Re: [dmarc-ietf] auth-res vs. dmarc
Michael Thomas <mike@mtcc.com> Tue, 29 December 2020 16:38 UTC
Return-Path: <mike@fresheez.com>
X-Original-To: dmarc@ietfa.amsl.com
Delivered-To: dmarc@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 5F6F83A0C6B for <dmarc@ietfa.amsl.com>; Tue, 29 Dec 2020 08:38:44 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.749
X-Spam-Level:
X-Spam-Status: No, score=-1.749 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HEADER_FROM_DIFFERENT_DOMAINS=0.25, HTML_MESSAGE=0.001, NICE_REPLY_A=-0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=no autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=mtcc.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id FTRUEB5bhMqm for <dmarc@ietfa.amsl.com>; Tue, 29 Dec 2020 08:38:41 -0800 (PST)
Received: from mail-pf1-x432.google.com (mail-pf1-x432.google.com [IPv6:2607:f8b0:4864:20::432]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 664063A0C64 for <dmarc@ietf.org>; Tue, 29 Dec 2020 08:38:41 -0800 (PST)
Received: by mail-pf1-x432.google.com with SMTP id h10so7295806pfo.9 for <dmarc@ietf.org>; Tue, 29 Dec 2020 08:38:41 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=mtcc.com; s=fluffulence; h=subject:to:cc:references:from:message-id:date:user-agent :mime-version:in-reply-to:content-language; bh=yXvPkcmgJkXj4XsZGw9NeolrOkYdiV52U1D3FXTtWZ8=; b=GJ3FEy4xMlqkNrxnZU+b47J/j5j/0BF7fPZczXFdtW9txOXXyrw5OzQv0NUKKvf2DA dBgt2VRqqgDd18Un3eFe+3XpfGFB0ohq20bDtf5irA5QEt/avpEWYUk6V6QL2+ATmlaX nMXwRC+jxC7Zm9vFm8o3ojS6G5utkbvd7bvifIVfBvtjArSuhkOXce5rRQSkdJPho4OX d+hbvZOARJevvGWL4pZepikeUAESdt51Ccr4fnAqK21GfMwc8V4GIm7o6uRQSJa1ij4K sF7lkjBLrgH6k0Yl03WyhoVwLPQjZDEpZzYYK0iAqJLAhwQTe45kT9A8V7cIV7utxaqj iPfQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:subject:to:cc:references:from:message-id:date :user-agent:mime-version:in-reply-to:content-language; bh=yXvPkcmgJkXj4XsZGw9NeolrOkYdiV52U1D3FXTtWZ8=; b=X5ZFaz4yi025VikU9CaSX7iwjUe12JguQcctHValjziKkFke6DyRlTe/7ShQ1qEPB1 ouIlye3VdWANb2xed6HpGA+EDHiVAHvZAF+sM3axnQg4eoC1ZnIGlmk+luPowA8hGoCs frisQjHeTTdYKbDkXTGUL0YcnGgS3z9fedceMYuZzGktX2gmobNYZkrIZj4jRaz1kqWx hurUXhGBrl4WXjtRX1t28AlEgxHBM1Yd2C+HBi2uQT8k+LrGBAYjbZEf3ChJ4VzN43L4 u2OmGGupVP7gSQbq0a8E6IOaIQhqhJajJNf7b150O6o8w+72m3d4obM0F2oQDhthUpsh Mi3g==
X-Gm-Message-State: AOAM531Q/eYRE/kUwxRO7MVBbWpJKpe5hdV/BIZkBrsecggMIn/dDC1P B96Oazun2xdz1fGecZm3OIKQcnnmmG9MFA==
X-Google-Smtp-Source: ABdhPJzDrEu9wOlrMyduiR1jrb4hiphUKP52ohYlB1BbihMZjp57R5aT9rTzNo26ArqcWr6cGQDdTQ==
X-Received: by 2002:a63:1f10:: with SMTP id f16mr44339831pgf.111.1609259920342; Tue, 29 Dec 2020 08:38:40 -0800 (PST)
Received: from mike-mac.lan ([107.182.37.0]) by smtp.gmail.com with ESMTPSA id h1sm28129117pgj.59.2020.12.29.08.38.39 (version=TLS1_3 cipher=TLS_AES_128_GCM_SHA256 bits=128/128); Tue, 29 Dec 2020 08:38:39 -0800 (PST)
To: Todd Herr <todd.herr@valimail.com>
Cc: "dmarc@ietf.org" <dmarc@ietf.org>
