Re: [dmarc-ietf] Ticket #1 - SPF alignment
Scott Kitterman <sklist@kitterman.com> Wed, 27 January 2021 14:00 UTC
Return-Path: <sklist@kitterman.com>
X-Original-To: dmarc@ietfa.amsl.com
Delivered-To: dmarc@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 41B913A119B for <dmarc@ietfa.amsl.com>; Wed, 27 Jan 2021 06:00:33 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.099
X-Spam-Level:
X-Spam-Status: No, score=-2.099 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, SPF_HELO_FAIL=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=neutral reason="invalid (unsupported algorithm ed25519-sha256)" header.d=kitterman.com header.b=cQCrHRpO; dkim=pass (2048-bit key) header.d=kitterman.com header.b=mz9eUBC1
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id nPqJBsYwXypo for <dmarc@ietfa.amsl.com>; Wed, 27 Jan 2021 06:00:31 -0800 (PST)
Received: from interserver.kitterman.com (interserver.kitterman.com [IPv6:2604:a00:6:1039:225:90ff:feaa:b169]) (using TLSv1.2 with cipher ADH-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id C8B4F3A0C68 for <dmarc@ietf.org>; Wed, 27 Jan 2021 06:00:31 -0800 (PST)
Received: from interserver.kitterman.com (interserver.kitterman.com [IPv6:2604:a00:6:1039:225:90ff:feaa:b169]) by interserver.kitterman.com (Postfix) with ESMTPS id 33CB0F80263 for <dmarc@ietf.org>; Wed, 27 Jan 2021 09:00:30 -0500 (EST)
DKIM-Signature: v=1; a=ed25519-sha256; c=relaxed/simple; d=kitterman.com; i=@kitterman.com; q=dns/txt; s=201903e; t=1611756029; h=from : to : subject : date : message-id : in-reply-to : references : mime-version : content-transfer-encoding : content-type : from; bh=IAElUizHEY+UgkDdhb3sIRYQBupgFdgEap+AixAEyPc=; b=cQCrHRpOOUYi0kuVKSR9gAa/6VAxKggZZf4PRrf5/r0jmJis70izzj3MgTR1UO9Pt38VO Swf76uXEL4EEHD/AA==
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kitterman.com; i=@kitterman.com; q=dns/txt; s=201903r; t=1611756029; h=from : to : subject : date : message-id : in-reply-to : references : mime-version : content-transfer-encoding : content-type : from; bh=IAElUizHEY+UgkDdhb3sIRYQBupgFdgEap+AixAEyPc=; b=mz9eUBC1Walk9CVoxo7I0xdgm8t/8vcV61t/jyHYgJ9/4yvv76jEULvG6Wv8DkLQs0RKG GD1vAosri8cyYTj0tEG50Tr34j+6pRkt3bl4mJqqEhSUJgIRQ0SyX6t9ZOnykYDBRB087Gt Nfuoxlpv6iCQdoGG4vVWZo038ndhjvE53AfwuBTIVjC5l4yu5uJ+R+64j2StV4tUsQ6NYye FXTgj2amblw3b7gCthrLzxYv+Sy7h2SNcoXJWCAQ8Tz8eWbLxArLKy9kRuh0B29X4+DX+uR x6pqmJ1oLmBLf+CXzFIy2jzcCQt+HPTDJQvviP0UMwAofRuvpcLx8LNc85PA==
Received: from zini-1880.localnet (static-72-81-252-22.bltmmd.fios.verizon.net [72.81.252.22]) by interserver.kitterman.com (Postfix) with ESMTP id 8E0AFF80052 for <dmarc@ietf.org>; Wed, 27 Jan 2021 09:00:29 -0500 (EST)
From: Scott Kitterman <sklist@kitterman.com>
To: dmarc@ietf.org
Date: Wed, 27 Jan 2021 09:00:29 -0500
Message-ID: <3776619.NdRDDhGtae@zini-1880>
In-Reply-To: <c39916f8-33f5-9876-c018-53085f5cc8f5@tana.it>
References: <bef64e7a-571b-a73f-dc91-aa402ca320c8@taugh.com> <1655426.E2olI3CrJK@zini-1880> <c39916f8-33f5-9876-c018-53085f5cc8f5@tana.it>
