I would like to clarify the following scenario with DMARC (assuming there is a published DMARC policy):

  • SPF fails
  • No (aligned or any) DKIM records

Should the result of the DMARC check be none or fail? Technically we cannot align anything with From, thus we couldn't find any aligned identifiers (because a failing SPF cannot align), so we should return none, but also:

> If one or more of the Authenticated Identifiers align with the RFC5322.From domain, the message is considered to pass the DMARC mechanism check. All other conditions (authentication failures, identifier mismatches) are considered to be DMARC mechanism check failures.

charlag

1 Answer

A DMARC validation can only pass if either DKIM or SPF is valid and aligned and none of this is the case in your example. This means that the DMARC validation will not succeed. But a DMARC validation will not be done in the first place if no DMARC policy record exists.

This means that the DMARC result as shown in the Authentication-Results header will be `fail` if a valid DMARC policy record exists and `none` if no such record exists.

Steffen Ullrich
  • What about 11.2. Authentication-Results Result Registry Update; Code: none; Meaning: No DMARC policy record was published for the aligned identifier, or no aligned identifier could be extracted. – charlag Feb 11 '20 at 16:56
  • @charlag: I've misread your question, see my updated answer. Basically the result shown in the `Authentication-Results` header depends if there was a policy record published or not, which is not known from your question. – Steffen Ullrich Feb 11 '20 at 17:46
  • I assumed that there is a DMARC policy, I will update the answer. Then if SPF failed || (∀ DKIM identifier check failed) || (no aligned DKIM && no aligned SPF) then result should be `fail`. Is this correct? – charlag Feb 11 '20 at 19:51
  • @charlag: Your equation implies that it is sufficient that either SPF or DKIM fails or no alignment for both - this is not true. For example, DMARC passes if SPF succeeds and SPF is aligned. Essentially it is enough that one of SPF and DKIM is both valid and aligned and then the other does not matter. – Steffen Ullrich Feb 11 '20 at 20:09
  • So it would be "DMARC failed if (SPF failed || SPF not aligned) && no DKIM succeeded"? – charlag Feb 12 '20 at 09:07
  • 1. There is also alignment in DKIM. The d= tag should align with the FROM domain. 2. Regarding your last equation: this is the intended message of your quote from the RFC. "If one or more of the Authenticated `[PASS result]` Identifiers `[SPF or DKIM]` align with the RFC5322.From domain(...)" So the result will be PASS unless, not FAIL unless: if (SPF PASS && Aligned) || (DKIM Pass && aligned) then DMARC = PASS. This matters because this also takes into account None, TempError and PermError results for SPF and DKIM. – Reinto Feb 12 '20 at 09:27
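
Added example, not part of the original thread: the rule the answer and the last comment arrive at (`none` without a policy record, `pass` if SPF or DKIM both passes and aligns, otherwise `fail`), written out in Python and run over constructed cases. The names `Auth`, `org_domain`, `aligned` and `dmarc_result` are hypothetical, and the organizational domain is assumed to be the last two labels instead of being derived from the Public Suffix List.

```python
from dataclasses import dataclass

@dataclass
class Auth:
    result: str  # "pass", "fail", "none", "temperror", "permerror", ...
    domain: str  # SPF: RFC5321.MailFrom domain; DKIM: the signature's d= tag

def org_domain(domain):
    # ASSUMPTION: the last two labels stand in for the organizational domain.
    # A real verifier derives it from the Public Suffix List.
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def aligned(auth_domain, from_domain, mode):
    a, f = auth_domain.lower().rstrip("."), from_domain.lower().rstrip(".")
    if mode == "s":                        # strict: exact domain match
        return a == f
    return org_domain(a) == org_domain(f)  # relaxed: same organizational domain

def dmarc_result(from_domain, policy_published, spf=None, dkim=(),
                 aspf="r", adkim="r"):
    if not policy_published:
        return "none"                      # no policy record to evaluate against
    if spf and spf.result == "pass" and aligned(spf.domain, from_domain, aspf):
        return "pass"
    for sig in dkim:
        if sig.result == "pass" and aligned(sig.domain, from_domain, adkim):
            return "pass"
    # SPF/DKIM fail, none, temperror, permerror or unaligned all end up here.
    return "fail"

# Constructed scenarios using example domains (not taken from the thread).
SCENARIOS = [
    ("SPF fail, no DKIM (the question)", dict(spf=Auth("fail", "example.com"))),
    ("SPF fail, aligned DKIM pass",
     dict(spf=Auth("fail", "example.com"), dkim=[Auth("pass", "example.com")])),
    ("SPF pass but unaligned, no DKIM", dict(spf=Auth("pass", "bounce.example.net"))),
    ("aligned DKIM temperror only", dict(dkim=[Auth("temperror", "example.com")])),
]

if __name__ == "__main__":
    for name, kwargs in SCENARIOS:
        print(f"{name}: dmarc={dmarc_result('example.com', True, **kwargs)}")
```
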