[dmarc-discuss] How to handle temporary dns failure?

Murray S. Kucherawy superuser at gmail.com
Wed Jun 13 07:17:11 PDT 2012


On Mon, Jun 11, 2012 at 10:29 PM, pandalove <pandalove at 126.com> wrote:

> Hi folks,
>
> These are mails who are DKIM aligned and SPF not aligned naturally(such as
> newsletters ESPs using envelope sender domain different from header from
> domain, providing no SPF aligned identifier), if the mail receiver gets
> temporary dns failure when requesting DKIM selector, this email will fail
> DKIM verification and provide no DKIM aligned identifier.
>
> In this case, such emails will fail the whole DAMRC mechanisms. If their
> "p=" tag is not "none", these emails will be rejected or quarantined. At
> least, a forensic report will be sent.
>
> Considering people may use different DNS domains for DKIM selector and
> DMARC record, so the mail receiver can query DMARC record successfully, but
> DKIM selector DNS request can solely fail .
>
> That is, once their DKIM selector DNS temporarily failed, their mails ca!
> n not be delivered normally due to DMARC failure.
>
> Anyone want to share his opinion about such a situation?
>
>
>
The DMARC spec already says that in the case of a DNS temporary failure to
retrieve the DMARC policy, the receiver MAY decide to temp-fail the message
and try later so that a final evaluation gets applied.  I believe that in
the case where one method fails and the other is a temporary failure, or if
both methods temp-fail, then the same rule should apply: The receiver has
discretion to temp-fail the message and try again later in that case.

I'll add a bug to track this as an issue for the next version of the spec.
Thanks for bringing this up!

-MSK
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://medusa.blackops.org/pipermail/dmarc-discuss/attachments/20120613/3340ca40/attachment.htm>


More information about the dmarc-discuss mailing list