Re: [spfbis] Result of record evaluation with non-implemented mechanism
Scott Kitterman <spf2@kitterman.com> Wed, 13 January 2016 03:56 UTC
Return-Path: <spf2@kitterman.com>
X-Original-To: spfbis@ietfa.amsl.com
Delivered-To: spfbis@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 9B94E1B2CE8 for <spfbis@ietfa.amsl.com>; Tue, 12 Jan 2016 19:56:31 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.002
X-Spam-Level:
X-Spam-Status: No, score=-2.002 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id fv0YOikxSbnY for <spfbis@ietfa.amsl.com>; Tue, 12 Jan 2016 19:56:30 -0800 (PST)
Received: from mailout03.controlledmail.com (mailout03.controlledmail.com [IPv6:2607:f0d0:3001:aa::2]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 0D0E41B2CE7 for <spfbis@ietf.org>; Tue, 12 Jan 2016 19:56:29 -0800 (PST)
Received: from kitterma-e6430.localnet (static-72-81-252-21.bltmmd.fios.verizon.net [72.81.252.21]) (using TLSv1 with cipher ECDHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by mailout03.controlledmail.com (Postfix) with ESMTPSA id AFAC5C405C9 for <spfbis@ietf.org>; Tue, 12 Jan 2016 21:56:28 -0600 (CST)
DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=kitterman.com; s=201409; t=1452657388; bh=hl/ItDos+IXiWvmTLlP67gH/GGzbZOJeOMf0MmtnVO0=; h=From:To:Subject:Date:In-Reply-To:References:From; b=y70vTwDnUkVrlxUCl3o5r9du7kn+Uv5zTMBN1ebBDfNQU1Srp575PsiJD4sbYo0vj q9aXLALAvwZ/LrytKPJZhsduyzw8wKGV6RINgzG5/JrDqN2y1xWoMKa9K8gxRbbIlN t5VGN2GQnK0t8Pf9clwqXVx3UqPWLK+8EdfxcMNA=
From: Scott Kitterman <spf2@kitterman.com>
To: spfbis@ietf.org
Date: Tue, 12 Jan 2016 22:56:28 -0500
Message-ID: <1880087.thFNaSE3HX@kitterma-e6430>
User-Agent: KMail/4.13.3 (Linux/3.13.0-71-generic; KDE/4.13.3; x86_64; ; )
In-Reply-To: <5695253F.6060702@tana.it>
References: <5695253F.6060702@tana.it>
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Content-Type: text/plain; charset="us-ascii"
Archived-At: <http://mailarchive.ietf.org/arch/msg/spfbis/RpLq0_oafluMUZCNivXnOM2YO0A>
Subject: Re: [spfbis] Result of record evaluation with non-implemented mechanism
X-BeenThere: spfbis@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: SPFbis discussion list <spfbis.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/spfbis>, <mailto:spfbis-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/spfbis/>
List-Post: <mailto:spfbis@ietf.org>
List-Help: <mailto:spfbis-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/spfbis>, <mailto:spfbis-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 13 Jan 2016 03:56:31 -0000
On Tuesday, January 12, 2016 05:09:35 PM Alessandro Vesely wrote: > Hi, > RFC 7208 doesn't seem to be very clear on the requirements for "exists" > mechanisms. I don't know if that deserves an errata. > > The spec defines mechanisms, but Section 4.6.4 "DNS Lookup Limits" does not > mention "exists", while Section 5.7 "exists" does not mention return values. > > OTOH, dmarcian reports that "exists" mechanisms are not fully supported by > all high-volume receivers. In fact, google.com returns permfail for the > record in the first bullet of Appendix D.1, unless a match is found before > "exists". > > According to Section 2.6.7 "Permerror", Google signal an error condition > that definitely requires DNS operator intervention to be resolved. Tools > which parse DMARC aggregate feedback correctly report an issue, to no avail > :-O > > You see, SPF receivers are divided into two categories: those with a loaded > check_host() function and those who never reject on fail. Google never > reject on fail. Why do they return permerror, then? Wouldn't "none" be > fine? > > 4.6.2. *Mechanisms* > > The second paragraph there may be a good point to pin an errata: > > OLD > When a mechanism is evaluated, one of three things can happen: it can > match, not match, or return an exception. > > NEW > When a mechanism is evaluated, one of three things can happen: it can > match, not match, or return an exception. Non-implemented mechanisms > MUST NOT return an exception. > > Better ideas? The way the RFC is designed, mechanisms aren't optional. What you're asking for is not something that should be done via errata. 4.6.2 is correct and exists is no different than any other mechanism. Scott K
- [spfbis] Result of record evaluation with non-imp… Alessandro Vesely
- Re: [spfbis] Result of record evaluation with non… Scott Kitterman
- Re: [spfbis] Result of record evaluation with non… S Moonesamy
- Re: [spfbis] Result of record evaluation with non… Tim Draegen
- Re: [spfbis] Result of record evaluation with non… Alessandro Vesely
- Re: [spfbis] Result of record evaluation with non… Alessandro Vesely