[dmarc-discuss] Co-ordinating recipient policy?
madkins at fb.com
Tue Jan 31 08:13:05 PST 2012
On 1/31/12 7:43 AM, "David Woodhouse" <dwmw2 at infradead.org> wrote:
>Let me introduce my imaginary friend Fred. Fred is a mail administrator
>like the one described above. His systems receive lots of forwarded
>mail, and he refuses to implement a policy of rejection for SPF
>"failure". If he did that, his users would lose valid incoming mail, and
>they would quite rightly complain.
>What motivation does Fred have to honour a DMARC record, if it
>implicitly includes SPF in its validation? How does DMARC persuade him
>to fall into line with others in his receiving policies?
I appreciate the amount of thought you've put into studying our spec on
the first day!
I think perhaps we haven't clearly explained how SPF interacts with DMARC.
If I understand your concern, you believe that DMARC's use of SPF will
lead to unacceptable false positives. Please refer to section 7,
specifically "DMARC-compliant Mail Receivers MUST disregard any mail
directive discovered as part of an authentication mechanism (e.g., ADSP,
SPF) where a DMARC policy is also discovered." The only SPF result that
DMARC concerns itself with is 'pass'. A mail system that implements DMARC
must not act on SPF hard or soft fail results for domains where it finds a
DMARC record, otherwise it would indeed lead to false positives due to
things like forwarding and DMARC would have basically inherited all of
SPF's reliability issues without compensating for them.
The problems caused by forwarding are one of the big reasons why we wrote
DMARC to require that only one of the underlying mechanisms pass. In this
case, we expect that DKIM will survive forwarding intact and provide that
single 'pass' result that DMARC requires.
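
The evaluation rule described in this message, sketched as an added example (not part of the original post and not code from the DMARC authors): a receiver that enforces SPF directives is compared with one that applies DMARC to the same messages. All names and sample messages are constructed; the alignment flags and the policy values "none", "quarantine" and "reject" are assumptions beyond what the post states.

```python
from dataclasses import dataclass

@dataclass
class Auth:
    spf: str                   # SPF result: "pass", "fail", "softfail", "none"
    dkim: str                  # DKIM result: "pass", "fail", "none"
    spf_aligned: bool = True   # assumption: authenticated domain matches From:
    dkim_aligned: bool = True

def spf_directive_receiver(a: Auth) -> str:
    """Receiver that enforces the SPF directive itself (the policy Fred refuses)."""
    return "reject" if a.spf == "fail" else "accept"

def dmarc_receiver(a: Auth, policy):
    """policy is the sender's DMARC policy ("none", "quarantine", "reject"),
    or None when no DMARC record is found."""
    if policy is None:
        return "local-policy"          # DMARC has nothing to say
    # Only 'pass' counts; SPF fail/softfail directives are disregarded.
    spf_ok = a.spf == "pass" and a.spf_aligned
    dkim_ok = a.dkim == "pass" and a.dkim_aligned
    if spf_ok or dkim_ok:              # one passing mechanism is enough
        return "accept"
    return "accept" if policy == "none" else policy

# Constructed sample messages (not taken from any real log).
SAMPLES = {
    "direct":            Auth(spf="pass", dkim="pass"),
    "forwarded":         Auth(spf="fail", dkim="pass"),
    "forwarded_no_dkim": Auth(spf="fail", dkim="none"),
    "spoofed":           Auth(spf="fail", dkim="fail"),
}

def compare(policy="reject"):
    """Return {name: (spf-directive verdict, DMARC verdict)} for each sample."""
    return {name: (spf_directive_receiver(a), dmarc_receiver(a, policy))
            for name, a in SAMPLES.items()}

if __name__ == "__main__":
    for name, verdicts in compare().items():
        print(f"{name:18} spf-only={verdicts[0]:7} dmarc={verdicts[1]}")
```

The "forwarded" row is the case raised in the quoted question: SPF fails at the forwarder, but the surviving DKIM signature supplies the single 'pass' that DMARC needs.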