References: <9f6782b1-e85b-1a9c-9151-98feff7e18ea@mtcc.com> <CAHej_8m0OWsTt+tcSgUh+Fxu=HH_57nsb2O1Q_fgA2453ceh4g@mail.gmail.com>
From: Michael Thomas <mike@mtcc.com>
Message-ID: <140485eb-020f-4406-3f2f-e2c475ea51e5@mtcc.com>
Date: Tue, 29 Dec 2020 08:38:38 -0800
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:78.0) Gecko/20100101 Thunderbird/78.6.0
MIME-Version: 1.0
In-Reply-To: <CAHej_8m0OWsTt+tcSgUh+Fxu=HH_57nsb2O1Q_fgA2453ceh4g@mail.gmail.com>
Content-Type: multipart/alternative; boundary="------------6768575B4B827AE76B6DB809"
Content-Language: en-US
Archived-At: <https://mailarchive.ietf.org/arch/msg/dmarc/4MDbIjOoHJLERPsrON_-Iu2IV-c>
Subject: Re: [dmarc-ietf] auth-res vs. dmarc
X-BeenThere: dmarc@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "Domain-based Message Authentication, Reporting, and Compliance \(DMARC\)" <dmarc.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dmarc>, <mailto:dmarc-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dmarc/>
List-Post: <mailto:dmarc@ietf.org>
List-Help: <mailto:dmarc-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dmarc>, <mailto:dmarc-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 29 Dec 2020 16:38:44 -0000
On 12/28/20 5:17 AM, Todd Herr wrote: > On Sat, Dec 26, 2020 at 6:48 PM Michael Thomas <mike@mtcc.com > <mailto:mike@mtcc.com>> wrote: > > > I installed this handy dandy t-bird dkim verifier extension which > also > allows you to just use the upstream auth-res. After fixing a bug > in it, > I could see that it lists DMARC as a fail when DKIM failed, but SPF > passed. The _dmarc record has p=none, so it seems really odd to call > that a DMARC failure. Shouldn't it just be using the appropriate > p= tag > instead of "fail"? Is this left over from when Auth-res was mainly > for dkim? > > > A DMARC pass verdict requires not only that SPF or DKIM pass, but also > that the SPF or DKIM domain in question align with the DMARC > (RFC5322.From) domain. A message such as the following: > > * Return-Path: <foo@a.net <mailto:foo@a.net>> > * DKIM domain: b.org <http://b.org> > * From: bar@c.com <mailto:bar@c.com> > > Can get an SPF pass for a.net <http://a.net> and have its DKIM > signature validate, but still fail DMARC for c.com <http://c.com> > because neither a.net <http://a.net> nor b.org <http://b.org> align > with c.com <http://c.com>. > > Can you share the example auth-res header(s) in question along with > the DMARC policy record(s) for the message(s)? > Mail from this list is being set to DMARC=fail in the authentication results even with _DMARC is set to "p=none". My mail provider -- google -- is the one that is creating that auth-res. I just looked through DMARC and AUTH-RES (rfc 7601) and couldn't find any guidance as to what qualifies as "fail". Did I overlook something? My feeling is that failure should be reserved only in the case where both SPF and DKIM fail and that the p= > none. What I'd *really* like from a UI standpoint is the p= value passed along as well so I can decide to decorate reject differently from quarantine and none. Mike
