Re: [dmarc-ietf] nit - data integrity

Hector Santos <> Sat, 15 June 2019 18:39 UTC

On 6/14/2019 9:34 PM, wrote:

> The suggestion: provide guidelines on data integrity, which data
> providers should follow.
> Examples:
> - raw SPF 'fail' should never result in DMARC-SPF 'pass'
> - raw SPF 'pass' out of alignment with header_from should never result
> in DMARC-SPF 'pass'
> - raw DKIM not being shown should never result in DMARC-DKIM 'pass'
> etc
> I'm not saying that these situations don't occur for legitimate
> reasons, but the DMARC result is a logical evaluation.  If the result
> of that evaluation is other than the receiving system wants to apply,
> then all of the correct evaluations should still be listed, but the
> disposition can change, and local_policy explain.
> Is this something which can be simply stated in the specification, or
> would it belong solely in a 'DMARC XML generator BCP' document?

Reasons for sending reports?

What I think you are saying is:

If a domain's DMARC restrictive policy is going to be overridden by local
DMARC policy, then a DMARC report should be sent to the DMARC domain
providing the DMARC technical reasons why DMARC failures were not
rejected but instead accepted and passed to the user's eyeballs or

I think it would be interesting to know which DMARC receivers are
accepting what are otherwise DMARC rejectable failures.  A lawyer 
might be interested too, in the off chance an innocent user was 
damaged by the receiver's local DMARC policy.  The DMARC domain did 
its part. The DMARC receiver did not. <g>
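
The consistency rules listed in the quoted suggestion can be checked mechanically against an aggregate report. The sketch below is an added example, not part of the original message or of any participant's code. It uses the RFC 7489 aggregate-report element names; the function names and sample records are constructed for illustration, and organizational-domain matching is approximated by the last two labels.

```python
import xml.etree.ElementTree as ET

def org_domain(name):
    # Assumption: the last two labels stand in for the organizational domain;
    # a production checker would consult the Public Suffix List.
    return ".".join(name.lower().rstrip(".").split(".")[-2:])

def check_record(rec):
    """Return the integrity violations found in one <record> element."""
    header_from = rec.findtext("identifiers/header_from", "")
    problems = []
    for mech in ("spf", "dkim"):
        if rec.findtext(f"row/policy_evaluated/{mech}") != "pass":
            continue  # only a reported DMARC pass needs raw evidence
        raw = [(r.findtext("domain", ""), r.findtext("result", ""))
               for r in rec.findall(f"auth_results/{mech}")]
        if not raw:
            problems.append(f"DMARC-{mech} pass but no raw {mech} result shown")
        elif not any(res == "pass" for _, res in raw):
            problems.append(f"DMARC-{mech} pass but raw {mech} did not pass")
        elif not any(res == "pass" and org_domain(d) == org_domain(header_from)
                     for d, res in raw):
            problems.append(f"DMARC-{mech} pass but raw pass not aligned with header_from")
    return problems

def check_report(xml_text):
    """Map source_ip to violations for every inconsistent record."""
    return {rec.findtext("row/source_ip"): found
            for rec in ET.fromstring(xml_text).iter("record")
            if (found := check_record(rec))}

def make_record(ip, pe_spf, pe_dkim, raw):  # builds one constructed sample record
    auth = "".join(f"<{m}><domain>{d}</domain><result>{r}</result></{m}>" for m, d, r in raw)
    return (f"<record><row><source_ip>{ip}</source_ip><policy_evaluated>"
            f"<disposition>none</disposition><dkim>{pe_dkim}</dkim><spf>{pe_spf}</spf>"
            f"</policy_evaluated></row><identifiers><header_from>example.com</header_from>"
            f"</identifiers><auth_results>{auth}</auth_results></record>")

SAMPLE = "<feedback>" + "".join([  # constructed data, not from a real report
    make_record("192.0.2.1", "pass", "fail", [("spf", "example.com", "fail")]),
    make_record("192.0.2.2", "pass", "fail", [("spf", "bounce.other.test", "pass")]),
    make_record("192.0.2.3", "fail", "pass", [("spf", "example.com", "fail")]),
    make_record("192.0.2.4", "fail", "pass", [("dkim", "mail.example.com", "pass")]),
]) + "</feedback>"

if __name__ == "__main__":
    for ip, problems in check_report(SAMPLE).items():
        print(ip, problems)
```

The first three sample records each break one of the three listed rules; the fourth is consistent and is not flagged.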