Re: [dmarc-ietf] ESC for Failed DMARC Validation

Дилян Палаузов <> Fri, 02 August 2019 20:19 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 7116C120822 for <>; Fri, 2 Aug 2019 13:19:35 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -1.999
X-Spam-Status: No, score=-1.999 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_NONE=-0.0001, SPF_NONE=0.001] autolearn=ham autolearn_force=no
Authentication-Results: (amavisd-new); dkim=pass (4096-bit key)
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id fjjLpIlbsKLB for <>; Fri, 2 Aug 2019 13:19:32 -0700 (PDT)
Received: from ( []) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by (Postfix) with ESMTPS id 6AF7012080D for <>; Fri, 2 Aug 2019 13:19:30 -0700 (PDT)
Authentication-Results:; auth=pass (LOGIN) smtp.auth=didopalauzov
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple;; s=k4096; t=1564777167;; r=y; bh=/lDEnu2LhVmQu5SQzr1X6BDsMavlK05y2XddwAu2BKI=; h=Subject:From:To:Cc:Date:In-Reply-To:References; b=B4WnfOSKy1zf4VV0Cn6/INese/xMkPWBQuqNJUi6zxVOMYTMioU29kRCvDABgLYpo ITAhKDWj5MOyDzgEmNsZvba8C3o+AAEA2gtNtXEy45pInijruh4UKSrY+XTNv5925W fpUsjYn3hBTlJaTm2c8UUJggCuAP1Yr1tBibI4Xc7CwmVbvChAhto3ltrjHBFeRC+e SVvPlb6EffuruXC65BbXkD8T8e6CmCm/OFGuP6/sOvbzA6Qgb8GlqfJU322pAP2QEF NNAgsIJ7XMWyq58HPxUNInnwBdP7HMXon3MV66z3wBHBV8A5JPNnQ8e1k3qwJpBcQX a3XywS4xOqT4Tbjvp9GonBEQxg8SrmKeNYpLVzW/P0tXKQMcpjdvEnmx8Y7JgbMquP 98yrY/8yZVzDINdGY2AWdV4BsvdASDxyff936hT9asg2oBu8tn1QCp77dhg+WtzZ9D /PzZYjp01cweL2UhV5+bb+pkU+seew0kPt+myW9zmaO6yUcwRbx1elkj5V9yLfz8bk MpjBq5Hhd6YXcFG6hiijAJdJhO4Uqqg/5P1o58swbkRWUCCIokk2QZeafGa6sdcSPQ uwgK8HNV5Wuk0mVjOf45fN/vpaOXKTWQXl26nd3XSnb9peNJM8n6j+5G4Yb7PBiU5H 1+NbxPiEqGx5zozuqy4La9ek=
Authentication-Results:; dkim=none
Received: from Tylan ( []) (authenticated bits=0) by (8.15.2/8.15.2) with ESMTPSA id x72KJQBX030953 (version=TLSv1.3 cipher=TLS_AES_256_GCM_SHA384 bits=256 verify=NO); Fri, 2 Aug 2019 20:19:27 GMT
Message-ID: <>
From: =?UTF-8?Q?=D0=94=D0=B8=D0=BB=D1=8F=D0=BD_?= =?UTF-8?Q?=D0=9F=D0=B0=D0=BB=D0=B0=D1=83=D0=B7=D0=BE=D0=B2?= <>
To: "Murray S. Kucherawy" <>
Cc: IETF DMARC WG <>, Alessandro Vesely <>
Date: Fri, 02 Aug 2019 20:19:26 +0000
In-Reply-To: <>
References: <> <> <> <>
Content-Type: text/plain; charset="UTF-8"
User-Agent: Evolution 3.33.90
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit
X-Virus-Scanned: clamav-milter 0.101.2 at
X-Virus-Status: Clean
Archived-At: <>
Subject: Re: [dmarc-ietf] ESC for Failed DMARC Validation
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "Domain-based Message Authentication, Reporting, and Compliance \(DMARC\)" <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Fri, 02 Aug 2019 20:19:40 -0000

Hello Murray,

ESC X.7.20, X.7.21 and X.7.22 are glued to return code 550, while I propose an ESC, that works also with 250.

Apart from this, X.7.20 and X.7.21 cannot be used instead of the proposed X.7.30:

If a site sees a valid DKIM signature, and previous experience with the domain signing DKIM leads to increased trust in
this domain, then the signature is acceptable, but it does not have to align with the From: address.

With X.7.22:

      Description:        This status code is returned when a message
                          contains one or more passing DKIM
                          signatures, but none are acceptable because
                          none have an identifier(s)
                          that matches the author address(es) found in
                          the From header field.  This is a special
                          case of X.7.21. (This violates the advice
                          of Section 6.1 of RFC 6376.)

If “none have an identifier that matches the author address found in the From header field” means, that the DKIM part of
DMARC fails, then this ESC can be recommended by the DMARC specification to signal to the sender, that the DKIM
implementations of sender and receiver disagree, as a light substitute to the failure reports.


On Fri, 2019-08-02 at 13:01 -0700, Murray S. Kucherawy wrote:
> On Fri, Aug 2, 2019 at 10:52 AM Дилян Палаузов <> wrote:
> > I mean an enhanced status code, as at 
> > .
> RFC7372 registered some for exactly this purpose (though not specific to DMARC).  Its Security Considerations section talks about the privacy risks.
> I don't know if they're actually in use.
> -MSK
> _______________________________________________
> dmarc mailing list