On Tue 03/Dec/2024 18:57:47 +0100 Daniel K. wrote:
On 12/2/24 12:12, Alessandro Vesely wrote:
The original meaning of fo= was to send failure reports in different situations, where 0 and 1 meant all or any having not "pass", while d and s meant failed dkim or spf irrespective of alignment. Therefore 0:d would have meant all failures but also dkim ones, which was (somewhat incorrectly) deemed redundant at the time.

Now that the meaning shifted to enirely different reports for d and s,

I'm sorry, but I'm not following what you mean by "entirely different
reports". The wording for the options did not change from RFC 7489; d
and s type reports should be sent in the same circumstances as before.


The current text for ruf says:

     Depending on the value of the "fo" tag, the format for such
     reports is described in [I-D.ietf-dmarc-failure-reporting],
     [RFC6651], or [RFC6652].

The old text was:

    The format of the message to be generated MUST follow the
    format specified for the "rf" tag.

That tag only had the value "afrf", defined by RFC 6591 and extended by DMARC. However, also RFCs 6651/2 extend that format, so it may still seem ambiguous what format is meant. The DMARC extension is actually twofold, depending on which validation fails, thus phrases like "DKIM failure report" can mean the DKIM flavor of a DMARC failure report.

Indeed, Section 7.3.1 of RFC 7489 has a sentence that says:

                     Note that a failure report generator MAY also
       independently produce an AFRF message for any or all of the
       underlying authentication methods.

So, it may produce /two/ reports for a single failure. For example, for a failed DKIM signature, a generator may send one "DKIM failure report" triggered by fo=d, and another one following the DKIM reporting algorithm of RFC 6651. They are both AFRF format, but I don't think they are exactly equal.


Best
Ale
--





_______________________________________________
dmarc mailing list -- [email protected]
To unsubscribe send an email to [email protected]

Reply via email to