Decoding “dis=NONE” in DMARC Authentication-Results Header: A Technical Deep Dive



When examining email headers, you'll often encounter the Authentication-Results field containing DMARC verification results. A typical example looks like this:

Authentication-Results: mx.google.com;
       spf=neutral;
       dkim=pass header.i=@yahoo.com;
       dmarc=pass (p=REJECT dis=NONE) header.from=yahoo.com

While most DMARC tags are well-documented in the IANA registry, dis=NONE appears as an implementation-specific extension. Based on email provider implementations (particularly Google), this parameter indicates:

  • No Disposition Override: The receiver didn't apply any special handling beyond what the DMARC policy (p=REJECT) specified
  • Alignment Status: The domain in the From header (yahoo.com) properly aligned with authenticated domains
  • No Forensic Reporting: Indicates no additional disposition instructions were applied

Here's how major email providers implement this field:

// Google's implementation example
if (dmarc_pass && alignment_ok) {
    add_to_header("dis=NONE");
} else if (dmarc_pass && !alignment_ok) {
    add_to_header("dis=OVERRIDE");
}

For developers working with email authentication, here's a Python snippet to parse these headers:

import re

def parse_dmarc_results(header):
    # Literal parentheses must be escaped: "dmarc=pass (p=REJECT dis=NONE)"
    pattern = r'dmarc=(\w+)\s*\(p=(\w+)\s+dis=(\w+)\)'
    match = re.search(pattern, header)
    if match:
        return {
            'result': match.group(1),
            'policy': match.group(2),
            'disposition': match.group(3)
        }
    return None

# Example usage:
header = "dmarc=pass (p=REJECT dis=NONE) header.from=yahoo.com"
print(parse_dmarc_results(header))
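
An added example (not from the original page or from any provider's code) that parses the full folded header shown at the top of the article, keeping the parenthesised comment values such as p= and dis= separate from properties such as header.from. The `trusted_authserv_ids` parameter is hypothetical: headers not stamped by one of your own receiving MTAs return None, because a sender can add an Authentication-Results header of its own, and the naive split on ';' is a stated simplification.

```python
import re

# Constructed sample: the folded header from the article, as sent on the wire.
SAMPLE = (
    "Authentication-Results: mx.google.com;\r\n"
    "       spf=neutral;\r\n"
    "       dkim=pass header.i=@yahoo.com;\r\n"
    "       dmarc=pass (p=REJECT dis=NONE) header.from=yahoo.com\r\n"
)

METHOD_RE = re.compile(r'([\w-]+)=(\w+)')      # e.g. dmarc=pass
COMMENT_RE = re.compile(r'\(([^()]*)\)')       # e.g. (p=REJECT dis=NONE)
KV_RE = re.compile(r'([\w.-]+)=(\S+)')         # e.g. header.from=yahoo.com


def parse_authentication_results(raw, trusted_authserv_ids):
    """Return {method: {'result', 'comment', 'props'}} or None.

    trusted_authserv_ids (hypothetical parameter) lists the authserv-ids of
    our own receiving MTAs. Headers stamped by anyone else are ignored,
    because a sender can add an Authentication-Results header of its own.
    """
    name, _, value = raw.partition(':')
    if name.strip().lower() != 'authentication-results':
        return None
    value = re.sub(r'\r?\n[ \t]+', ' ', value).strip()   # unfold continuation lines
    # Simplification: assumes no ';' inside comments or quoted strings.
    first, *clauses = [c.strip() for c in value.split(';')]
    authserv_id = first.split()[0].lower() if first else ''
    if authserv_id not in trusted_authserv_ids:
        return None
    results = {'authserv-id': authserv_id}
    for clause in clauses:
        m = METHOD_RE.match(clause)
        if not m:
            continue
        entry = {'result': m.group(2).lower(), 'comment': {}, 'props': {}}
        # key=value pairs inside parentheses are receiver comments (p=, dis=)
        for comment in COMMENT_RE.findall(clause):
            entry['comment'].update(KV_RE.findall(comment))
        # what is left outside the parentheses are properties
        rest = COMMENT_RE.sub(' ', clause[m.end():])
        entry['props'].update(KV_RE.findall(rest))
        results[m.group(1).lower()] = entry
    return results


if __name__ == '__main__':
    print(parse_authentication_results(SAMPLE, {'mx.google.com'}))
```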

Understanding these nuances helps when:

  • Building email authentication systems
  • Troubleshooting delivery issues
  • Implementing DMARC reporting tools
  • Developing spam filtering solutions

While dis=NONE isn't part of the official DMARC spec, its presence in major providers' implementations makes it de facto standard behavior worth understanding for anyone working with email infrastructure.


The Authentication-Results header in an email provides information about the authentication checks performed on the message. In the given example:

Authentication-Results: mx.google.com;
       spf=neutral;
       dkim=pass header.i=@yahoo.com;
       dmarc=pass (p=REJECT dis=NONE) header.from=yahoo.com

DMARC (Domain-based Message Authentication, Reporting & Conformance) is an email authentication protocol. The p parameter in the DMARC result, here set to REJECT, defines the policy for handling messages that fail DMARC validation. But what about dis=NONE? Although it's not listed in the DMARC tag registry, it's still relevant.

The dis tag likely stands for "disposition". In the context of DMARC, dis=NONE might indicate that no secondary or alternative disposition action is defined beyond the primary p (policy) action. For example, if p is set to REJECT, the mail server is supposed to reject messages that fail DMARC checks. The dis=NONE could mean there are no additional steps like quarantine or some other non-standard handling.

Here is a very basic Python example to show how you might start validating DMARC results in code. This is a highly simplified example and doesn't cover all aspects of DMARC validation.

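import dns.resolver

def check_dmarc(domain):
    try:
        # resolve() replaces the deprecated query() in dnspython 2.x
        answers = dns.resolver.resolve('_dmarc.' + domain, 'TXT')
    except (dns.resolver.NXDOMAIN, dns.resolver.NoAnswer):
        print("No DMARC record found for the domain.")
        return
    for rdata in answers:
        # A TXT record may be split into several strings; join them
        record = b''.join(rdata.strings).decode('utf-8', 'replace')
        # Tags are separated by ';' and usually followed by a space,
        # so strip each part before testing its prefix
        for part in record.split(';'):
            part = part.strip()
            if part.startswith('p='):
                policy = part.split('=', 1)[1].strip()
                print(f"DMARC Policy: {policy}")
            elif part.startswith('dis='):
                # dis is not in the DMARC tag registry; checked only in case it appears
                disposition = part.split('=', 1)[1].strip()
                print(f"DMARC Disposition: {disposition}")

# Replace 'example.com' with the domain you want to check
check_dmarc('example.com')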

This code attempts to query the DMARC record for a given domain. It then parses the record to find p (policy) and potentially the dis (disposition) values. Keep in mind that real-world DMARC validation is much more complex and involves aspects like DKIM and SPF validation as well.