
Wrong status when dmarc=fail but dkim=pass and/or spf=pass [security] [bug] #68

Open
AndreyMZ opened this issue Jul 19, 2023 · 2 comments

Comments

@AndreyMZ
Contributor

Problem description

The authres_status plugin violates RFC 7489 "Domain-based Message Authentication, Reporting, and Conformance (DMARC)"!

Steps to reproduce

Receive an email message with the following headers:

Authentication-Results: victim.example;
    dmarc=fail (p=QUARANTINE sp=NONE) smtp.from=attacker.example header.from=victim.example;
    dkim=pass header.d=attacker.example
Return-Path: <[email protected]>
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
    d=attacker.example; s=default; t=1586426938;
    <...>
From: [email protected]
To: [email protected]
Subject: Test
<...>

Actual result

The status is:

[status_partial_pass.png] Some signatures are invalid but at least one is valid for the sender's domain. verified by dmarc=fail (p=QUARANTINE sp=NONE); dkim=pass

Expected result

The status is:

[status_fail.png] Signature is not valid! Verified by dmarc=fail (p=QUARANTINE sp=NONE)

Additional information

This issue has been created because the fix for #42 is incomplete.

@pimlie
Owner

pimlie commented Apr 9, 2024

Where in the RFC does it say that clients MUST fail the full authentication results when any method fails?

If the RFC doesn't specify that, wdyt about adding a strict mode? Also see #59

@AndreyMZ
Contributor Author

AndreyMZ commented Apr 9, 2024

DMARC is not in line with DKIM and SPF. It is above them.

Probably you were searching for this part of the RFC: https://datatracker.ietf.org/doc/html/rfc7489#section-4.2

A message satisfies the DMARC checks if at least one of the supported authentication mechanisms:

  1. produces a "pass" result, and
  2. produces that result based on an identifier that is in alignment, as defined in Section 3.

So, it does not matter how many authentication mechanisms (DKIM, SPF) produce a "pass" result unless at least one of them validates the domain in the RFC5322.From address.
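As an added example, not code from the authres_status plugin (which is PHP) or from either commenter, the rule quoted above expressed as a client-side check in Python: a dmarc= result written by the receiving MTA is taken as authoritative, and when no dmarc= result is present, a DKIM or SPF "pass" counts only if its identifier aligns with the RFC5322.From domain. The sample header is reconstructed from this issue, and the organizational-domain helper is a simplification (last two labels, no Public Suffix List) assumed for the example.

```python
import re

# Constructed from the Authentication-Results header quoted in this issue, unfolded onto one line.
SAMPLE_AUTHRES = ("victim.example; dmarc=fail (p=QUARANTINE sp=NONE) smtp.from=attacker.example "
                  "header.from=victim.example; dkim=pass header.d=attacker.example")


def parse_authres(value):
    """Split an Authentication-Results value into per-method dicts (RFC 8601 syntax, simplified)."""
    results = []
    for stanza in value.split(";")[1:]:                        # [0] is the authserv-id
        tokens = re.sub(r"\([^)]*\)", " ", stanza).split()     # drop comments like (p=QUARANTINE ...)
        if not tokens:
            continue
        method, _, result = tokens[0].partition("=")
        props = dict(tok.split("=", 1) for tok in tokens[1:] if "=" in tok)
        results.append({"method": method.lower(), "result": result.lower(), **props})
    return results


def org_domain(domain):
    # Assumption for this example: organizational domain = last two labels (no Public Suffix List).
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def aligned(auth_domain, from_domain, strict=False):
    """Identifier alignment (RFC 7489 section 3.1): exact match in strict mode, same org domain otherwise."""
    if not auth_domain:
        return False
    if strict:
        return auth_domain.lower() == from_domain.lower()
    return org_domain(auth_domain) == org_domain(from_domain)


def dmarc_status(value, from_domain, strict=False):
    """'pass' only if some mechanism passed AND its identifier aligns with RFC5322.From (RFC 7489 s4.2)."""
    results = parse_authres(value)
    for r in results:                      # a dmarc= result from the receiving MTA is authoritative:
        if r["method"] == "dmarc":         # it already encodes the alignment check below
            return r["result"]
    for r in results:                      # no dmarc= result: apply the section 4.2 rule ourselves
        if r["result"] != "pass":
            continue
        if r["method"] == "dkim" and aligned(r.get("header.d", ""), from_domain, strict):
            return "pass"
        if r["method"] == "spf" and aligned(r.get("smtp.mailfrom", ""), from_domain, strict):
            return "pass"
    return "fail"
```

For the header from this issue, `dmarc_status(SAMPLE_AUTHRES, "victim.example")` returns "fail": the dkim=pass for attacker.example never aligns with the From domain, so it cannot upgrade the status.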
