On 04/13/2014 03:17 PM, Mark Sapiro wrote: > On 04/13/2014 03:03 PM, Jim Popovitch wrote: >> >> DMARC checks alignment of *both* DKIM and SPF, if either is broken DMARC >> fails. >> >>> SPF does not check the "From:" header line, and that's where the >>> troubles begin with DMARC. >> >> SPF checks sending IPs (of which your IPs won't match Yahoo's, thus >> breaking DMARC) >> >> Either an SPF failure or a DKIM failure will cause a DMARC rejection >> if p=reject. > > > I'm not sure that's correct. I've been testing this so many ways, I'm > not sure what I'm seeing, but I think a reject requires BOTH DKIM and > SPF to be absent or fail. If either passes, no DMARC reject occurs.
My reading of Sec 10.2 of the current draft DMARC standard <https://datatracker.ietf.org/doc/draft-kucherawy-dmarc-base/> says that either a valid DKIM signature or a valid SPF test is sufficient, but only if the domains are aligned which means the DKIM signing domain or the SPF envelope sender domain must match (in strict or relaxed mode) that of the From: address. If one or more of the Authenticated Identifiers align with the RFC5322.From domain, the message is considered to pass the DMARC mechanism check. In particular, one's own SPF won't do because the domains won't align. I think I've got a good set of test results, but I'm tired and will save that summary for tomorrow. -- Mark Sapiro <m...@msapiro.net> The highway is for gamblers, San Francisco Bay Area, California better use your sense - B. Dylan ------------------------------------------------------ Mailman-Users mailing list Mailman-Users@python.org https://mail.python.org/mailman/listinfo/mailman-users Mailman FAQ: http://wiki.list.org/x/AgA3 Security Policy: http://wiki.list.org/x/QIA9 Searchable Archives: http://www.mail-archive.com/mailman-users%40python.org/ Unsubscribe: https://mail.python.org/mailman/options/mailman-users/archive%40jab.org
