Ralf Hildebrandt via Mailman-Users writes:

 > The DMARC record for somenet.org is
 > "v=DMARC1;p=none;pct=100;rua=mailto:postmas...@somenet.org;mailto:postmas...@somenet.org;ri=3600;fo=1;";
 > which is syntactically incorrect. The extra
 > ";mailto:postmas...@somenet.org"; is wrong, I guess the tag "ruf="
 > is missing here!

Seems very likely.

 > It should probably read 
 > "v=DMARC1;p=none;pct=100;rua=mailto:postmas...@somenet.org;ruf=mailto:postmas...@somenet.org;ri=3600;fo=1;";
 > 
 > So, should mm3 somehow "catch" this error somehow?

Yes.  The parser is in the authheaders package, a 3rd-party package on
PyPI.  I'll get in touch with the maintainers, but given the season I
wouldn't bet on a release soon.  Of course you may get lucky with an
upgrade if you're not up-to-date (v0.15.3).  Upgrade should be safe,
the maintainers are reliable authors in this field.

The rest of this post is for RFC nerds. :-)

 > I wonder how a syntactically incorrect DMARC record should be
 > handled at all

Per RFC 7489, Sec. 6.3:

    A DMARC policy record MUST comply with the formal specification found
    in Section 6.4 in that the "v" and "p" tags MUST be present and MUST
    appear in that order.  Unknown tags MUST be ignored.  Syntax errors
    in the remainder of the record SHOULD be discarded in favor of
    default values (if any) or ignored outright.

I'm pretty sure the best strategy is to divide the string on ";",
check that the first component is exactly "v=DMARC1", the second is a
"p=..." specification.  If either of those fails, the whole record
should be ignored (but the receiver can go ahead and do DMARC
processing and make its own decisions based on the result).

After that, any component that is not of the form "tag=value" for a
tag that is defined in the RFC and a value that is syntactically valid
for the tag should be ignored but parsing continues for the remaining
components.

There is no default for ruf, so IMO you must ignore it:

    ruf:  ... If not provided, Mail Receivers MUST NOT generate
    failure reports.

Although the evidence for ruf=mailto:postmas...@somenet.org is really
strong, given it's the same URL as rua and fo=1; best effort might
apply.

 > (ignore?

The whole policy?  Definitely not, unless the "v" and "p" tags are
missing or syntactically incorrect.  Of course it's optional for
receivers to participate, but if you participate, best effort is
indicated (Sec. 6):

    A Mail Receiver implementing the DMARC mechanism SHOULD make a
    best-effort attempt to adhere to the Domain Owner's published DMARC
    policy when a message fails the DMARC test.
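
A sketch of the tolerant parsing strategy described in this message, added here as an example; it is not part of the original post and not the authheaders code. The name parse_dmarc, the simplified per-tag value checks, and the example.org sample record are assumptions made for illustration.

```python
import re

# Simplified value checks for the RFC 7489 tags (assumption: not the full
# Sec. 6.4 ABNF; report URIs are only checked for a mailto: scheme).
_POLICY = re.compile(r"none|quarantine|reject")
_URI = r"mailto:[^\s,;!]+(?:![0-9]+[kmgt]?)?"
_URIS = re.compile(rf"{_URI}(?:\s*,\s*{_URI})*")
VALIDATORS = {
    "p": _POLICY, "sp": _POLICY,
    "adkim": re.compile(r"[rs]"), "aspf": re.compile(r"[rs]"),
    "pct": re.compile(r"100|[0-9]{1,2}"), "ri": re.compile(r"[0-9]+"),
    "fo": re.compile(r"[01ds](?::[01ds])*"), "rf": re.compile(r"\w+(?::\w+)*"),
    "rua": _URIS, "ruf": _URIS,
}

# Constructed sample with the same defect as the record quoted above.
BROKEN = ("v=DMARC1;p=none;pct=100;rua=mailto:reports@example.org;"
          "mailto:reports@example.org;ri=3600;fo=1;")

def parse_dmarc(record):
    """Return (tags, ignored); tags is None if the whole record is unusable."""
    parts = [p.strip() for p in record.split(";") if p.strip()]
    pairs = []
    for part in parts:
        tag, sep, value = part.partition("=")
        pairs.append((tag.strip(), value.strip() if sep else None, part))
    # "v" and "p" must come first, in that order, and be valid.
    if len(pairs) < 2 or pairs[0][:2] != ("v", "DMARC1"):
        return None, parts
    if pairs[1][0] != "p" or not VALIDATORS["p"].fullmatch(pairs[1][1] or ""):
        return None, parts
    tags, ignored = {"v": "DMARC1", "p": pairs[1][1]}, []
    for tag, value, raw in pairs[2:]:
        check = VALIDATORS.get(tag)
        if value is not None and check and tag not in tags and check.fullmatch(value):
            tags[tag] = value
        else:
            ignored.append(raw)  # unknown tag, bad value, or no "tag=" at all
    return tags, ignored

if __name__ == "__main__":
    tags, ignored = parse_dmarc(BROKEN)
    print(tags)
    print(ignored)
```

The stray component ends up in the ignored list and no ruf value is inferred, so a caller following the RFC text would generate no failure reports for this record.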
