Re: [dmarc-ietf] Ticket #1 - SPF alignment

Douglas Foster <> Wed, 03 February 2021 00:30 UTC

Yes, it is true that the spec says

    If a conclusive determination about the
    message can be made based on a check of "HELO", then the use of DNS
    resources to process the typically more complex "MAIL FROM" *can* be

However, it carefully avoids defining "definitive", which means the
interpretation of "definitive" is site-specific. To my interpretation,
"definitive" means a local policy to whitelist or blacklist based
exclusively on the HELO parameters. Such a decision will certainly allow
other operations to be omitted.

This interpretation is supported by the previous paragraph:

   It is RECOMMENDED that SPF verifiers not only check the "MAIL FROM"
   identity but also separately check the "HELO" identity by applying
   the check_host() function (Section 4) to the "HELO" identity as the
   <sender>.

and the subsequent paragraph:

   SPF verifiers MUST check the "MAIL FROM" identity if a "HELO" check
   either has not been performed or has not reached a definitive policy
   result by applying the check_host() function to the "MAIL FROM"
   identity as the <sender>.

We really have two different tests, which appear in the same document
because they exploit the same technology.

The limitations of Received-SPF become very conspicuous and problematic:

- The identifiers are only provided in comment text, which is optional
and has been omitted in the wild.

- Although comment text implementations appear to be standardized,
this is still less reliable than structured data.

- Even when the comment text can be parsed, only domain names are
provided, and the test type is not documented, so there is no way to
know whether the result is based on HELO or SMTP Address.

- Received-SPF needs to report two results for entities which perform
both tests, but multiple results simply create ambiguity.

- The Received-SPF cannot be linked to a specific Received entry.
The assumption is that it will only be used within a single ADMD,
where the perimeter is known and all internal MTAs are trusted.

We have integrated Received-SPF into A-R without improvement, and A-R
has been integrated into ARC without significant redesign.

Then we are hoping that a third-party organization will trust an ARC
which is based on this weak foundation.
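To make the Received-SPF complaints above concrete, here is a parser for the RFC 7208 Section 9.1 header syntax. It is an added example for this archived message, not code from the list, the RFC or the poster. It treats the optional `identity=` key-value pair (defined in Section 9.1 with the values `mailfrom` and `helo`) as the only structured statement of which identity a result covers; `envelope-from=` and `helo=` merely echo the SMTP parameters, and the free-text comment is matched only against the "domain of ..." wording of the RFC's own example. The three sample values are constructed: the first follows the RFC example plus `identity=`, the second carries only a comment, the third only a result, which is the minimal form the message describes.

```python
"""Parse RFC 7208 Section 9.1 Received-SPF values and attribute each result
to the identity (MAIL FROM or HELO) it covers, when that can be told at all.

Added example; not code from the dmarc-ietf list or from RFC 7208.
All sample header values below are constructed, not captured mail.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# result = "pass" / "fail" / "softfail" / "neutral" / "none" / "temperror" / "permerror"
RESULTS = {"pass", "fail", "softfail", "neutral", "none", "temperror", "permerror"}

# key-value-pair = key [CFWS] "=" ( dot-atom / quoted-string )
_KV = re.compile(r'\s*([A-Za-z0-9_-]+)\s*=\s*(?:"((?:[^"\\]|\\.)*)"|([^;\s]+))\s*')

# Heuristic for the comment wording used in the RFC 7208 example:
# "domain of myname@example.com designates 192.0.2.1 as permitted sender"
_DOMAIN_OF = re.compile(r"domain of (?:[^\s@]+@)?([A-Za-z0-9.-]+)")


@dataclass
class ReceivedSPF:
    result: str
    comment: Optional[str]
    params: Dict[str, str] = field(default_factory=dict)


def parse_received_spf(value: str) -> ReceivedSPF:
    """Parse the value of a Received-SPF field (the part after the colon).

    Grammar: result FWS [comment FWS] [key-value-list]. The comment is an
    RFC 5322 comment; nested parentheses are not handled here.
    """
    s = " ".join(value.split())  # unfold continuation lines
    m = re.match(r"([A-Za-z]+)\s*(?:\(([^()]*)\))?\s*(.*)$", s)
    if not m:
        raise ValueError(f"not a Received-SPF value: {value!r}")
    result, comment, rest = m.group(1).lower(), m.group(2), m.group(3)
    if result not in RESULTS:
        raise ValueError(f"unknown SPF result {result!r}")
    params: Dict[str, str] = {}
    # key-value-list = key-value-pair *( ";" [CFWS] key-value-pair ) [";"]
    # (a ";" inside a quoted-string value would be split here; keep simple)
    for item in rest.split(";"):
        kv = _KV.fullmatch(item)
        if kv:
            params[kv.group(1).lower()] = kv.group(2) if kv.group(2) is not None else kv.group(3)
    return ReceivedSPF(result, comment, params)


def checked_identity(h: ReceivedSPF) -> Optional[str]:
    """'mailfrom' or 'helo' when the optional identity= pair says so, else None.

    envelope-from= and helo= only echo what the client sent; they do not say
    which of the two identities check_host() was run against.
    """
    ident = h.params.get("identity", "").lower()
    return ident if ident in ("mailfrom", "helo") else None


def domain_from_comment(h: ReceivedSPF) -> Optional[str]:
    """Best-effort recovery of the checked domain from the free-text comment.

    Even when this succeeds it yields a domain name only: the same wording is
    used whether the domain came from MAIL FROM or from HELO.
    """
    if not h.comment:
        return None
    m = _DOMAIN_OF.search(h.comment)
    return m.group(1).lower() if m else None


def attribute_results(raw_values: List[str]) -> Dict[str, List[str]]:
    """Group Received-SPF results by the identity they cover.

    Results that carry no identity= pair cannot be tied to either identity
    and land under 'unattributed'; two or more of those is the ambiguity
    the message complains about.
    """
    out: Dict[str, List[str]] = {"mailfrom": [], "helo": [], "unattributed": []}
    for raw in raw_values:
        h = parse_received_spf(raw)
        out[checked_identity(h) or "unattributed"].append(h.result)
    return out


# Constructed samples (not captured mail). 1: RFC 7208 example shape plus
# identity=. 2: comment only, no key-value list. 3: bare result.
SAMPLES = [
    'pass (mybox.example.org: domain of myname@example.com designates '
    '192.0.2.1 as permitted sender) receiver=mybox.example.org; '
    'client-ip=192.0.2.1; envelope-from="myname@example.com"; '
    'helo=foo.example.com; identity=mailfrom',
    'fail (mx.example.net: domain of mail.example.com does not designate '
    '192.0.2.7 as permitted sender)',
    'pass',
]


def demo() -> Dict[str, List[str]]:
    """Attribute the constructed samples; only the first can be placed."""
    return attribute_results(SAMPLES)


if __name__ == "__main__":
    for raw in SAMPLES:
        h = parse_received_spf(raw)
        print(h.result, checked_identity(h), domain_from_comment(h))
    print(demo())
```

Run stand-alone it prints one line per sample and then the grouping; only the first sample is attributable to MAIL FROM, the second yields a domain but no identity, and the third yields nothing beyond the result.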