Re: [dmarc-ietf] Ticket #1 - SPF alignment

Alessandro Vesely <> Tue, 26 January 2021 16:47 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 188293A0A63 for <>; Tue, 26 Jan 2021 08:47:57 -0800 (PST)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -0.221
X-Spam-Status: No, score=-0.221 tagged_above=-999 required=5 tests=[DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, NICE_REPLY_A=-0.001, RCVD_IN_MSPIKE_H3=-0.01, RCVD_IN_MSPIKE_WL=-0.01, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: (amavisd-new); dkim=pass (1152-bit key)
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id gyY_-Qlzo-0f for <>; Tue, 26 Jan 2021 08:47:55 -0800 (PST)
Received: from ( []) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by (Postfix) with ESMTPS id 24FAB3A0A4C for <>; Tue, 26 Jan 2021 08:47:53 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=delta; t=1611679672; bh=liNs2TtN2Aod49sRH9uuXPCrnYQ7wZITOMvl5eneQ0w=; l=2682; h=To:References:From:Date:In-Reply-To; b=Bg+FvQ85UhSmVt+SqRhMv4Dxsl95szOMF4YxNSePCkGsPmRvaVR6tUIvOe6jLkNvy sLeSAWGNml1rb1vh3qhEc10FQ970xOsXCioAJz20nCgs9k9Vr67ixlzGHG8/9ki6P0 Hh+IJPL8AaUig8BtBFbtvf1+0F9wmzOnr2U60eGlEk8ZqUumQ15j7ILOgWNyj
Authentication-Results:; auth=pass (details omitted)
Original-From: Alessandro Vesely <>
Received: from [] (pcale.tana []) (AUTH: CRAM-MD5 uXDGrn@SYT0/k, TLS: TLS1.3, 128bits, ECDHE_RSA_AES_128_GCM_SHA256) by with ESMTPSA id 00000000005DC028.00000000601047B8.00006497; Tue, 26 Jan 2021 17:47:52 +0100
References: <> <1627293.fjaifilARp@zini-1880> <> <1859075.lZWC7Mh21l@zini-1880>
From: Alessandro Vesely <>
Message-ID: <>
Date: Tue, 26 Jan 2021 17:47:51 +0100
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Thunderbird/78.6.0
MIME-Version: 1.0
In-Reply-To: <1859075.lZWC7Mh21l@zini-1880>
Content-Type: text/plain; charset=us-ascii; format=flowed
Content-Language: en-US
Content-Transfer-Encoding: 7bit
Archived-At: <>
Subject: Re: [dmarc-ietf] Ticket #1 - SPF alignment
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "Domain-based Message Authentication, Reporting, and Compliance \(DMARC\)" <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Tue, 26 Jan 2021 16:47:57 -0000

On Tue 26/Jan/2021 14:14:45 +0100 Scott Kitterman wrote:
> On Tuesday, January 26, 2021 6:54:56 AM EST Alessandro Vesely wrote:
>> On Mon 25/Jan/2021 22:35:09 +0100 Scott Kitterman wrote:
>>> On Monday, January 25, 2021 4:04:33 PM EST Todd Herr wrote:
>>>> May I propose that the section labeled "SPF-Authenticated Identifiers" be
>>>> rewritten as follows:
>>>> [...]
>>>>    The reader should note that SPF alignment checks in DMARC rely solely
>>>>    on the RFC5321.MailFrom domain. This differs from section 2.3 of
>>>>    [@!RFC7208], which recommends that SPF checks be done on not only the
>>>>    "MAIL FROM" but also on a separate check of the "HELO" identity. >
>>> I think this is fine, but there is a subtlety to be aware of.
>>> If you look at RFC 7208 Section 2.4, when Mail From is null,
>>> postmaster@HELO is the mail from for SPF purposes.  DMARC really can't
>>> change that.
>>> As a result, there are cases where Mail From results actually are derived
>>> from HELO and it's unavoidable.
>> I doubt that SPF filters report envelope-from=postmaster@HELO; more likely
>> they write helo=HELO.  In that case, the paragraph quoted above is
>> deceptive.
>>> I believe the proposed text is clear enough about not using separate HELO
>>> identity results and that's appropriate.
>> My filter collects SPF results recorded from an upstream SPF filter.  It
>> writes Received-SPF: lines for each identity.  For NDNs, it writes a
>> Received-SPF: for the HELO identity only.  Am I allowed to use that result
>> for DMARC?
> No.  You should only use Mail From results.

So NDNs having only an aligned HELO will never pass DMARC?

And what is a <scope>helo</scope> element in aggregate reports provided for?

The spec says:

          [SPF] can authenticate either the domain that appears in the
    RFC5321.MailFrom (MAIL FROM) portion of [SMTP] or the RFC5321.EHLO/
    HELO domain, or both.

And then:

    In relaxed mode, the [SPF]-authenticated domain and RFC5322.From
    domain must have the same Organizational Domain.  In strict mode,
    only an exact DNS domain match is considered to produce Identifier

So, consider the following message without DKIM signatures:


Received-SPF: pass (domain
   designates as permitted sender)
Received-SPF: fail (domain of
   denies as permitted sender)
   identity=mailfrom; envelope-from="".com";
Subject: Not using a mail client for this example

Does it pass DMARC?