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Content-Type: text/plain; charset="us-ascii"
Archived-At: <https://mailarchive.ietf.org/arch/msg/dmarc/SncvE3d_Ai63GMqTu8s5xnHtXkE>
Subject: Re: [dmarc-ietf] Ticket #1 - SPF alignment
X-BeenThere: dmarc@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "Domain-based Message Authentication, Reporting, and Compliance \(DMARC\)" <dmarc.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dmarc>, <mailto:dmarc-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dmarc/>
List-Post: <mailto:dmarc@ietf.org>
List-Help: <mailto:dmarc-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dmarc>, <mailto:dmarc-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 27 Jan 2021 14:00:33 -0000
On Wednesday, January 27, 2021 4:49:02 AM EST Alessandro Vesely wrote: > On Tue 26/Jan/2021 23:36:19 +0100 Scott Kitterman wrote: > > On Tuesday, January 26, 2021 11:47:51 AM EST Alessandro Vesely wrote: > >> On Tue 26/Jan/2021 14:14:45 +0100 Scott Kitterman wrote: > >>> On Tuesday, January 26, 2021 6:54:56 AM EST Alessandro Vesely wrote: > >>>> I doubt that SPF filters report envelope-from=postmaster@HELO; more > >>>> likely they write helo=HELO. In that case, the paragraph quoted above > >>>> is deceptive. >>>> > >>>> > >>>>> I believe the proposed text is clear enough about not using > >>>>> separate HELO identity results and that's appropriate. >>>> > >>>> > >>>> My filter collects SPF results recorded from an upstream SPF filter. > >>>> It writes Received-SPF: lines for each identity. For NDNs, it writes > >>>> a Received-SPF: for the HELO identity only. Am I allowed to use that > >>>> result for DMARC? >>> > >>> > >>> No. You should only use Mail From results. > >> > >> So NDNs having only an aligned HELO will never pass DMARC? > >> > >> And what is a <scope>helo</scope> element in aggregate reports provided > >> for?>> > >> The spec says: > >> [SPF] can authenticate either the domain that appears in the > >> > >> RFC5321.MailFrom (MAIL FROM) portion of [SMTP] or the RFC5321.EHLO/ > >> HELO domain, or both. > >> > >> And then: > >> In relaxed mode, the [SPF]-authenticated domain and RFC5322.From > >> domain must have the same Organizational Domain. In strict mode, > >> only an exact DNS domain match is considered to produce Identifier > >> Alignment. > >> > >> So, consider the following message without DKIM signatures: > >> > >> HELO example.org > >> MAIL FROM:<user@example.com> > >> > >> Received-SPF: pass (domain example.org > >> > >> designates 192.0.2.1 as permitted sender) > >> identity=helo; helo=example.org; > >> > >> Received-SPF: fail (domain of user@example.com > >> > >> denies 192.0.2.1 as permitted sender) > >> identity=mailfrom; envelope-from="user@example.com"; > >> > >> Subject: Not using a mail client for this example > >> From: different-user@example.org > >> > >> Does it pass DMARC? > > > > No. > > Let's not be silly, Scott. We have example.org as the SPF-authenticated > domain and it is aligned with From:. Are you saying that the message would > pass if it had an empty bounce address, but since it can bounce it does not > pass?!? All I'm saying is that DMARC only uses mail from results and that's appropriate. I don't think the case of HELO name being aligned, but mail from domain is not is one to worry about. Scott K
