smtpd / qpsmtpd

qpsmtpd is a flexible smtpd daemon written in Perl
http://smtpd.github.io/qpsmtpd/
MIT License

DMARC requires SPF check on From address, not envelope MAIL FROM #286

Closed priyadi closed 7 years ago

priyadi commented 7 years ago

SPF check in DMARC was broken because it checks SPF on envelope address, not From header.

This is a little quick and dirty, but works for me. It is not very efficient as it does From SPF checks even if it is not necessary.

coveralls commented 7 years ago

Coverage decreased (-0.2%) to 48.618% when pulling 306d7d65770cd3e50193e92ffc47681e6f8d0a0b on priyadi:dmarc_spf_fix into 65fd1b21507b16fa4772360f0fe5d78678b70d53 on smtpd:master.

msimerson commented 7 years ago

DMARC requires SPF check on From address, not envelope MAIL FROM

SPF check in DMARC was broken because it checks SPF on envelope address, not From header.

I believe you are misreading DMARC's requirements. DMARC does not strictly require SPF. Nor does it strictly require DKIM. However, for DMARC to return a pass result, the domain in the From header must be [optionally strict] aligned with the domain that:

If you wish to disagree with me or the DMARC plugin, please include citations to the DMARC RFC and the relevant portions of the code you believe are implementing it incorrectly.

priyadi commented 7 years ago

Sorry for not making myself clear. I understand DMARC needs at least one of DKIM and SPF validation. However, when doing SPF checks, currently qpsmtpd uses address from MAIL FROM, not 'From' header. DMARC requires checking on 'From' header, not MAIL FROM. This is different from SPF on its own, without DMARC.

This breaks emails where the MAIL FROM address has a different domain part than the 'From' address (and don't have a DKIM signature). It is my understanding that SPF on its own checks MAIL FROM, but SPF under DMARC must check the 'From' address.

msimerson commented 7 years ago

However, when doing SPF checks, currently qpsmtpd uses address from MAIL FROM, not 'From' header.

Correct.

DMARC requires checking on 'From' header, not MAIL FROM. This is different from SPF on its own, without DMARC.

That's only partly correct. DMARC does not require SPF validation on the From header, it instead requires only alignment of the domain in the From header with SPF or a passing DKIM domain.

This is different from SPF on its own, without DMARC.

SPF still works exactly as SPF did without DMARC. However, if you want to get a DMARC pass, then the From header must be aligned with SPF or DKIM.

This breaks emails where MAIL FROM address has different domain part than the 'From' address (and don't have DKIM signature).

Yep, that's how DMARC is supposed to work. SPF makes it much harder to forge the envelope MAIL FROM and DMARC makes it much harder to forge the From header.
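The alignment rule msimerson describes above, written out as runnable code (this is an added illustration, not qpsmtpd's DMARC plugin, and it is in Python rather than the project's Perl). It follows RFC 7489 section 3.1: SPF is still evaluated on the envelope identity (MAIL FROM, or HELO when the reverse path is null), and DMARC then only compares the SPF-authenticated domain, or a passing DKIM signature's d= domain, with the domain in the From header, exactly or by organizational domain depending on the aspf/adkim tags. The `PUBLIC_SUFFIXES` set is a constructed, deliberately tiny stand-in for the Public Suffix List, and the three sample messages are constructed to cover the cases argued about in this thread.

```python
"""DMARC identifier alignment (RFC 7489 section 3.1), added illustration only.

Assumes the MTA has already produced SPF and DKIM results; this code only
decides whether those results are *aligned* with the RFC5322.From domain.
"""
from dataclasses import dataclass, field
from typing import List

# Constructed stand-in for the Public Suffix List. A real implementation must
# use the full list (for example via the publicsuffix2 module).
PUBLIC_SUFFIXES = {"com", "org", "net", "co.uk"}


def organizational_domain(domain: str) -> str:
    """Public suffix plus one label: bounces.example.com -> example.com."""
    labels = domain.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            # The label immediately left of the public suffix is the org domain.
            return ".".join(labels[max(i - 1, 0):])
    return ".".join(labels)  # unknown suffix: treat the whole name as organizational


def is_aligned(header_from_domain: str, authenticated_domain: str, mode: str) -> bool:
    """mode is the aspf/adkim tag value: 's' (strict) or 'r' (relaxed)."""
    a, b = header_from_domain.lower(), authenticated_domain.lower()
    if mode == "s":
        return a == b
    if mode == "r":
        return organizational_domain(a) == organizational_domain(b)
    raise ValueError(f"unknown alignment mode {mode!r}")


@dataclass
class DkimSignature:
    domain: str   # the d= tag of the signature
    result: str   # verification result: "pass", "fail", "none", ...


@dataclass
class Message:
    header_from_domain: str   # domain part of RFC5322.From
    mail_from_domain: str     # domain part of RFC5321.MailFrom ("" for a null sender)
    helo_domain: str          # RFC5321.HELO, the SPF identity when MailFrom is null
    spf_result: str           # "pass", "fail", "softfail", "none", ...
    dkim_signatures: List[DkimSignature] = field(default_factory=list)


def spf_authenticated_domain(msg: Message) -> str:
    # SPF is evaluated on the envelope identity, just as SPF alone does.
    # DMARC never re-runs SPF against the From header; it only compares.
    return msg.mail_from_domain or msg.helo_domain


def dmarc_evaluate(msg: Message, aspf: str = "r", adkim: str = "r") -> dict:
    """Return which mechanisms are aligned and the resulting DMARC verdict."""
    spf_ok = msg.spf_result == "pass" and is_aligned(
        msg.header_from_domain, spf_authenticated_domain(msg), aspf)
    dkim_ok = any(
        sig.result == "pass" and is_aligned(msg.header_from_domain, sig.domain, adkim)
        for sig in msg.dkim_signatures)
    return {"spf_aligned": spf_ok, "dkim_aligned": dkim_ok, "dmarc_pass": spf_ok or dkim_ok}


# Constructed sample messages (hypothetical domains).
# 1. Bounce subdomain in MAIL FROM, no DKIM: aligned under relaxed, not under strict.
RELAXED_ONLY = Message("example.com", "bounces.example.com", "mx.example.com", "pass")
# 2. The case from this thread: SPF passes for the MAIL FROM domain, but that domain
#    is unrelated to the From header and there is no DKIM signature. DMARC fails.
UNALIGNED = Message("example.com", "example.net", "mx.example.net", "pass")
# 3. Same unrelated envelope, but the message carries a passing DKIM signature with
#    d=example.com: DKIM alignment gives the DMARC pass that SPF cannot.
DKIM_RESCUE = Message("example.com", "example.net", "mx.example.net", "pass",
                      [DkimSignature("example.com", "pass")])

if __name__ == "__main__":
    for name, m in (("relaxed_only", RELAXED_ONLY), ("unaligned", UNALIGNED),
                    ("dkim_rescue", DKIM_RESCUE)):
        print(name, dmarc_evaluate(m), "strict:", dmarc_evaluate(m, aspf="s", adkim="s"))
```

The second sample is precisely the message class the pull request wanted to rescue by running SPF against the From header. Under RFC 7489 it correctly fails: the envelope domain was authenticated, but nothing authenticated the From domain, and that is the forgery DMARC exists to stop. The fix for a sender in that position is to sign with DKIM using an aligned d= domain (sample three) or to use an aligned MAIL FROM (sample one).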