On Wed, 2017-03-29 at 09:24 -0700, Alan Hodgson wrote:
So for DMARC+SPF to pass not only must the message come from a source authorized by the envelope sender domain, but that domain must be the same domain (or parent domain or subdomain) of the header From: address.
For DMARC+DKIM to pass, the DKIM signature must pass and the DKIM signing domain must be the same domain (or parent domain or subdomain) of the header From: address.
Again, DMARC requires only one or the other mechanism to pass. So messages forwarded intact should be OK if they have an aligned DKIM signature.
Brad Knowles wrote:
...and it's easy to set things up in a way that you wind up shooting yourself in the foot -- and possibly with a large thermonuclear device.
For an example of that (unless I am misunderstanding something), we have:

    --> Hello marketo-email.box.com [192.28.147.169], pleased to meet you
    <-- MAIL FROM:<$MUNGED@marketo-email.box.com>
    <-- RCPT TO: ...

    dkim pass header.d=mktdns.com
    rfc2822 from header = $MUNGED@email.box.com

    dig _dmarc.email.box.com txt +short
    "v=DMARC1; p=reject; ..."

    dig email.box.com txt +short
    "v=spf1 ip4:192.28.147.168 -all"

So given the DMARC reject policy, it needs to pass either SPF (which fails: 192.28.147.168 != 192.28.147.169) or DKIM (which fails since it is not signed by anything related to email.box.com). Am I missing something, or is that just broken?
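The alignment rules from the thread, turned into a small evaluator as an added example (not code from any poster): DMARC passes only if SPF or DKIM passes and that mechanism's domain aligns with the From: header domain. The two-label organizational-domain rule is a simplification (a real evaluator uses the Public Suffix List), and the inputs are constructed from the transcript above.

```python
# Added example: minimal DMARC identifier-alignment evaluation in the spirit of RFC 7489,
# not code from the mailing-list post. The organizational-domain rule below is a
# two-label simplification (assumption); real evaluators use the Public Suffix List.

def org_domain(domain: str) -> str:
    """Organizational domain, simplified to the last two DNS labels (no PSL)."""
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])

def aligned(auth_domain: str, from_domain: str, mode: str) -> bool:
    """Identifier alignment: 's' = strict (exact match), 'r' = relaxed (same org domain)."""
    a, f = auth_domain.lower().rstrip("."), from_domain.lower().rstrip(".")
    return a == f if mode == "s" else org_domain(a) == org_domain(f)

def dmarc_evaluate(from_domain, spf, dkim, aspf="r", adkim="r", policy="reject"):
    """spf: (result, MAIL FROM domain); dkim: list of (result, d= domain) tuples.
    DMARC passes if either mechanism passes AND its identifier aligns with the
    RFC 5322 From: domain. Returns (passed, disposition, reasons)."""
    reasons = []
    spf_result, spf_domain = spf
    spf_aligned = aligned(spf_domain, from_domain, aspf)
    reasons.append(f"spf={spf_result} domain={spf_domain} aligned={spf_aligned}")
    spf_ok = spf_result == "pass" and spf_aligned
    dkim_ok = False
    for result, d in dkim:
        dkim_aligned = aligned(d, from_domain, adkim)
        reasons.append(f"dkim={result} d={d} aligned={dkim_aligned}")
        dkim_ok = dkim_ok or (result == "pass" and dkim_aligned)
    passed = spf_ok or dkim_ok
    return passed, ("none" if passed else policy), reasons

# Constructed from the transcript in the post: From: domain email.box.com, MAIL FROM
# domain marketo-email.box.com, SPF evaluated as fail, DKIM pass with d=mktdns.com.
BOX_EXAMPLE = dmarc_evaluate(
    "email.box.com", spf=("fail", "marketo-email.box.com"), dkim=[("pass", "mktdns.com")]
)

# Alan Hodgson's forwarding case (constructed domains): SPF breaks at the forwarder,
# but an intact, aligned DKIM signature still satisfies DMARC.
FORWARDED_EXAMPLE = dmarc_evaluate(
    "example.org", spf=("fail", "forwarder.example.net"), dkim=[("pass", "example.org")]
)

if __name__ == "__main__":
    for name, (ok, disposition, why) in (("box", BOX_EXAMPLE), ("forwarded", FORWARDED_EXAMPLE)):
        print(f"{name}: dmarc={'pass' if ok else 'fail'} disposition={disposition}; " + "; ".join(why))
```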