- [dmarc-ietf] auth-res vs. dmarc Michael Thomas
- Re: [dmarc-ietf] auth-res vs. dmarc Todd Herr
- Re: [dmarc-ietf] auth-res vs. dmarc Hector Santos
- Re: [dmarc-ietf] auth-res vs. dmarc Michael Thomas
- Re: [dmarc-ietf] auth-res vs. dmarc Michael Thomas
- Re: [dmarc-ietf] auth-res vs. dmarc Todd Herr
- Re: [dmarc-ietf] auth-res vs. dmarc Michael Thomas
- Re: [dmarc-ietf] auth-res vs. dmarc Todd Herr
- Re: [dmarc-ietf] auth-res vs. dmarc Laura Atkins
- Re: [dmarc-ietf] auth-res vs. dmarc Michael Thomas
- Re: [dmarc-ietf] auth-res vs. dmarc Todd Herr
- Re: [dmarc-ietf] auth-res vs. dmarc Michael Thomas
- Re: [dmarc-ietf] auth-res vs. dmarc Todd Herr
- Re: [dmarc-ietf] auth-res vs. dmarc Michael Thomas
- Re: [dmarc-ietf] auth-res vs. dmarc Douglas Foster
- Re: [dmarc-ietf] auth-res vs. dmarc Kurt Andersen (b)
- Re: [dmarc-ietf] auth-res vs. dmarc Douglas Foster
- Re: [dmarc-ietf] auth-res vs. dmarc Alessandro Vesely
- Re: [dmarc-ietf] auth-res vs. dmarc Alessandro Vesely
- Re: [dmarc-ietf] auth-res vs. dmarc Todd Herr
- Re: [dmarc-ietf] auth-res vs. dmarc Michael Thomas
- Re: [dmarc-ietf] auth-res vs. dmarc Michael Thomas
- Re: [dmarc-ietf] auth-res vs. dmarc Michael Thomas
- Re: [dmarc-ietf] auth-res vs. dmarc Dotzero
- Re: [dmarc-ietf] auth-res vs. dmarc Laura Atkins
- Re: [dmarc-ietf] auth-res vs. dmarc Michael Thomas
- Re: [dmarc-ietf] auth-res vs. dmarc Todd Herr
- Re: [dmarc-ietf] auth-res vs. dmarc Todd Herr
- Re: [dmarc-ietf] auth-res vs. dmarc Michael Thomas
- Re: [dmarc-ietf] auth-res vs. dmarc Todd Herr
- Re: [dmarc-ietf] auth-res vs. dmarc Michael Thomas
- Re: [dmarc-ietf] auth-res vs. dmarc Michael Thomas
- Re: [dmarc-ietf] auth-res vs. dmarc Dotzero
- Re: [dmarc-ietf] auth-res vs. dmarc Michael Thomas
- Re: [dmarc-ietf] auth-res vs. dmarc Dotzero
- Re: [dmarc-ietf] auth-res vs. dmarc Todd Herr
- Re: [dmarc-ietf] auth-res vs. dmarc Michael Thomas
- Re: [dmarc-ietf] auth-res vs. dmarc Seth Blank
- Re: [dmarc-ietf] auth-res vs. dmarc Hector Santos
- Re: [dmarc-ietf] auth-res vs. dmarc Michael Thomas
- Re: [dmarc-ietf] auth-res vs. dmarc Seth Blank
- Re: [dmarc-ietf] auth-res vs. dmarc Alessandro Vesely
- Re: [dmarc-ietf] auth-res vs. dmarc Todd Herr
- Re: [dmarc-ietf] auth-res vs. dmarc Michael Thomas
- Re: [dmarc-ietf] auth-res vs. dmarc Alessandro Vesely
- Re: [dmarc-ietf] auth-res vs. dmarc Michael Thomas
- Re: [dmarc-ietf] auth-res vs. dmarc Seth Blank
- Re: [dmarc-ietf] auth-res vs. dmarc Michael Thomas
- Re: [dmarc-ietf] auth-res vs. dmarc Seth Blank
- Re: [dmarc-ietf] auth-res vs. dmarc Alessandro Vesely
- Re: [dmarc-ietf] auth-res vs. dmarc Alessandro Vesely
- Re: [dmarc-ietf] auth-res vs. dmarc John Levine
- Re: [dmarc-ietf] auth-res vs. dmarc Murray S. Kucherawy