[opendmarc-dev] draft: patch to implement an override mechanism for MLMs

Scott Kitterman sklist at kitterman.com
Thu May 26 13:55:32 PDT 2016


On Thursday, May 26, 2016 09:24:38 PM Juri Haberland wrote:
> On 26.05.2016 17:41, Scott Kitterman wrote:
> > On Thursday, May 26, 2016 03:52:02 PM Juri Haberland wrote:
> >> I thought for DMARC, a failure report is always sent if authentication
> >> fails, regardless of the delivery result (at least section 7.3 of RFC
> >> 7489 seems to state this).
> > 
> > You're right, sorry.  The challenge is that the DMARC processing element
> > generally won't know the actual message disposition (it might be rejected
> > or quarantined at some later stage of processing), so I'm not sure how
> > you fill that out accurately at the DMARC stage.
> 
> Call it "best effort" ;-) It will report, what it tells the MTA to do -
> what the MTA really does, is unknown. But in a typical setup with Postfix
> or Sendmail, the MTA will reject the mail if OpenDMARC's implementation of
> mlfi_eom() returns SMFIS_REJECT.
> 
> What we currently really cannot do is follow the RFC regarding the required
> DKIM-Domain, DKIM-Identity, DKIM-Selector and SPF-DNS header fields:
> DKIM-Domain and DKIM-Identity are doable and would require only moderate
> changes, but DKIM-Selector and SPF-DNS (especially the TXT or SPF RR) are
> completely unknown to OpenDMARC unless we use the internal SPF code and
> additionally implement an internal DKIM code for the DKIM-Selector header
> field ...

The DNS Type SPF is removed in RFC 7208, so you can skip worrying about that.
Since SPF is only a TXT query, we know the domain, and opendmarc already
retrieves TXT records, it probably wouldn't be a lot of effort to do a TXT query
for the SPF domain and use the result as SPF-DNS (you'll have to handle the
case of multiple records being returned and use all that start with "v=spf1 "
- I say all as I imagine that to capture information about the error case of
two or more SPF records if there are any, you'd want to stuff them all in
SPF-DNS).

For DKIM-Selector, you might look at modifying opendkim to include the 
selector somewhere in the AR header field it adds and you could extract it.

Scott K
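As an illustration of the record-selection step discussed in this message (pick every TXT record that is an SPF record, keep all of them so that the two-or-more-records error case is visible in the report), here is an added Python example; it is not OpenDMARC code. It generalizes slightly beyond the "v=spf1 " prefix in the message by following RFC 7208 section 4.5, where the version section is exactly "v=spf1" terminated by a space or the end of the record (so a bare "v=spf1" matches and "v=spf10" does not). The domain name and TXT records are constructed sample data, and the "SPF-DNS: txt : domain : record" layout of the emitted field is an assumption modelled on the AFRF style in RFC 6591, not copied from it.

```python
"""Select SPF records from a TXT lookup and emit SPF-DNS report fields.

Added example; not part of OpenDMARC. The report-field layout is an
assumption modelled on RFC 6591's AFRF fields.
"""
from dataclasses import dataclass, field
from typing import List


@dataclass
class SpfDnsResult:
    domain: str
    records: List[str] = field(default_factory=list)   # every matching v=spf1 record
    verdict: str = "none"                               # "none", "single" or "multiple"

    def report_fields(self) -> List[str]:
        # One SPF-DNS line per record; with two or more SPF records this
        # deliberately exposes the permerror condition to the report reader.
        return [f"SPF-DNS: txt : {self.domain} : {rec}" for rec in self.records]


def is_spf_record(txt: str) -> bool:
    """RFC 7208 s4.5: version section is exactly "v=spf1", ended by SP or EOR."""
    head = txt[:6].lower()
    return head == "v=spf1" and (len(txt) == 6 or txt[6] == " ")


def collect_spf_dns(domain: str, txt_records: List[str]) -> SpfDnsResult:
    """Keep all SPF records so the multi-record error case is not hidden."""
    matching = [rec for rec in txt_records if is_spf_record(rec)]
    if not matching:
        verdict = "none"
    elif len(matching) == 1:
        verdict = "single"
    else:
        verdict = "multiple"   # RFC 7208 treats this as permerror
    return SpfDnsResult(domain, matching, verdict)


# Constructed sample TXT answers for a hypothetical domain (not real DNS data).
SAMPLE_DOMAIN = "example.com"
SAMPLE_TXT_SINGLE = [
    "google-site-verification=abc123",      # unrelated TXT record, ignored
    "v=spf10 ip4:192.0.2.0/24 -all",        # looks similar but is not SPF
    "v=spf1 mx -all",                        # the one real SPF record
]
SAMPLE_TXT_MULTIPLE = [
    "v=spf1 mx -all",
    "V=SPF1 ip4:192.0.2.0/24 ~all",          # second SPF record: misconfiguration
]

if __name__ == "__main__":
    for txt in (SAMPLE_TXT_SINGLE, SAMPLE_TXT_MULTIPLE):
        result = collect_spf_dns(SAMPLE_DOMAIN, txt)
        print(f"verdict={result.verdict}")
        for line in result.report_fields():
            print(line)
```

The verdict is computed separately from the field list so that a caller can both attach every record to the failure report and decide, independently, whether the lookup itself was a permerror.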