Re: [dmarc-ietf] Ticket #1 - SPF alignment

John R Levine <> Sun, 31 January 2021 16:52 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id C0F403A10FC for <>; Sun, 31 Jan 2021 08:52:15 -0800 (PST)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -2.1
X-Spam-Status: No, score=-2.1 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: (amavisd-new); dkim=pass (2048-bit key) header.b=ZpkDKETw; dkim=pass (2048-bit key) header.b=lITUjCKt
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id Nb-bDX4ys7d9 for <>; Sun, 31 Jan 2021 08:52:13 -0800 (PST)
Received: from ( [IPv6:2001:470:1f07:1126:0:43:6f73:7461]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by (Postfix) with ESMTPS id 440343A10FA for <>; Sun, 31 Jan 2021 08:52:12 -0800 (PST)
Received: (qmail 71855 invoked from network); 31 Jan 2021 16:52:12 -0000
DKIM-Signature: v=1; a=rsa-sha256; c=simple;; h=date:message-id:from:to:subject:in-reply-to:references:mime-version:content-type; s=118ab.6016e03c.k2101; bh=L9yM6koyTeSy0C+p3+3SB/U+xVqj/fkAiUhFMJvtZUw=; b=ZpkDKETwe6VfEwRQwiR2nqKGdxmajBuamNR9k1Wc55faxoDLYqsIAk9VozYOra/s9wQ/rPWSqITAPNCOyN3qZCGkmkvyc6bvUnomtom8PLPEvZdnWcJZq2CKqFmxWsH1UB4+qma5aHnOYgPC66VHv3vqPKtskUUoP36RwdWMvTkaJHz+2IR0tBui10cdpVZsA7ktYpGBv+rAfYnv3cJ63z67KlneX6ZZ4GmSN45bB7U4dwO36MFmTLmrpimSbGmIFswMblTHq1ANou7qVTlCUdVtsSKcvhyh0sB0rX7CPZ+gzhKcEJhSbxf0c7RcEng8iPWFDrT6HXxjLzyOm2upYw==
DKIM-Signature: v=1; a=rsa-sha256; c=simple;; h=date:message-id:from:to:subject:in-reply-to:references:mime-version:content-type; s=118ab.6016e03c.k2101; bh=L9yM6koyTeSy0C+p3+3SB/U+xVqj/fkAiUhFMJvtZUw=; b=lITUjCKtNGOD1QIOSjJYCUB/AAQiAl2NwXFphK0D8axtTR6p06B5KEN1UKLy3Lf9iXa/KlTjlY2zUD9dtJi9mKGpu/Y8mGFxWO4Ptg9tvTHJoqk3t0oY6FXKh7QaA/jOhlsCgnyeze4F0ZwFe7qA8Vy/QiTuShqe2xzBR7ma+SiQEr8AQuzHC3ZwrCDeAht/qJE7j8S5Ljn0BQz/0DzQMkmSPzwCGENbjMuOjrcUCVdPkW0PSUGHH1aOX8XFVSazWD5YBQ34SoWEaFsEKRdrMjBJatOQv+9AG07r4HvumWXttgsuwG3JWcgNe31BlElSBJVhxuq/nQCrZJsQItliJw==
Received: from ary.qy ([IPv6:2001:470:1f07:1126::78:696d:6170]) by ([IPv6:2001:470:1f07:1126::78:696d:6170]) with ESMTPS (TLS1.2 ECDHE-RSA AES-256-GCM AEAD) via TCP6; 31 Jan 2021 16:52:11 -0000
Received: by ary.qy (Postfix, from userid 501) id 3E56B6D0FAF5; Sun, 31 Jan 2021 11:52:10 -0500 (EST)
Received: from localhost (localhost []) by ary.qy (Postfix) with ESMTP id F38006D0FAD7; Sun, 31 Jan 2021 11:52:10 -0500 (EST)
Date: 31 Jan 2021 11:52:10 -0500
Message-ID: <>
From: "John R Levine" <>
To: "Alessandro Vesely" <>, "Jim Fenton" <>,
In-Reply-To: <>
References: <20210130212339.447316D04763@ary.qy> <> <> <>
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII; format=flowed
Archived-At: <>
Subject: Re: [dmarc-ietf] Ticket #1 - SPF alignment
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "Domain-based Message Authentication, Reporting, and Compliance \(DMARC\)" <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Sun, 31 Jan 2021 16:52:16 -0000

On Sun, 31 Jan 2021, Alessandro Vesely wrote:
> One way to interpret RFC 7489 is that you can put dmarc=pass based on the 
> helo identity *only if* MAIL FROM is null.

That would be consistent with 7489.

Sec 3.1.2 says

    Note that the RFC5321.HELO identity is not typically used in the
    context of DMARC (except when required to "fake" an otherwise null
    reverse-path), even though a "pure SPF" implementation according to
    [SPF] would check that identifier.

But then 4.1 says

    o  [SPF], which can authenticate both the domain found in an [SMTP]
       HELO/EHLO command (the HELO identity) and the domain found in an
       SMTP MAIL command (the MAIL FROM identity).  DMARC uses the result
       of SPF authentication of the MAIL FROM identity.  Section 2.4 of
       [SPF] describes MAIL FROM processing for cases in which the MAIL
       command has a null path.

That section of 7208 says that if there's a null bounce address, SPF 
pretends that the MAIL FROM was postmaster@HELO.

If we want, we can say not to use the SPF HELO identity, but that would be 
an incompatible change to 7489 and I suspect would not match what most 
DMARC checking code does.

John Levine,, Taughannock Networks, Trumansburg NY
Please consider the environment before reading this e-mail.