On Tue 07/Jan/2025 16:31:19 +0100 Todd Herr wrote:
> I've also added a section titled "Conformance Requirements for Full DMARC
> Participation" in response to ongoing discussion.

Repeating specifications can create confusion, whether you change the wording
or not. For example, I'm a bit puzzled about how the pronouns identify which
mail in the wording of the new section:

   * MUST send mail so it produces an SPF-Authenticated identifier that
     has Identifier Alignment with the Author Domain

   * MUST send mail that has a DKIM Signing Domain that will produce
     a DKIM-Authenticated Identifier that has Identifier Alignment with
     the Author Domain

The above looks similar to Sections 5.1.1 and .2:

   5.1.1. Publish an SPF Record for an Aligned Domain

   To configure SPF for DMARC, the Domain Owner MUST send mail that has
   an RFC5321.MailFrom domain that will produce an SPF-Authenticated
   Identifier (#spf-identifiers) that has Identifier Alignment
   (#identifier-alignment-explained) with the Author Domain.

   5.1.2. Configure Sending System for DKIM Signing Using an Aligned
          Domain

   To configure DKIM for DMARC, the Domain Owner MUST send mail that has
   a DKIM Signing Domain (#dkim-signing-domain) that will produce a
   DKIM-Authenticated Identifier (#dkim-identifiers) that has Identifier
   Alignment (#identifier-alignment-explained) with the Author Domain.

For SPF, the subtle difference is that in 5.1.1 the phrase "mail that has an
RFC5321.MailFrom domain" seems to be a restrictive clause on mail sent by the
Domain Owner. Only mail that has such an RFC5321.MailFrom has to produce
spf=pass. Instead, the first bullet of the new section seems to mean that
/some/ (unspecified) mail sent by the Domain Owner must do so. Or is it /all/?
How about forwarded messages? Do they have to be SPF-aligned? IOW, MUST one
use SRS or similar (/all/)? Or are forwarded messages considered to be some
other mail (/some/)?

For DKIM, the wording is identical in Section 5.1.2 and the second bullet of
the new section. Yet, it is ambiguous. The sentence is true both for messages
signed by the Domain Owner and for those forwarded without changes, having
their original signatures, if valid. However, what about forwarded messages
with no valid signatures and automatic messages that are not filtered, such as
DSNs?

My server doesn't filter DSNs, so they lack DKIM signatures. Am I conformant
in this respect (/some/) or non-conformant (/all/)?

Best
Ale
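
The message classes raised in the post above (directly sent mail, forwarded mail with and without a surviving signature, and an unsigned DSN) can be compared by the identifiers each one offers for alignment. The following is an added example, not part of the original message or of the draft; the domains, authentication results and the two-label org_domain() shortcut are all constructed assumptions.

```python
# Added example; every domain and auth result below is constructed.

def org_domain(domain):
    # Assumption: naive "last two labels" stand-in for the real
    # Organizational Domain determination.
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def aligned(auth_domain, author_domain, strict=False):
    a = auth_domain.lower().rstrip(".")
    b = author_domain.lower().rstrip(".")
    return a == b if strict else org_domain(a) == org_domain(b)

def evaluate(msg, strict=False):
    """Report which mechanisms give an authenticated, aligned identifier."""
    author = msg["from_domain"]
    # RFC 7208 section 2.4: with a null reverse-path (as in DSNs) the
    # SPF MAIL FROM identity becomes postmaster@<HELO domain>.
    spf_domain = msg["mailfrom_domain"] or msg["helo_domain"]
    spf_ok = msg["spf_result"] == "pass" and aligned(spf_domain, author, strict)
    dkim_ok = any(result == "pass" and aligned(d, author, strict)
                  for d, result in msg["dkim"])
    return {"spf": spf_ok, "dkim": dkim_ok, "dmarc_pass": spf_ok or dkim_ok}

SAMPLES = {
    "direct": dict(
        from_domain="example.org", mailfrom_domain="bounce.example.org",
        helo_domain="mx.example.org", spf_result="pass",
        dkim=[("example.org", "pass")]),
    "forwarded_unchanged": dict(  # relayed as-is, envelope sender not rewritten
        from_domain="example.org", mailfrom_domain="bounce.example.org",
        helo_domain="fwd.example.net", spf_result="fail",
        dkim=[("example.org", "pass")]),
    "forwarded_modified": dict(   # relay altered the body, signature broken
        from_domain="example.org", mailfrom_domain="bounce.example.org",
        helo_domain="fwd.example.net", spf_result="fail",
        dkim=[("example.org", "fail")]),
    "dsn_unsigned": dict(         # null MAIL FROM, no DKIM signature at all
        from_domain="mail.example.org", mailfrom_domain="",
        helo_domain="mail.example.org", spf_result="pass", dkim=[]),
}

if __name__ == "__main__":
    for name, msg in SAMPLES.items():
        print(f"{name:20} {evaluate(msg)}")
```
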