On 12/01/2023 at 18:17, Emmanuel Fusté wrote:
On 12/01/2023 at 17:51, Wietse Venema wrote:
Emmanuel Fusté:
On Thu, 12 Jan 2023, 17:15, <post...@ptld.com> wrote:
Since I am using SPF as a validation method, the non-srs messages from those big providers will have possibility to break SPF and be rejected by our systems.
Do you reject based on solely the SPF result? It would be better to use DMARC, have SPF only create the auth header and not reject, then let DMARC evaluate and decide to reject or not.
DMARC will look for any DKIM signatures and if a signature is valid DMARC will accept the email even when SPF fails due to forwarding.
No. If SPF fail DMARC will fail too.
No. If DKIM passes then DMARC should too (necessary and sufficient).
Wietse
Yes, necessary and sufficient, but any fail will result in a final fail: If SPF none & DKIM pass => pass. If SPF fail, it will fail even if DKIM passes.
RFC7489, section 6.6.2, 4) and 5)
Especially "All other conditions (authentication failures, identifier mismatches) are considered to be DMARC mechanism check failures."
No SPF is OK, but as long as the domain of RFC822 MAIL FROM address has a SPF, this SPF must pass.
On top of that DMARC will check the alignment of this domain with the domain of the RFC5322 From address with the published DMARC policy SPF requirement (aspf) strict or relaxed.
To address the forwarding problem, you should add ARC to the sending and verifying stack. It was designed specifically for that, but not widely used, it is pretty experimental.
Emmanuel.
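
An added example, not part of the original thread: a simplified evaluator for the rule in RFC 7489, Sections 3.1 and 4.2, under which a message satisfies DMARC when at least one of SPF or DKIM produces a pass on a domain aligned with the RFC5322 From domain. The function names, the sample domains and the two-label organizational-domain shortcut are assumptions made for illustration.

```python
"""Simplified DMARC pass/fail decision (RFC 7489, Sections 3.1 and 4.2)."""

def org_domain(domain):
    # Assumption: the organizational domain is the last two labels.
    # A real verifier derives it from the Public Suffix List (Section 3.2).
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def aligned(auth_domain, from_domain, mode):
    """mode 's' (strict): exact match; 'r' (relaxed): same organizational domain."""
    a = auth_domain.lower().rstrip(".")
    f = from_domain.lower().rstrip(".")
    if mode == "s":
        return a == f
    return org_domain(a) == org_domain(f)

def dmarc_result(from_domain, spf, dkim_sigs, aspf="r", adkim="r"):
    """spf: (result, MAIL FROM domain); dkim_sigs: list of (result, d= domain)."""
    spf_result, spf_domain = spf
    spf_ok = spf_result == "pass" and aligned(spf_domain, from_domain, aspf)
    dkim_ok = any(res == "pass" and aligned(d, from_domain, adkim)
                  for res, d in dkim_sigs)
    return {"spf_aligned": spf_ok, "dkim_aligned": dkim_ok,
            "dmarc": "pass" if (spf_ok or dkim_ok) else "fail"}

# Constructed sample inputs (not taken from the thread).
CASES = {
    # Forwarded without SRS: the forwarder's IP fails SPF, the signature survives.
    "forwarded, no SRS": dict(from_domain="example.com",
                              spf=("fail", "example.com"),
                              dkim_sigs=[("pass", "example.com")]),
    # Forwarded with SRS: SPF passes for the forwarder's own domain, which is
    # not aligned, and the body was modified so the signature no longer verifies.
    "forwarded, SRS, body changed": dict(from_domain="example.com",
                                         spf=("pass", "forwarder.example.net"),
                                         dkim_sigs=[("fail", "example.com")]),
    # aspf=s: a subdomain bounce address is not aligned under strict mode.
    "strict aspf, subdomain": dict(from_domain="example.com",
                                   spf=("pass", "bounce.example.com"),
                                   dkim_sigs=[], aspf="s"),
}

def evaluate_cases():
    return {name: dmarc_result(**args)["dmarc"] for name, args in CASES.items()}

if __name__ == "__main__":
    for name, verdict in evaluate_cases().items():
        print(f"{name}: {verdict}")
```
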