Re: [dmarc-ietf] DMARC policy overrides

Matt Simerson <matt@tnpi.net> Tue, 02 July 2013 22:39 UTC

From: Matt Simerson <matt@tnpi.net>
Date: Tue, 02 Jul 2013 15:39:06 -0700
To: "Murray S. Kucherawy" <superuser@gmail.com>
Cc: Dave Crocker <dcrocker@gmail.com>, dmarc@ietf.org
Subject: Re: [dmarc-ietf] DMARC policy overrides

On Jul 2, 2013, at 1:42 PM, "Murray S. Kucherawy" <superuser@gmail.com> wrote:

> I also think it's necessary to consider some current realities.  In an architecture such as the one I use, filters operate serially on the data.  The SPF module runs ahead of DKIM, which in turn runs ahead of DMARC.

That is how I deploy as well.

> If the SPF module decides to act on a "-all" and reject the message, DMARC and DKIM simply can't happen.

SPF just returns a policy result. Whether or not your SPF module decides to reject the message based on that is a function of your module.  It is only your *implementation* that needs to be modified, not SPF.

I use qpsmtpd "out front" and I hacked in a universal 'reject' method that plugins call when they want to reject a message. Each plugin gets to specify a reject type. Most plugins (like SPF & DKIM) have a reject method of deferred, letting all the plugins have a go at the message first. Later plugins can override earlier ones (DMARC can override SPF and/or DKIM, AUTH can override everything, etc).

> DMARC, by saying SHOULD over SPF, is attempting to require that the SPF module change what it's doing.  That means, at least in my local example, that DMARC is not a pure overlay atop SPF and DKIM.

I run SPF and DKIM with a deferred rejection and then run the DMARC plugin.  If no DMARC policy is published, then the DMARC plugin exits and any deferred rejections get applied later.  If a DMARC policy is discovered, then any SPF and DKIM rejections should be nulled.

Again, these are implementation issues, not SPF or DKIM issues.

Matt
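The deferred-reject pipeline described in the message above, as an added example in Python; this is a model written for this page, not code from qpsmtpd or from the post. The Message fields, the plugin names, the DMARC_POLICY lookup table and the alignment rule are constructed assumptions.

```python
# Added example, not Matt's qpsmtpd code: a model of the deferred-reject pipeline
# from the post. Message fields and the DMARC_POLICY table are constructed.
from dataclasses import dataclass, field

@dataclass
class Message:
    from_domain: str            # RFC5322.From domain, what DMARC evaluates
    spf_result: str             # "pass" or "fail" (constructed)
    spf_domain: str             # MAIL FROM domain SPF was checked against
    dkim_result: str            # "pass" or "fail" (constructed)
    dkim_domain: str = ""       # d= of the verified DKIM signature
    authenticated: bool = False # SMTP AUTH succeeded
    deferred: dict = field(default_factory=dict)  # plugin -> reject reason

DMARC_POLICY = {"example.com": "reject"}  # stand-in for a _dmarc TXT lookup

def spf_plugin(msg):
    # SPF only yields a result; acting on "-all" is a local choice, deferred
    # here so later plugins get a go at the message first.
    if msg.spf_result == "fail":
        msg.deferred["spf"] = "SPF hard fail"

def dkim_plugin(msg):
    if msg.dkim_result == "fail":
        msg.deferred["dkim"] = "DKIM verification failed"

def dmarc_plugin(msg):
    policy = DMARC_POLICY.get(msg.from_domain)
    if policy is None:
        return  # no policy published: SPF/DKIM deferrals stay as they are
    msg.deferred.pop("spf", None)   # a policy exists, so DMARC's verdict
    msg.deferred.pop("dkim", None)  # replaces the SPF and DKIM ones
    aligned = (msg.spf_result == "pass" and msg.spf_domain == msg.from_domain) or \
              (msg.dkim_result == "pass" and msg.dkim_domain == msg.from_domain)
    if not aligned and policy == "reject":
        msg.deferred["dmarc"] = "DMARC policy reject"

def auth_plugin(msg):
    if msg.authenticated:
        msg.deferred.clear()  # AUTH overrides everything

PIPELINE = [spf_plugin, dkim_plugin, dmarc_plugin, auth_plugin]

def run(msg):
    for plugin in PIPELINE:
        plugin(msg)
    if msg.deferred:  # apply whichever deferred rejection survived
        name, reason = next(iter(msg.deferred.items()))
        return f"reject ({name}: {reason})"
    return "accept"
```

With a published policy, an SPF hard fail on its own no longer rejects a message that is DKIM-aligned; without a policy the deferred SPF rejection is applied at the end, exactly as the post describes.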