Opened 8 years ago

Last modified 20 months ago

#3 infoneeded defect

Two tiny nits

Reported by: superuser@…
Owned by: todd.herr@…
Priority: major
Milestone: Deliverable #3 (changes to DMARC base spec + DMARC Usage Guide
Component: dmarc-bis
Version:
Severity: -
Keywords:
Cc:

Description

To: dmarc@…
From: Anne Bennett <anne@…>
Date: Fri, 16 Jan 2015 19:41:29 -0500
Subject: [dmarc-ietf] ... and two more tiny nits, while I'm at it

Having just spent several hours poring over this document
(-12), I might as well send my additional minor observations.
I suspect that some of you will consider these items trivial,
but they gave me pause as I went back and forth through several
sections of the text to make sure I understood correctly. So...

In "6.6.2. Determine Handling Policy", items 3 and 4, it
would be helpful to make it clear whether only "passed" checks
are passed back from SPF and DKIM to DMARC modules, or only
"pass/fail", or all results including temporary errors.

In "6.6.3 Policy discovery", item 3, I think you mean that
the OD must be looked up if AND ONLY IF the set is now empty.
Otherwise, one does run the risk of ending up with several
records, which item 5 implies is erroneous.

Change History (11)

comment:1 Changed 5 years ago by kboth+ietf@…

  • Component set to dmarc-future-notes

comment:2 Changed 21 months ago by todd.herr@…

  • Component changed from dmarc-future-notes to dmarc-bis

comment:3 Changed 21 months ago by todd.herr@…

  • Owner set to todd.herr@…
  • Status changed from new to accepted

Current text from 6.6.2:

3.  Perform DKIM signature verification checks.  A single email could
    contain multiple DKIM signatures.  The results of this step are
    passed to the remainder of the algorithm and MUST include the
    value of the "d=" tag from each checked DKIM signature.

4.  Perform SPF validation checks.  The results of this step are
    passed to the remainder of the algorithm and MUST include the
    domain name used to complete the SPF check.

Spot checking my Gmail mailbox seems to indicate that Google is returning not just pass/fail but also reasons for failure, so I propose this:

3.  Perform DKIM signature verification checks.  A single email could
    contain multiple DKIM signatures.  The results of this step are
    passed to the remainder of the algorithm, MUST include "pass" or 
    "fail", and if "fail", SHOULD include information about the reasons 
    for failure. The results further MUST include the value of the "d=" 
    tag from each checked DKIM signature. 

4.  Perform SPF validation checks.  The results of this step are
    passed to the remainder of the algorithm, MUST include "pass" or 
    "fail", and if "fail", SHOULD include information about the reasons 
    for failure. The results further MUST include the domain name 
    used to complete the SPF check.

There may also be another ticket about including selectors in aggregate reports, which might argue for the results including not just d= but also s= in item 3.

Last edited 21 months ago by todd.herr@…

comment:4 Changed 21 months ago by todd.herr@…

The current text from 6.6.3 reads:

3.  If the set is now empty, the Mail Receiver MUST query the DNS for
    a DMARC TXT record at the DNS domain matching the Organizational
    Domain in place of the RFC5322.From domain in the message (if
    different).  This record can contain policy to be asserted for
    subdomains of the Organizational Domain.  A possibly empty set of
    records is returned.

so I'm not sure if this part of the ticket is still applicable.
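
The fallback described in step 3, read as "if and only if the set is empty", as an added example that is not part of the ticket or the draft. The TXT data is constructed, the function names are hypothetical, and the Organizational Domain is assumed to be supplied by the caller (for example from a public suffix list lookup).

```python
# Added example: DMARC policy discovery (section 6.6.3, items 1-5).
# TXT maps a DNS name to its TXT strings. It is constructed sample data
# standing in for real DNS answers.
TXT = {
    "_dmarc.example.com": ["v=DMARC1; p=reject; sp=quarantine"],
    "_dmarc.mail.example.com": ["site-verification=constructed"],  # not DMARC
    "_dmarc.dup.example.net": ["v=DMARC1; p=none", "v=DMARC1; p=reject"],
    "_dmarc.example.net": ["v=DMARC1; p=reject"],
}


def is_dmarc(record):
    """True when the first tag of the record is v=DMARC1."""
    tag, _, value = record.split(";", 1)[0].partition("=")
    return tag.strip() == "v" and value.strip() == "DMARC1"


def dmarc_records(domain, txt, queried):
    """Query _dmarc.<domain>, log the name, discard non-DMARC records."""
    name = "_dmarc." + domain
    queried.append(name)
    return [r for r in txt.get(name, []) if is_dmarc(r)]


def discover_policy(from_domain, org_domain, txt=TXT):
    """Return (policy record or None, list of DNS names queried)."""
    from_domain = from_domain.lower().rstrip(".")
    org_domain = org_domain.lower().rstrip(".")
    queried = []
    records = dmarc_records(from_domain, txt, queried)
    # Item 3: query the Organizational Domain only when the set is empty
    # and the two domains differ. A non-empty set never triggers it.
    if not records and org_domain != from_domain:
        records = dmarc_records(org_domain, txt, queried)
    # Item 5: no records or several records means no policy is applied.
    policy = records[0] if len(records) == 1 else None
    return policy, queried


if __name__ == "__main__":
    for frm, org in [("mail.example.com", "example.com"),
                     ("dup.example.net", "example.net"),
                     ("none.example.org", "example.org")]:
        print(frm, "->", discover_policy(frm, org))
```

For `dup.example.net` the From domain already returns two records, so the Organizational Domain is not queried and discovery ends with no policy rather than with a larger, still ambiguous set.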

comment:5 Changed 21 months ago by todd.herr@…

  • Status changed from accepted to started

comment:6 Changed 21 months ago by todd.herr@…

Moving forward with this text in Section 6.6.2:

3.  Perform DKIM signature verification checks.  A single email could
    contain multiple DKIM signatures.  The results of this step are
    passed to the remainder of the algorithm, MUST include "pass" or
    "fail", and if "fail", SHOULD include information about the reasons
    for failure. The results MUST further include the value of the "d="
    and "s=" tags from each checked DKIM signature.

4.  Perform SPF validation checks.  The results of this step are
    passed to the remainder of the algorithm, MUST include "pass" or
    "fail", and if "fail", SHOULD include information about the reasons
    for failure. The results MUST further include the domain name used
    to complete the SPF check.

comment:7 Changed 21 months ago by todd.herr@…

Merged to main branch in GitHub

comment:8 Changed 21 months ago by todd.herr@…

  • Resolution set to fixed
  • Status changed from started to closed

comment:9 Changed 20 months ago by todd.herr@…

  • Resolution fixed deleted
  • Status changed from closed to new

comment:10 Changed 20 months ago by todd.herr@…

  • Status changed from new to assigned

comment:11 Changed 20 months ago by todd.herr@…

  • Status changed from assigned to infoneeded