I'll answer my own question here. RFC 7489 states the following:
6.6.2. Determine Handling Policy
To arrive at a policy for an individual message, Mail Receivers MUST
perform the following actions or their semantic equivalents.
Steps 2-4 MAY be done in parallel, whereas steps 5 and 6 require
input from previous steps.
The steps are as follows:
1. Extract the RFC5322.From domain from the message (as above).
2. Query the DNS for a DMARC policy record. Continue if one is
found, or terminate DMARC evaluation otherwise. See
Section 6.6.3 for details.
3. Perform DKIM signature verification checks. A single email could
contain multiple DKIM signatures. The results of this step are
passed to the remainder of the algorithm and MUST include the
value of the "d=" tag from each checked DKIM signature.
4. Perform SPF validation checks. The results of this step are
passed to the remainder of the algorithm and MUST include the
domain name used to complete the SPF check.
5. Conduct Identifier Alignment checks. With authentication checks
and policy discovery performed, the Mail Receiver checks to see
if Authenticated Identifiers fall into alignment as described in
Section 3. If one or more of the Authenticated Identifiers align
with the RFC5322.From domain, the message is considered to pass
the DMARC mechanism check. All other conditions (authentication
failures, identifier mismatches) are considered to be DMARC
mechanism check failures.
6. Apply policy. Emails that fail the DMARC mechanism check are
disposed of in accordance with the discovered DMARC policy of the
Domain Owner. See Section 6.3 for details.
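
Steps 5 and 6 of the quoted procedure, as an added example that is not part of the original answer or of the RFC text. The function names, the tiny `PUBLIC_SUFFIXES` set (a constructed stand-in for the Public Suffix List) and the sample domains in the test are assumptions; strict/relaxed alignment follows the `adkim`/`aspf` tags from RFC 7489 Section 3.1.

```python
# Added example: Identifier Alignment (step 5) and policy application (step 6).
# CONSTRUCTED stand-in for the Public Suffix List; a real receiver uses the full PSL.
PUBLIC_SUFFIXES = {"com", "org", "co.uk"}

def org_domain(domain):
    """Organizational domain: the longest public suffix plus one label."""
    labels = domain.lower().rstrip(".").split(".")
    for i in range(len(labels)):  # i = 0 tries the longest candidate suffix first
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[max(i - 1, 0):])
    return ".".join(labels[-2:])  # assumption: fall back to the last two labels

def aligned(auth_domain, from_domain, mode):
    """mode 's' = strict (exact match), 'r' = relaxed (same organizational domain)."""
    a = auth_domain.lower().rstrip(".")
    f = from_domain.lower().rstrip(".")
    return a == f if mode == "s" else org_domain(a) == org_domain(f)

def dmarc_evaluate(from_domain, policy, dkim_results, spf_result):
    """
    from_domain:  RFC5322.From domain (step 1)
    policy:       parsed DMARC record tags, e.g. {"p": "reject", "aspf": "s"} (step 2)
    dkim_results: list of (d= domain, passed) for each checked signature (step 3)
    spf_result:   (domain used to complete the SPF check, passed) (step 4)
    Returns (mechanism_pass, disposition); disposition is None on a pass.
    """
    adkim = policy.get("adkim", "r")  # relaxed is the default alignment mode
    aspf = policy.get("aspf", "r")
    # Step 5: an identifier counts only if it authenticated AND aligns.
    dkim_aligned = any(ok and aligned(d, from_domain, adkim)
                       for d, ok in dkim_results)
    spf_domain, spf_ok = spf_result
    spf_aligned = spf_ok and aligned(spf_domain, from_domain, aspf)
    if dkim_aligned or spf_aligned:
        return True, None
    # Step 6: the message failed the mechanism check; apply the owner's policy.
    return False, policy["p"]
```

A passing DKIM or SPF result for an unrelated domain does not help: only an authenticated identifier that aligns with the RFC5322.From domain produces a DMARC pass.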