- Re: [dmarc-ietf] Ticket #1 - SPF alignment Alessandro Vesely
- [dmarc-ietf] Ticket #1 - SPF alignment John R Levine
- Re: [dmarc-ietf] Ticket #1 - SPF alignment Douglas Foster
- Re: [dmarc-ietf] Ticket #1 - SPF alignment Alessandro Vesely
- Re: [dmarc-ietf] Ticket #1 - SPF alignment Murray S. Kucherawy
- Re: [dmarc-ietf] Ticket #1 - SPF alignment Murray S. Kucherawy
- Re: [dmarc-ietf] Ticket #1 - SPF alignment Dotzero
- Re: [dmarc-ietf] Ticket #1 - SPF alignment Kurt Andersen (b)
- Re: [dmarc-ietf] Ticket #1 - SPF alignment John Levine
- Re: [dmarc-ietf] Ticket #1 - SPF alignment Douglas Foster
- Re: [dmarc-ietf] Ticket #1 - SPF alignment Alessandro Vesely
- Re: [dmarc-ietf] Ticket #1 - SPF alignment John R Levine
- Re: [dmarc-ietf] Ticket #1 - SPF alignment Alessandro Vesely
- Re: [dmarc-ietf] Ticket #1 - SPF alignment Todd Herr
- Re: [dmarc-ietf] Ticket #1 - SPF alignment Alessandro Vesely
- Re: [dmarc-ietf] Ticket #1 - SPF alignment Todd Herr
- Re: [dmarc-ietf] Ticket #1 - SPF alignment Scott Kitterman
- Re: [dmarc-ietf] Ticket #1 - SPF alignment Alessandro Vesely
- Re: [dmarc-ietf] Ticket #1 - SPF alignment Scott Kitterman
- Re: [dmarc-ietf] Ticket #1 - SPF alignment Alessandro Vesely
- Re: [dmarc-ietf] Ticket #1 - SPF alignment Scott Kitterman
- Re: [dmarc-ietf] Ticket #1 - SPF alignment Alessandro Vesely
- Re: [dmarc-ietf] Ticket #1 - SPF alignment Scott Kitterman
- Re: [dmarc-ietf] Ticket #1 - SPF alignment Alessandro Vesely
- Re: [dmarc-ietf] Ticket #1 - SPF alignment Scott Kitterman
- Re: [dmarc-ietf] Ticket #1 - SPF alignment Murray S. Kucherawy
- Re: [dmarc-ietf] Ticket #1 - SPF alignment Alessandro Vesely
- Re: [dmarc-ietf] Ticket #1 - SPF alignment Alessandro Vesely
- Re: [dmarc-ietf] Ticket #1 - SPF alignment Murray S. Kucherawy
- Re: [dmarc-ietf] Ticket #1 - SPF alignment Alessandro Vesely
- Re: [dmarc-ietf] Ticket #1 - SPF alignment Murray S. Kucherawy
- Re: [dmarc-ietf] Ticket #1 - SPF alignment Alessandro Vesely
- Re: [dmarc-ietf] Ticket #1 - SPF alignment Douglas Foster
- Re: [dmarc-ietf] Ticket #1 - SPF alignment Jim Fenton
- Re: [dmarc-ietf] Ticket #1 - SPF alignment John Levine
- Re: [dmarc-ietf] Ticket #1 - SPF alignment Douglas Foster
- Re: [dmarc-ietf] Ticket #1 - SPF alignment John Levine
- Re: [dmarc-ietf] Ticket #1 - SPF alignment Jim Fenton
- Re: [dmarc-ietf] Ticket #1 - SPF alignment John R Levine
- Re: [dmarc-ietf] Ticket #1 - SPF alignment Jim Fenton
- Re: [dmarc-ietf] Ticket #1 - SPF alignment John R Levine
- Re: [dmarc-ietf] Ticket #1 - SPF alignment Michael Thomas
