On Tue 03/Dec/2024 18:57:47 +0100 Daniel K. wrote:
> On 12/2/24 12:12, Alessandro Vesely wrote:
>> The original meaning of fo= was to send failure reports in different
>> situations, where 0 and 1 meant all or any having not "pass", while d and s
>> meant failed dkim or spf irrespective of alignment. Therefore 0:d would have
>> meant all failures but also dkim ones, which was (somewhat incorrectly) deemed
>> redundant at the time.
>>
>> Now that the meaning shifted to entirely different reports for d and s,
>
> I'm sorry, but I'm not following what you mean by "entirely different
> reports". The wording for the options did not change from RFC 7489; d
> and s type reports should be sent in the same circumstances as before.

The current text for ruf says:

    Depending on the value of the "fo" tag, the format for such
    reports is described in [I-D.ietf-dmarc-failure-reporting],
    [RFC6651], or [RFC6652].

The old text was:

    The format of the message to be generated MUST follow the
    format specified for the "rf" tag.

That tag only had the value "afrf", defined by RFC 6591 and extended by DMARC.
However, also RFCs 6651/2 extend that format, so it may still seem ambiguous
what format is meant. The DMARC extension is actually twofold, depending on
which validation fails, thus phrases like "DKIM failure report" can mean the
DKIM flavor of a DMARC failure report.

Indeed, Section 7.3.1 of RFC 7489 has a sentence that says:

    Note that a failure report generator MAY also
    independently produce an AFRF message for any or all of the
    underlying authentication methods.

So, it may produce /two/ reports for a single failure. For example, for a
failed DKIM signature, a generator may send one "DKIM failure report" triggered
by fo=d, and another one following the DKIM reporting algorithm of RFC 6651.
They are both AFRF format, but I don't think they are exactly equal.

Best
Ale
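
The fo= options discussed in the message above, as an added example that is not part of the original e-mail or of any DMARC implementation: a Python model of the RFC 7489 wording for 0, 1, d and s, showing that fo=0:d and fo=0 trigger different reports for the same message. The names `AuthResult`, `parse_fo` and `reports_for` are hypothetical, and the code assumes that only a plain "fail" counts as failed evaluation, that DKIM yields an aligned pass if any one signature does, and that unknown options are dropped.

```python
from dataclasses import dataclass, field

@dataclass
class AuthResult:
    """One message's evaluation (constructed model, field names are assumptions)."""
    spf_result: str                 # e.g. "pass", "fail", "none"
    spf_aligned: bool
    dkim: list = field(default_factory=list)   # (result, aligned) per signature

def parse_fo(value="0"):
    """Split a colon-separated fo= value; unknown options are dropped here
    (assumption) and an empty result falls back to the default "0"."""
    opts = {o.strip().lower() for o in value.split(":")}
    return (opts & {"0", "1", "d", "s"}) or {"0"}

def reports_for(fo_value, r):
    """Return which report kinds the RFC 7489 fo= wording triggers."""
    opts = parse_fo(fo_value)
    spf_ok = r.spf_result == "pass" and r.spf_aligned
    # Assumption: DKIM yields an aligned pass if any one signature does.
    dkim_ok = any(res == "pass" and aligned for res, aligned in r.dkim)
    out = set()
    if "0" in opts and not (spf_ok or dkim_ok):      # all mechanisms failed
        out.add("dmarc")
    if "1" in opts and not (spf_ok and dkim_ok):     # any mechanism failed
        out.add("dmarc")
    # d and s ignore alignment; only a plain "fail" counts (simplification).
    if "d" in opts and any(res == "fail" for res, _ in r.dkim):
        out.add("dkim")
    if "s" in opts and r.spf_result == "fail":
        out.add("spf")
    return out

# Constructed samples: DMARC passes via aligned SPF while a DKIM signature
# fails, and a message where both mechanisms fail.
SPF_ONLY = AuthResult("pass", True, [("fail", True)])
ALL_FAIL = AuthResult("fail", True, [("fail", False)])

if __name__ == "__main__":
    for fo in ("0", "1", "d", "0:d", "0:d:s"):
        print(fo, sorted(reports_for(fo, SPF_ONLY)), sorted(reports_for(fo, ALL_FAIL)))
```

For the first sample, fo=0 yields no report while fo=0:d yields a DKIM report, which is the case where the combination is not redundant.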