什么是DMARC故障？

Question

我正试着思考DMARC是如何工作的，以及如何处理由此产生的电子邮件。

据我所知，DMARC致力于三个关键特性：

1. SPF验证
2. DKIM验证
3. 域对齐

但我不知道什么时候应该考虑DMARC失败/通过。

例如，如果DKIM和域对齐对于DKIM是正确的，但是SPF失败。DMARC被认为是传球还是失败？

DMARC是否只在三个键都通过时才被认为是通行证(SPF是好的，DKIM是好的，域对齐对于SPF和DKIM都是好的)？还是只适用于任何一个(SPF +域对齐SPF)还是(DKIM +域对齐用于DKIM)？

Answer 1

我将在这里回答自己，RFC7489声明如下：

6.6.2.  Determine Handling Policy

   To arrive at a policy for an individual message, Mail Receivers MUST
   perform the following actions or their semantic equivalents.
   Steps 2-4 MAY be done in parallel, whereas steps 5 and 6 require
   input from previous steps.

   The steps are as follows:

   1.  Extract the RFC5322.From domain from the message (as above).

   2.  Query the DNS for a DMARC policy record.  Continue if one is
       found, or terminate DMARC evaluation otherwise.  See
       Section 6.6.3 for details.

   3.  Perform DKIM signature verification checks.  A single email could
       contain multiple DKIM signatures.  The results of this step are
       passed to the remainder of the algorithm and MUST include the
       value of the "d=" tag from each checked DKIM signature.

   4.  Perform SPF validation checks.  The results of this step are
       passed to the remainder of the algorithm and MUST include the
       domain name used to complete the SPF check.

   5.  Conduct Identifier Alignment checks.  With authentication checks
       and policy discovery performed, the Mail Receiver checks to see
       if Authenticated Identifiers fall into alignment as described in
       Section 3.  If one or more of the Authenticated Identifiers align
       with the RFC5322.From domain, the message is considered to pass
       the DMARC mechanism check.  All other conditions (authentication
       failures, identifier mismatches) are considered to be DMARC
       mechanism check failures.

   6.  Apply policy.  Emails that fail the DMARC mechanism check are
       disposed of in accordance with the discovered DMARC policy of the
       Domain Owner.  See Section 6.3 for details.

Answer 2

这是DMARC身份验证的公式：

DMARC auth pass = (SPF auth pass和SPF标识符对齐)或(DKIM和DKIM标识符对齐)

或者换个说法：

故障= (SPF auth故障或SPF标识符失调)和(DKIM故障或DKIM标识符不对齐)

这篇文章详细介绍了这个主题：https://dmarcly.com/blog/how-to-implement-dmarc-dkim-spf-to-stop-email-spoofing-phishing-the-definitive-guide#dmarc-alignment-authentication-hardened