Closed priyadi closed 7 years ago
DMARC requires SPF check on From address, not envelope MAIL FROM
SPF check in DMARC was broken because it checks SPF on envelope address, not From header.
I believe you are misreading DMARC's requirements. DMARC does not strictly require SPF. Nor does it strictly require DKIM. However, for DMARC to return a pass result, the domain in the From header must be [optionally strict] aligned with the domain that:
If you wish to disagree with me or the DMARC plugin, please include citations to the DMARC RFC and the relevant portions of the code you believe are implementing it incorrectly.
Sorry for not making myself clear. I understand DMARC needs at least one of DKIM and SPF validation. However, when doing SPF checks, currently qpsmtpd uses address from MAIL FROM, not 'From' header. DMARC requires checking on 'From' header, not MAIL FROM. This is different from SPF on its own, without DMARC.
This breaks emails where MAIL FROM address has different domain part than the 'From' address (and don't have DKIM signature). It is my understanding that SPF on its own checks MAIL FROM, but SPF under DMARC must check 'From' address.
> However, when doing SPF checks, currently qpsmtpd uses address from MAIL FROM, not 'From' header.
Correct.
> DMARC requires checking on 'From' header, not MAIL FROM. This is different from SPF on its own, without DMARC.
That's only partly correct. DMARC does not require SPF validation on the From header, it instead requires only alignment of the domain in the From header with SPF or a passing DKIM domain.
> This is different from SPF on its own, without DMARC.
SPF still works exactly as SPF did without DMARC. However, if you want to get a DMARC pass, then the From header must be aligned with SPF or DKIM.
> This breaks emails where MAIL FROM address has different domain part than the 'From' address (and don't have DKIM signature).
Yep, that's how DMARC is supposed to work. SPF makes it much harder to forge the envelope MAIL FROM and DMARC makes it much harder to forge the From header.
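The alignment rule discussed in the reply above, as an added example that is not qpsmtpd's code or part of the original thread. The domains are constructed samples, the small suffix set is an assumed stand-in for the Public Suffix List, and the function names are hypothetical.

```python
# Added illustration of DMARC identifier alignment (RFC 7489); not qpsmtpd code.
# Assumption: this tiny constructed set stands in for the Public Suffix List.
PUBLIC_SUFFIXES = {"com", "org", "net", "co.uk"}

def org_domain(domain):
    """Organizational domain: longest matching public suffix plus one label."""
    labels = domain.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[max(i - 1, 0):])
    return ".".join(labels[-2:])  # fallback for suffixes outside the sample set

def aligned(from_domain, auth_domain, strict=False):
    """Strict: exact domain match. Relaxed: same organizational domain."""
    a = from_domain.lower().rstrip(".")
    b = auth_domain.lower().rstrip(".")
    return a == b if strict else org_domain(a) == org_domain(b)

def dmarc_result(from_domain, spf_result, mail_from_domain,
                 dkim_pass_domains=(), aspf="r", adkim="r"):
    """Return (result, mechanism).

    SPF is still evaluated against the envelope MAIL FROM domain; DMARC only
    asks whether that authenticated domain aligns with the From header domain.
    aspf/adkim are the policy record's alignment modes: "r" relaxed, "s" strict.
    """
    if spf_result == "pass" and aligned(from_domain, mail_from_domain, aspf == "s"):
        return ("pass", "spf")
    for d in dkim_pass_domains:  # d= domains of signatures that verified
        if aligned(from_domain, d, adkim == "s"):
            return ("pass", "dkim")
    return ("fail", None)

if __name__ == "__main__":
    # Constructed case from the thread: SPF passes for a MAIL FROM domain that
    # differs from the From header domain, and there is no DKIM signature.
    print(dmarc_result("example.com", "pass", "esp-mailer.net"))
    # Same message with an aligned, verified DKIM signature.
    print(dmarc_result("example.com", "pass", "esp-mailer.net", ["example.com"]))
    # Subdomain bounce address: aligned in relaxed mode, not in strict mode.
    print(dmarc_result("example.com", "pass", "bounce.example.com"))
    print(dmarc_result("example.com", "pass", "bounce.example.com", aspf="s"))
```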
SPF check in DMARC was broken because it checks SPF on envelope address, not From header.
This is a little quick and dirty, but works for me. It is not very efficient as it does From SPF checks even if it is not necessary.