Re: [dmarc-ietf] Ticket #1 - SPF alignment

Alessandro Vesely <vesely@tana.it> Sun, 31 January 2021 12:01 UTC

Return-Path: <vesely@tana.it>
X-Original-To: dmarc@ietfa.amsl.com
Delivered-To: dmarc@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 9DE303A0CAC for <dmarc@ietfa.amsl.com>; Sun, 31 Jan 2021 04:01:42 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.121
X-Spam-Level:
X-Spam-Status: No, score=-2.121 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, NICE_REPLY_A=-0.001, RCVD_IN_MSPIKE_H3=-0.01, RCVD_IN_MSPIKE_WL=-0.01, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1152-bit key) header.d=tana.it
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id bmvjhJ0teznx for <dmarc@ietfa.amsl.com>; Sun, 31 Jan 2021 04:01:41 -0800 (PST)
Received: from wmail.tana.it (wmail.tana.it [62.94.243.226]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 3644F3A0CA2 for <dmarc@ietf.org>; Sun, 31 Jan 2021 04:01:40 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=tana.it; s=delta; t=1612094496; bh=FAPA/0tXnTBl2nHjZ5ib6j6pZumSMVh+iX3C+ZfpYQc=; l=1139; h=To:References:From:Date:In-Reply-To; b=CWWHarhaqNm+IT+odI+9b94AVq+lTRuB9Pz/5c8UrD3yxdNzQy8cpyFgEER0NHfnU HPjpWF7z/xfKs5oHq45zlpt/t6bIK8Bh+Ns2ejBv1ye7qZDw+kfFEpIOtO7gv/8XXC LFFTf/zQn7rAOxjdtTlyMxUqCNFmsrHak8t5HPdO44iHOzlsY11xWcR6OD1Cd
Authentication-Results: tana.it; auth=pass (details omitted)
Original-From: Alessandro Vesely <vesely@tana.it>
Received: from [172.25.197.111] (pcale.tana [172.25.197.111]) (AUTH: CRAM-MD5 uXDGrn@SYT0/k, TLS: TLS1.3, 128bits, ECDHE_RSA_AES_128_GCM_SHA256) by wmail.tana.it with ESMTPSA id 00000000005DC053.0000000060169C20.0000585F; Sun, 31 Jan 2021 13:01:36 +0100
To: John R Levine <johnl@taugh.com>, Jim Fenton <fenton@bluepopcorn.net>, dmarc@ietf.org
References: <20210130212339.447316D04763@ary.qy> <66EB1EFC-753D-49FA-8652-BABB10397990@bluepopcorn.net> <1edea785-2420-9812-643-c38bc4bf9577@taugh.com>
From: Alessandro Vesely <vesely@tana.it>
Message-ID: <16d8c498-9eb2-78c7-1cd3-e390c3e4d3cb@tana.it>
Date: Sun, 31 Jan 2021 13:01:35 +0100
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Thunderbird/78.6.0
MIME-Version: 1.0
In-Reply-To: <1edea785-2420-9812-643-c38bc4bf9577@taugh.com>
Content-Type: text/plain; charset=utf-8; format=flowed
Content-Language: en-US
Content-Transfer-Encoding: 8bit
Archived-At: <https://mailarchive.ietf.org/arch/msg/dmarc/lJSVDeeHP5FVKe8NuNhcwfJ7K0A>
Subject: Re: [dmarc-ietf] Ticket #1 - SPF alignment
X-BeenThere: dmarc@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "Domain-based Message Authentication, Reporting, and Compliance \(DMARC\)" <dmarc.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dmarc>, <mailto:dmarc-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dmarc/>
List-Post: <mailto:dmarc@ietf.org>
List-Help: <mailto:dmarc-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dmarc>, <mailto:dmarc-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 31 Jan 2021 12:01:43 -0000

On Sat 30/Jan/2021 22:57:44 +0100 John R Levine wrote:
> 
> Part of the problem here is that DMARC generally sits on top of an SPF library 
> which doesn't tell you how it got its result.  My DMARC code just calls the SPF 
> library and uses the result.  I suppose I could put in a hack to say don't use 
> the SPF result if the MAIL FROM is null, but I don't think that's what 7489 says.


One way to interpret RFC 7489 is that you can put dmarc=pass based on the helo 
identity *only if* MAIL FROM is null.  So the hack there is a bit more tricky. 
  You want to use the SPF result only if MAIL FROM is null, except in cases 
when you authenticate based on MAIL FROM.  That's idiosyncratic!



On Sat 30/Jan/2021 20:59:13 +0100 Jim Fenton wrote:
> The fact that a message sender can put anything there makes HELO basically
> meaningless.


Here "message sender" has to be a mail server admin.  Compare with MAIL FROM, 
where "message sender" is the actual author submitting a message.  How come 
that the same assertion being more widely true for MAIL FROM doesn't make the 
latter basically meaningless?



Best
Ale
--