Score:6

Which has bigger priority between DMARC and SPF?


First off let me start by saying I understand DMARC and SPF do not do the same thing.
However both have an option to tell the receiving servers what to do with mails that do not pass SPF (and DKIM in the case of DMARC).

Now let’s have a theoretical case with SPF set to v=spf1 include:… ~all (the important part being ~all) and a DMARC set to v=DMARC1; p=reject; rua=….

In this situation, if I understand correctly, we have an SPF record telling “mark mails that do not pass SPF as spam” and a DMARC record telling “do not accept mails that do not pass DKIM or SPF.”

Which instruction will have priority when a mail failing SPF is received? And if the DMARC entry is set to p=none, is the answer the same?

This is purely a policy thing at the receiver side, so there is no real answer to this question.
Frizlab
@glts A bit what I was afraid of, they just did not think about it when they created DMARC… Oh well, I guess we’ll just have to be consistent between the SPF and DMARC declarations.
Score:6

From RFC 7208:

8.5. Softfail

A "softfail" result ought to be treated as somewhere between "fail" and "neutral"/"none". The ADMD believes the host is not authorized but is not willing to make a strong policy statement. Receiving software SHOULD NOT reject the message based solely on this result, but MAY subject the message to closer scrutiny than normal.

The ADMD wants to discourage the use of this host and thus desires limited feedback when a "softfail" result occurs. For example, the recipient's MUA could highlight the "softfail" status, or the receiving MTA could give the sender a message using greylisting [RFC6647], with a note the first time the message is received, but accept it on a later attempt based on receiver policy.

The key phrase here is "SHOULD NOT", thus the receiving server can enforce other policies and still be within the standard.

From RFC 7489:

reject: The Domain Owner wishes for Mail Receivers to reject email that fails the DMARC mechanism check. Rejection SHOULD occur during the SMTP transaction.

The key phrases here are "wishes" and "SHOULD", thus the receiving server can enforce other policies and do whatever they want during the SMTP transaction while still being within the policy.

My best guess is that if the receiver is enforcing DMARC, then p=reject will be the overriding policy.

Also from the same section in RFC 7489:

none: The Domain Owner requests no specific action be taken regarding delivery of messages.

The key phrase here is "requests". In practice, this is nearly always treated the same as having no DMARC policy, other than to send reports since this policy is used for testing.

As a side note, you appear to have a common misunderstanding of what DMARC is testing. DMARC tests alignment, which is not what DKIM or SPF are testing, so those tests can both pass while DMARC fails.
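To make the receiver-side evaluation discussed above concrete, here is an added example (not code from the thread, nor from any real MTA) that walks one inbound message through SPF, then DMARC alignment, then the published p= policy. Everything in it is an assumption for illustration: DNS is replaced by a constructed in-memory table with the hypothetical domains example.com, example.net and mailer.example; DKIM signature verification is assumed to have been done already and is passed in as a (d= domain, result) pair; the organizational domain used for relaxed alignment is approximated by the last two labels instead of the Public Suffix List; and the action names reject / quarantine / scrutinize / accept are this example receiver's own local policy, which is exactly the point the answers make.

```python
"""Receiver-side SPF + DMARC decision for one inbound message.

Added example (not code from the thread). DNS is replaced by the constructed
DNS_TXT dictionary, DKIM verification is assumed to have run already and is
passed in as a (d= domain, result) tuple, and the organizational domain used
for relaxed alignment is approximated by the last two labels instead of the
Public Suffix List.
"""
import ipaddress

# Constructed TXT records for hypothetical domains.
DNS_TXT = {
    "example.com": "v=spf1 ip4:192.0.2.0/24 include:mailer.example ~all",
    "_dmarc.example.com": "v=DMARC1; p=reject; rua=mailto:dmarc@example.com",
    "example.net": "v=spf1 ip4:192.0.2.0/24 ~all",
    "_dmarc.example.net": "v=DMARC1; p=none; rua=mailto:dmarc@example.net",
    "mailer.example": "v=spf1 ip4:198.51.100.10 -all",   # publishes no DMARC record
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_spf(ip, domain, depth=0):
    """Evaluate the ip4, include and all mechanisms of an SPF record.
    Returns pass / fail / softfail / neutral / none (RFC 7208 result names)."""
    record = DNS_TXT.get(domain)
    if record is None or not record.startswith("v=spf1") or depth > 10:
        return "none"
    addr = ipaddress.ip_address(ip)
    for term in record.split()[1:]:
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        if term == "all":                       # ~all -> softfail, -all -> fail
            return QUALIFIERS[qualifier]
        if term.startswith("ip4:") and addr in ipaddress.ip_network(term[4:], strict=False):
            return QUALIFIERS[qualifier]
        if term.startswith("include:") and check_spf(ip, term[8:], depth + 1) == "pass":
            return QUALIFIERS[qualifier]        # include: matches only on a "pass"
    return "neutral"                            # nothing matched and no "all" term


def dmarc_policy(header_from):
    """Return the parsed _dmarc record tags for the RFC5322.From domain, or None."""
    txt = DNS_TXT.get("_dmarc." + header_from, "")
    tags = dict(t.strip().split("=", 1) for t in txt.split(";") if "=" in t)
    return tags if tags.get("v") == "DMARC1" else None


def aligned(auth_domain, header_from, mode):
    """DMARC identifier alignment: strict ("s") is an exact match, relaxed ("r")
    compares organizational domains (simplified here to the last two labels)."""
    def org(d):
        return ".".join(d.lower().split(".")[-2:])
    if mode == "s":
        return auth_domain.lower() == header_from.lower()
    return org(auth_domain) == org(header_from)


def spf_only_action(spf):
    """This receiver's local choice when only SPF speaks: RFC 7208 allows a
    reject on "fail"; a "softfail" only gets closer scrutiny (e.g. spam scoring)."""
    return {"fail": "reject", "softfail": "scrutinize"}.get(spf, "accept")


def evaluate(ip, mail_from, header_from, dkim=None, enforce_dmarc=True):
    """Return (spf_result, dmarc_result, action) for one message."""
    spf = check_spf(ip, mail_from)
    policy = dmarc_policy(header_from)
    if policy is None:
        return spf, "none", spf_only_action(spf)
    # DMARC passes only on an aligned SPF *pass* or an aligned DKIM pass;
    # an SPF softfail produced by ~all earns no DMARC credit at all.
    spf_ok = spf == "pass" and aligned(mail_from, header_from, policy.get("aspf", "r"))
    dkim_ok = (dkim is not None and dkim[1] == "pass"
               and aligned(dkim[0], header_from, policy.get("adkim", "r")))
    if spf_ok or dkim_ok:
        return spf, "pass", "accept"
    p = policy.get("p", "none")
    if not enforce_dmarc or p == "none":
        # p=none, or a receiver that ignores DMARC: only the SPF handling remains
        return spf, "fail", spf_only_action(spf)
    return spf, "fail", ("quarantine" if p == "quarantine" else "reject")


if __name__ == "__main__":
    cases = [  # (ip, MAIL FROM domain, From: domain, dkim, enforce_dmarc) -- constructed
        ("203.0.113.5", "example.com", "example.com", None, True),    # ~all + p=reject
        ("203.0.113.5", "example.net", "example.net", None, True),    # ~all + p=none
        ("203.0.113.5", "example.com", "example.com", None, False),   # receiver ignores DMARC
        ("203.0.113.5", "example.com", "example.com", ("example.com", "pass"), True),
        ("198.51.100.10", "mailer.example", "example.com", None, True),  # SPF pass, unaligned
        ("198.51.100.10", "example.com", "example.com", None, True),
    ]
    for ip, mf, hf, dk, enf in cases:
        print(ip, mf, hf, dk, enf, "->", evaluate(ip, mf, hf, dk, enf))
```

Running it reproduces the two situations from the question: with ~all and p=reject the message from an unlisted IP gets softfail from SPF, that softfail is not a pass so no aligned identifier passes, DMARC fails and the enforcing receiver rejects; with p=none the DMARC failure produces nothing but a report, and the only signal left is the softfail, which this receiver turns into extra scrutiny rather than a rejection. The mailer.example case shows the last paragraph of the answer: SPF passes for the envelope domain, yet DMARC fails because that domain is not aligned with the From: domain and no aligned DKIM signature rescues it.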
