and MAIL FROM identity, then stating:
>
>    DMARC relies solely on SPF validation of the
>    MAIL FROM identity.
>
>then it continues to talk briefly about the fallback mechanism to
>postmaster@HELO defined in RFC 7208, for the MAIL FROM identity, before
>concluding:
>
>    The term "SPF Domain" when used in this document
>    refers to an SPF validated MAIL FROM identity.
>
>
>https://www.ietf.org/archive/id/draft-ietf-dmarc-dmarcbis-36.html#name-spf-authenticated-identifie
>
>again talks about HELO identity vs MAIL FROM identity, then repeats the
>statement from above:
>
>    DMARC relies solely on SPF validation of the
>    MAIL FROM identity.
>
>
>I may be confused here, because from reading the background information
>I'm thinking that the intention is that a NULL envelope sender is meant
>to lead to an SPF fail result (no identifier alignment).
>
>If that's the case, it does not seem to be what's written in dmarcbis,
>nor does it seem possible to rely on SPF's notion of MAIL FROM identity
>for this purpose, as that explicitly includes the postmaster@HELO
>fallback mechanism.
>
>Where did I go wrong?

Look at RFC 7208, Section 2.4 again:

   When the reverse-path is null, this document defines the "MAIL FROM"
   identity to be the mailbox composed of the local-part "postmaster"
   and the "HELO" identity (which might or might not have been checked
   separately before).

When you use postmaster@HELO to construct a Mail From identity, it's still considered a check of Mail From for SPF purposes.

DMARC doesn't modify SPF. It just consumes the results for its own purpose. DMARC makes no use of a bare SPF HELO check.

This is, no doubt, somewhat complicated, but this is why having only Mail From is correct.

Scott K
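
The identity derivation discussed in this thread, as an added example that is not part of the original messages or of any DMARC implementation. The function names and sample hostnames are hypothetical, the SPF result is supplied by the caller rather than looked up in DNS, and only strict alignment is modelled (relaxed alignment needs an organizational-domain lookup that is left out here).

```python
from typing import NamedTuple


class SpfInput(NamedTuple):
    identity: str  # mailbox SPF evaluates as the "MAIL FROM" identity
    domain: str    # domain whose SPF policy is evaluated
    scope: str     # scope a DMARC report would carry for this check


def mail_from_identity(reverse_path: str, helo: str) -> SpfInput:
    """Derive the SPF "MAIL FROM" identity (RFC 7208, Section 2.4).

    A null reverse-path ("<>") becomes postmaster@HELO, and the check is
    still a MAIL FROM check, so the scope never becomes "helo".
    """
    path = reverse_path.strip().strip("<>")
    if not path:
        # Null reverse-path (bounces, DSNs): fall back to postmaster@HELO.
        local, domain = "postmaster", helo
    elif "@" in path:
        local, _, domain = path.rpartition("@")
        local = local or "postmaster"
    else:
        # No local-part given: "postmaster" is substituted.
        local, domain = "postmaster", path
    domain = domain.rstrip(".").lower()
    return SpfInput(f"{local}@{domain}", domain, "mfrom")


def dmarc_spf_aligned(spf_result: str, spf: SpfInput, from_domain: str) -> bool:
    """Strict-mode check only: SPF passed for the MAIL FROM identity and its
    domain equals the RFC5322.From domain. A bare HELO result is not an input.
    """
    return spf_result == "pass" and spf.domain == from_domain.rstrip(".").lower()


if __name__ == "__main__":
    # Constructed sample: a bounce with a null sender from mx.example.net.
    bounce = mail_from_identity("<>", "mx.example.net")
    print(bounce)
    print(dmarc_spf_aligned("pass", bounce, "mx.example.net"))  # HELO domain is the From domain
    print(dmarc_spf_aligned("pass", bounce, "example.com"))     # different From domain
```
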
