[Mailman-Users] Mailman, DMARC and OpenDKIM

Mark Sapiro mark at msapiro.net
Sun Apr 27 21:14:39 CEST 2014 

On 04/27/2014 11:00 AM, Richard Damon wrote:

> One question I have had over how this works is why SPF is added to the
> mix. If the message passes SPF, then it has come directly from a server
> that is supposedly controlled by the sending provider. Said server
> should have been able to DKIM sign the message, so you should never see
> a message that passes SPF but fails DKIM.


SPF applies to the domain of the envelope sender, not the From: address.
It only says that the server that delivered this message is authorized
(or not) for the domain of the envelope sender.


> Was that option just put in to allow an organization to just implement
> SPF (and ignore DKIM), but change SPF to require the alignment to From: ?


I think the intent is that any domain that implements a DMARC policy
will both publish SPF and DKIM sign, but the draft spec explicitly
allows for the sending domain to not do both[1].

For a DMARC test to succeed either SPF must pass and the SPF domain must
align with the From: domain or there must be a valid DKIM signature with
a d= domain aligned with the From: domain.

Note that this doesn't represent any change in either SPF or DKIM. It is
just an additional requirement on the domains of these tests.

So, if a relay modifies the domain of the envelope sender, e.g. like
most mailing lists changes it to some bounce at my.domain, SPF may pass,
but the domains won't align. For SPF to allow the message to pass DMARC
validation, the envelope sender's domain must align with the From:
domain and the server which delivered the mail to the recipient MTA must
be authorized by the SPF of the envelope sender's domain.

[1] From sec 10.2 of the draft spec.
   Heuristics applied in the absence of use by a Domain Owner of either
   SPF or DKIM (e.g., [Best-Guess-SPF]) SHOULD NOT be used, as it may be
   the case that the Domain Owner wishes a Message Receiver not to
   consider the results of that underlying authentication protocol at
   all.

-- 
Mark Sapiro <mark at msapiro.net>        The highway is for gamblers,
San Francisco Bay Area, California    better use your sense - B. Dylan

More information about the Mailman-Users mailing list