On Thu, 2017-03-30 at 15:21 +1100, Mark Andrews wrote:
Well you should be checking the correct TXT record for SPF.
dig marketo-email.box.com txt +short
"v=spf1 ip4:192.28.147.168 ip4:192.28.147.169 -all"
Hm, a closer reading of rfc7489 sheds some light on this:

Would dmarc-spf consider marketo-email.box.com to be 'aligned' with the from header email.box.com domain? It is neither a child nor parent of email.box.com. The _dmarc txt record for email.box.com has no aspf: tag, so we should be operating in spf/dkim relaxed alignment mode.

rfc7489, when discussing relaxed identifier alignment, says the "Organizational Domain" of the identifiers must match. But there is no explicit example of that. Instead, the examples talk about one of the identifiers being a parent of the other identifier.

The envelope from marketo-email.box.com and the 2822 header from email.box.com have the same box.com organizational domain. If we ignore the examples in rfc7489, it looks like this is NOT broken.

I am probably not the only one that wrote code matching on the parent/child relationship of the identifiers, rather than computing the Organizational Domains and matching those.

As Mr. Hodgson pointed out, box.com has very recently started sending mail with multiple dkim signatures, header.d=email.box.com and 2822 header from = email.box.com.

Now off to fix my code.
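The two alignment checks contrasted in this message, as an added example that is not part of the original email or anyone's production code. It compares the parent/child shortcut with the Organizational Domain comparison from RFC 7489 section 3.2. The suffix set is a constructed stand-in for the Public Suffix List (no wildcard or exception rules), and the function names are hypothetical.

```python
# Constructed, minimal stand-in for the Public Suffix List (assumption:
# a real checker loads the full list published at publicsuffix.org).
PUBLIC_SUFFIXES = {"com", "org", "net", "uk", "co.uk"}


def _norm(domain: str) -> str:
    return domain.lower().rstrip(".")


def organizational_domain(domain: str) -> str:
    """Longest matching public suffix plus one more label (RFC 7489, 3.2)."""
    labels = _norm(domain).split(".")
    # Candidates run from the longest suffix to the shortest, so the first
    # hit is the suffix matching the largest number of labels.
    for i in range(len(labels)):
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            # i == 0: the name is itself a public suffix, nothing to prepend.
            return ".".join(labels[max(i - 1, 0):])
    # No suffix known: treat the rightmost label as the suffix (assumption,
    # mirroring the Public Suffix List default rule).
    return ".".join(labels[-2:])


def parent_child_aligned(a: str, b: str) -> bool:
    """The shortcut: equal, or one name is an ancestor of the other."""
    a, b = _norm(a), _norm(b)
    return a == b or a.endswith("." + b) or b.endswith("." + a)


def relaxed_aligned(a: str, b: str) -> bool:
    """Relaxed mode: the Organizational Domains must be equal."""
    return organizational_domain(a) == organizational_domain(b)


if __name__ == "__main__":
    header_from = "email.box.com"          # RFC 5322 From domain, from the message
    mail_from = "marketo-email.box.com"    # envelope sender domain, from the message
    print("parent/child:", parent_child_aligned(mail_from, header_from))
    print("org domain:  ", relaxed_aligned(mail_from, header_from))
    # Constructed counter-case: siblings under co.uk must NOT align, which is
    # why the suffix list is needed instead of "compare the last two labels".
    print("co.uk pair:  ", relaxed_aligned("mail.example.co.uk", "other.co.uk"))
```

The sibling pair from the message fails the shortcut but passes the Organizational Domain comparison, while the constructed co.uk pair is rejected.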