[opendmarc-dev] draft: patch to implement an override mechanism for MLMs

Juri Haberland juri at sapienti-sat.org
Thu May 26 12:24:38 PDT 2016


On 26.05.2016 17:41, Scott Kitterman wrote:
> On Thursday, May 26, 2016 03:52:02 PM Juri Haberland wrote:

>> I thought for DMARC, a failure report is always sent if authentication
>> fails, regardless of the delivery result (at least section 7.3 of RFC 7489
>> seems to state this).
> 
> You're right, sorry.  The challenge is that the DMARC processing element 
> generally won't know the actual message disposition (it might be rejected or 
> quarantined at some later stage of processing), so I'm not sure how you fill 
> that out accurately at the DMARC stage.

Call it "best effort" ;-) It will report what it tells the MTA to do -
what the MTA really does is unknown. But in a typical setup with Postfix
or Sendmail, the MTA will reject the mail if OpenDMARC's implementation of
mlfi_eom() returns SMFIS_REJECT.

What we currently really cannot do is follow the RFC regarding the required
DKIM-Domain, DKIM-Identity, DKIM-Selector and SPF-DNS header fields:
DKIM-Domain and DKIM-Identity are doable and would require only moderate
changes, but DKIM-Selector and SPF-DNS (especially the TXT or SPF RR) are
completely unknown to OpenDMARC unless we use the internal SPF code and
additionally implement an internal DKIM code for the DKIM-Selector header
field ...

  Juri
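
The DKIM-Domain, DKIM-Identity and DKIM-Selector report fields discussed above correspond to the d=, i= and s= tags of a message's DKIM-Signature header (RFC 6376). As an added example that is not part of the original message and is not OpenDMARC code, this C code shows the tag-list parsing such an internal DKIM step would need; `dkim_tag`, `dkim_fields_from_sig` and `struct dkim_fields` are hypothetical names and the header value is a constructed sample.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

struct dkim_fields { char domain[256], identity[320], selector[256]; };
/* Copy tag's value from a DKIM-Signature tag-list (RFC 6376, 3.2); 0 if found. */
static int dkim_tag(const char *hdr, const char *tag, char *out, size_t outlen)
{
    size_t tlen = strlen(tag);
    for (const char *p = hdr; *p != '\0'; ) {
        const char *end = p + strcspn(p, ";");      /* one tag-spec: [p, end) */
        while (p < end && isspace((unsigned char)*p))
            p++;
        const char *eq = memchr(p, '=', (size_t)(end - p));
        const char *nend = eq;                      /* end of the tag name */
        while (nend != NULL && nend > p && isspace((unsigned char)nend[-1]))
            nend--;
        if (eq != NULL && (size_t)(nend - p) == tlen && !strncmp(p, tag, tlen)) {
            size_t n = 0;                           /* drop folding whitespace */
            for (const char *v = eq + 1; v < end; v++)
                if (!isspace((unsigned char)*v) && n + 1 < outlen)
                    out[n++] = *v;
            out[n] = '\0';
            return 0;
        }
        p = (*end == ';') ? end + 1 : end;
    }
    return -1;
}

/* Parsing only: nothing is verified; the caller picks the signature. */
static int dkim_fields_from_sig(const char *sig, struct dkim_fields *f)
{
    if (dkim_tag(sig, "d", f->domain, sizeof f->domain) ||
        dkim_tag(sig, "s", f->selector, sizeof f->selector))
        return -1;                                  /* d= and s= are required */
    if (dkim_tag(sig, "i", f->identity, sizeof f->identity))   /* i= absent: */
        snprintf(f->identity, sizeof f->identity, "@%s", f->domain); /* "@" d= */
    return 0;
}

int main(void)
{
    struct dkim_fields f;   /* header value below is a constructed sample */
    if (!dkim_fields_from_sig("v=1; d=example.org;\r\n\ts=mail2016; b=c2FtcGxl", &f))
        printf("DKIM-Domain: %s\nDKIM-Identity: %s\nDKIM-Selector: %s\n",
               f.domain, f.identity, f.selector);
    return 0;
}
```

A message can carry several DKIM-Signature headers, so a report should use the fields of the signature that was actually evaluated.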