- Re: [dmarc-ietf] Ticket #1 - SPF alignment Scott Kitterman
- Re: [dmarc-ietf] Ticket #1 - SPF alignment Douglas Foster
- Re: [dmarc-ietf] Ticket #1 - SPF alignment Douglas Foster
- Re: [dmarc-ietf] Ticket #1 - SPF alignment Alessandro Vesely
- Re: [dmarc-ietf] Ticket #1 - SPF alignment John R Levine
- Re: [dmarc-ietf] Ticket #1 - SPF alignment Douglas Foster
- Re: [dmarc-ietf] Ticket #1 - SPF alignment Scott Kitterman
- Re: [dmarc-ietf] Ticket #1 - SPF alignment Alessandro Vesely
- Re: [dmarc-ietf] Ticket #1 - SPF alignment Douglas Foster
- Re: [dmarc-ietf] Ticket #1 - SPF alignment Alessandro Vesely
- Re: [dmarc-ietf] Ticket #1 - SPF alignment Scott Kitterman
- Re: [dmarc-ietf] Ticket #1 - SPF alignment John Levine
- Re: [dmarc-ietf] Ticket #1 - SPF alignment Douglas Foster
- Re: [dmarc-ietf] Ticket #1 - SPF alignment Alessandro Vesely
- Re: [dmarc-ietf] Ticket #1 - SPF alignment Alessandro Vesely
- Re: [dmarc-ietf] Ticket #1 - SPF alignment Hector Santos
- Re: [dmarc-ietf] Ticket #1 - SPF alignment Hector Santos
- Re: [dmarc-ietf] Ticket #1 - SPF alignment John Levine
- Re: [dmarc-ietf] Ticket #1 - SPF alignment Alessandro Vesely
- Re: [dmarc-ietf] Ticket #1 - SPF alignment John R Levine
- Re: [dmarc-ietf] Ticket #1 - SPF alignment Jim Fenton
- Re: [dmarc-ietf] Ticket #1 - SPF alignment John R Levine
- Re: [dmarc-ietf] Ticket #1 - SPF alignment Douglas Foster
- Re: [dmarc-ietf] Ticket #1 - SPF alignment Douglas Foster
- Re: [dmarc-ietf] Ticket #1 - SPF alignment Alessandro Vesely
- Re: [dmarc-ietf] Ticket #1 - SPF alignment John Levine
- Re: [dmarc-ietf] Ticket #1 - SPF alignment Alessandro Vesely
- Re: [dmarc-ietf] Ticket #1 - SPF alignment John R Levine
- Re: [dmarc-ietf] Ticket #1 - SPF alignment Scott Kitterman
- Re: [dmarc-ietf] Ticket #1 - SPF alignment Dotzero
- Re: [dmarc-ietf] Ticket #1 - SPF alignment Kurt Andersen (b)
- Re: [dmarc-ietf] Ticket #1 - SPF alignment Dave Crocker
- Re: [dmarc-ietf] Ticket #1 - SPF alignment Douglas Foster
- Re: [dmarc-ietf] Ticket #1 - SPF alignment Todd Herr
- Re: [dmarc-ietf] Ticket #1 - SPF alignment John Levine
- Re: [dmarc-ietf] Ticket #1 - SPF alignment Douglas Foster
- Re: [dmarc-ietf] Ticket #1 - SPF alignment Scott Kitterman
- Re: [dmarc-ietf] Ticket #1 - SPF alignment Alessandro Vesely
- Re: [dmarc-ietf] Ticket #1 - SPF alignment Scott Kitterman
- Re: [dmarc-ietf] Ticket #1 - SPF alignment Kurt Andersen (b)
- Re: [dmarc-ietf] Ticket #1 - SPF alignment Douglas Foster
- Re: [dmarc-ietf] Ticket #1 - SPF alignment Dave Crocker
- Re: [dmarc-ietf] Ticket #1 - SPF alignment Scott Kitterman
- Re: [dmarc-ietf] Ticket #1 - SPF alignment Alessandro Vesely
- Re: [dmarc-ietf] Ticket #1 - SPF alignment Douglas Foster
- Re: [dmarc-ietf] Ticket #1 - SPF alignment Douglas Foster
- Re: [dmarc-ietf] Ticket #1 - SPF alignment Scott Kitterman
- Re: [dmarc-ietf] Ticket #1 - SPF alignment Seth Blank
- Re: [dmarc-ietf] Ticket #1 - SPF alignment John Levine