What is considered a DMARC failure?

Time: 2019-08-07 13:20:25

Tags: spf dkim dmarc

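I'm trying to wrap my head around how DMARC works and what to do with the resulting emails.

As I understand it, DMARC has the following three main functions:

  1. SPF verification
  2. DKIM verification
  3. Domain alignment.

But I'm not sure when DMARC is considered a fail/pass.

For example, if DKIM and domain alignment for DKIM are correct, but SPF fails, is DMARC considered a pass or a fail?

Is DMARC considered a pass only when all three pass (SPF is good, DKIM is good, and domain alignment is good for both SPF and DKIM)? Or is it just either (SPF + domain alignment for SPF) or (DKIM + domain alignment for DKIM)?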

2 answers:

Answer 0: (score: 0)

I'll answer myself here. RFC7489 states the following:

6.6.2.  Determine Handling Policy

   To arrive at a policy for an individual message, Mail Receivers MUST
   perform the following actions or their semantic equivalents.
   Steps 2-4 MAY be done in parallel, whereas steps 5 and 6 require
   input from previous steps.

   The steps are as follows:

   1.  Extract the RFC5322.From domain from the message (as above).

   2.  Query the DNS for a DMARC policy record.  Continue if one is
       found, or terminate DMARC evaluation otherwise.  See
       Section 6.6.3 for details.

   3.  Perform DKIM signature verification checks.  A single email could
       contain multiple DKIM signatures.  The results of this step are
       passed to the remainder of the algorithm and MUST include the
       value of the "d=" tag from each checked DKIM signature.

   4.  Perform SPF validation checks.  The results of this step are
       passed to the remainder of the algorithm and MUST include the
       domain name used to complete the SPF check.

   5.  Conduct Identifier Alignment checks.  With authentication checks
       and policy discovery performed, the Mail Receiver checks to see
       if Authenticated Identifiers fall into alignment as described in
       Section 3.  If one or more of the Authenticated Identifiers align
       with the RFC5322.From domain, the message is considered to pass
       the DMARC mechanism check.  All other conditions (authentication
       failures, identifier mismatches) are considered to be DMARC
       mechanism check failures.

   6.  Apply policy.  Emails that fail the DMARC mechanism check are
       disposed of in accordance with the discovered DMARC policy of the
       Domain Owner.  See Section 6.3 for details.

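Answer 1: (score: 0)

Here is the formula for DMARC authentication:

DMARC authentication pass = (SPF authentication pass AND SPF identifier alignment) OR (DKIM authentication pass AND DKIM identifier alignment)

Or, in other words:

DMARC authentication fail = (SPF authentication fail OR SPF identifier misalignment) AND (DKIM authentication fail OR DKIM identifier misalignment)

This article covers the topic in detail: https://dmarcly.com/blog/how-to-implement-dmarc-dkim-spf-to-stop-email-spoofing-phishing-the-definitive-guide#dmarc-alignment-authentication-hardened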
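
The pass/fail rule from the two answers above, worked through on several messages; this is an added example, not part of the original thread. The function names, the sample domains and the two-label shortcut for the Organizational Domain are assumptions made for illustration.

```python
def org_domain(domain):
    # Assumption: the last two labels form the Organizational Domain.
    # Real receivers derive it from the Public Suffix List.
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def aligned(auth_domain, from_domain, mode="r"):
    """mode 'r' = relaxed (same Organizational Domain), 's' = strict (exact match)."""
    a, f = auth_domain.lower().rstrip("."), from_domain.lower().rstrip(".")
    return a == f if mode == "s" else org_domain(a) == org_domain(f)

def dmarc_check(from_domain, spf, dkim_sigs, aspf="r", adkim="r"):
    """spf: (result, domain used for the SPF check).
    dkim_sigs: list of (result, d= value), one entry per signature checked.
    aspf/adkim: alignment modes from the DMARC policy record."""
    spf_result, spf_domain = spf
    spf_ok = spf_result == "pass" and aligned(spf_domain, from_domain, aspf)
    # One passing, aligned signature is enough, however many others fail.
    dkim_ok = any(r == "pass" and aligned(d, from_domain, adkim)
                  for r, d in dkim_sigs)
    return "pass" if (spf_ok or dkim_ok) else "fail"

# Constructed sample messages; every domain is a placeholder.
FROM = "example.com"
CASES = {
    # The question's case: SPF fails, DKIM passes and aligns.
    "spf_fail_dkim_aligned": dmarc_check(
        FROM, ("fail", "example.com"), [("pass", "example.com")]),
    # Both mechanisms authenticate, but for a third-party domain.
    "both_pass_neither_aligned": dmarc_check(
        FROM, ("pass", "bounce.example.net"), [("pass", "example.net")]),
    # Two signatures: the second one aligns under relaxed mode.
    "second_signature_aligned": dmarc_check(
        FROM, ("pass", "example.net"),
        [("pass", "example.net"), ("pass", "mail.example.com")]),
    # Same subdomain signature, but the policy demands strict DKIM alignment.
    "strict_subdomain": dmarc_check(
        FROM, ("fail", "example.com"), [("pass", "mail.example.com")], adkim="s"),
    # Aligned d= value, but the signature itself did not verify.
    "aligned_but_dkim_fail": dmarc_check(
        FROM, ("fail", "example.com"), [("fail", "example.com")]),
}

if __name__ == "__main__":
    for name, verdict in CASES.items():
        print(f"{name}: {verdict}")
```
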