On 28 Apr 2020, at 4:42, Philip wrote:

> Hello
>
> I sent a message from mail.ru, which has a p=reject setting in its DMARC record, to an email account at OVH.
>
> OVH forwards this email to Gmail; as we know, OVH doesn't implement SRS during the forwarding. So after receiving the email, Gmail shows SPF failed.
>
> This is the message header in Gmail:
>
> Subject:    DMARC testing
> SPF:    SOFTFAIL with IP 178.32.228.79 Learn more
> DKIM:    'PASS' with domain mail.ru Learn more
> DMARC:    'PASS' Learn more
>
> My question is, since SPF got SOFTFAIL by Gmail, why does it still say DMARC PASS?

Because the DKIM signature was valid AND aligned with the From header.

> Shouldn't an SPF failure cause a DMARC failure?

No.

What follows is an INCOMPLETE SIMPLIFICATION, but it answers the core of your question. As Scott has said, RFC7489 provides all the technical details and covers edge cases that my simplification leaves open.

SPF validates the client IP of a SMTP transaction as a permitted source for the domain of the SMTP envelope sender address.

DKIM signatures verify that the body and an identified set of headers are unchanged since the message was seen by the signing entity, identified by a domain in the signature. That domain may or may not be related to any particular header or envelope parameter. A message can carry multiple valid DKIM signatures.

DMARC requires at least ONE of SPF or DKIM to refer to a domain that "aligns" with the domain of the author's address, which is almost always the address in the From header. Pass/fail for DMARC refers to the From header address domain, NOT to the domain of the envelope sender or of any DKIM signature. Domain "alignment" is a carefully-defined rough equivalence which is modulated by DMARC record parameters.

Any single "failure" of DKIM or SPF to validate the domains they purport to validate is adequate to force a failure of DMARC, which only fails if ALL mechanisms fail or are absent for the author address domain.

--
Bill Cole
b...@scconsult.com or billc...@apache.org
(AKA @grumpybozo and many *@billmail.scconsult.com addresses)
Not For Hire (currently)
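
Added example (not part of the original thread, and not code from any of its participants): a minimal DMARC evaluator showing why the forwarded message passes on its aligned DKIM signature even though SPF does not pass. The envelope sender domain, the `forwarder.example` name, and the two-label organizational-domain shortcut are assumptions made for illustration; real evaluators use the Public Suffix List as described in RFC 7489.

```python
from dataclasses import dataclass

# Simplification (assumption): organizational domain = last two labels.
# Real evaluators consult the Public Suffix List (RFC 7489, section 3.2).
def org_domain(domain: str) -> str:
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def aligned(auth_domain: str, from_domain: str, strict: bool) -> bool:
    a, f = auth_domain.lower().rstrip("."), from_domain.lower().rstrip(".")
    return a == f if strict else org_domain(a) == org_domain(f)

@dataclass
class Spf:
    result: str           # "pass", "softfail", "fail", "none", ...
    envelope_domain: str  # domain of the SMTP envelope sender

@dataclass
class Dkim:
    result: str           # "pass" or "fail"
    d: str                # signing domain from the d= tag

def dmarc(from_domain, spf, dkims, aspf="r", adkim="r"):
    """Return ("pass"|"fail", mechanisms that passed AND aligned)."""
    reasons = []
    # Only an SPF "pass" counts; softfail/fail/none contribute nothing.
    if spf.result == "pass" and aligned(spf.envelope_domain, from_domain, aspf == "s"):
        reasons.append("spf")
    # A message may carry several signatures; any aligned pass is enough.
    for sig in dkims:
        if sig.result == "pass" and aligned(sig.d, from_domain, adkim == "s"):
            reasons.append(f"dkim:{sig.d}")
    return ("pass" if reasons else "fail", reasons)

# Constructed inputs modelled on the Gmail header summary quoted in the thread.
FORWARDED = dmarc("mail.ru", Spf("softfail", "mail.ru"), [Dkim("pass", "mail.ru")])
# Same forward, but the signature no longer verifies (e.g. body was altered).
BROKEN = dmarc("mail.ru", Spf("softfail", "mail.ru"), [Dkim("fail", "mail.ru")])
# Valid SPF and DKIM for an unrelated domain do not help the From domain.
UNALIGNED = dmarc("mail.ru", Spf("pass", "forwarder.example"),
                  [Dkim("pass", "forwarder.example")])

if __name__ == "__main__":
    for name, r in [("forwarded", FORWARDED), ("broken", BROKEN), ("unaligned", UNALIGNED)]:
        print(name, r)
```

The `BROKEN` case is the one to watch for on forwarding paths without SRS: once a forwarder or list modifies the signed content, neither mechanism passes for the From domain and a p=reject policy applies.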
