Close, but not quite. DMARC uses the combination of SPF pass and identity alignment between mail from and from. In your case, SPF passes because, as you note, you've included the appropriate blackberry servers, but it fails the identity alignment check because the mail from domain is not the same as the from domain.
Scott K On Friday, October 05, 2012 03:30:53 PM Jon Jaroker wrote: > Hello Franck, > > Doesn't DMARC use RFC5332.From (and not MailFrom)? I see that on the FAQs > (http://www.dmarc.org/faq.html). > > The "From" field points to my domain, which has an SPF record that includes > blackberry's email servers as authorized senders, which should authenticate > for DMARC. > > Jon > > -----Original Message----- > From: Franck Martin [mailto:[email protected]] > Sent: Friday, October 05, 2012 1:58 PM > To: Jon Jaroker; [email protected] > Subject: Re: [dmarc-discuss] DMARC setup to authorize Blackberry BIS emails > > Sorry, > > John, reminded me about the mail-from, I just checked my forensic reports, > it won't work because there is no alignment. > > They use in the mail-from something like: > [email protected] > > So no alignement! > > You must have BES or use another device to make it work. > > Sorry. > > On 10/5/12 10:45 AM, "Jon Jaroker" <[email protected]> wrote: > >>> Basically, add the blackberry SPF information to your SPF. This will > >>> > >>>not > > > >do DKIM, so it will only rely on SPF to pass the DMARC test. > > > >Thank you, Franck, that was my understanding too. > > > >Jon > > > >-----Original Message----- > >From: Franck Martin [mailto:[email protected]] > >Sent: Friday, October 05, 2012 1:36 PM > >To: John Levine; [email protected] > >Cc: [email protected] > >Subject: Re: [dmarc-discuss] DMARC setup to authorize Blackberry BIS > >emails > > > >You can, but it is not pretty. > > > >Basically, add the blackberry SPF information to your SPF. This will > >not do DKIM, so it will only rely on SPF to pass the DMARC test. > > > >Also, then you now have an attack vector from any blackberry device. > >Fortunately blackberry SPF are organized by region, so you can limit it > >a bit. > > > >But it would be best for you, may be to invest in a BES, so the email > >is synchronized and sent from your mail servers rather than from > >blackberry ones. > > > >I found this article useful re blackberry SPF > >http://www.stardeveloper.com/articles/spf-record-for-blackberry-interne > >t-s > >e > >rvice/ > > > >But I would say if you need to go DMARC in reject mode, then BES or > >moving to android/iphone is the proper solution. > > > >Cheers > > > >On 10/5/12 9:45 AM, "John Levine" <[email protected]> wrote: > >>>I have a question on how to get a DMARC policy to work when some of > >>>my email is sent via blackberry BIS. > >> > >>That's easy -- you can't. > >> > >>DMARC policies can work well on domains whose mail is sent from a > >>single set of fixed sources. They won't work at all on mail domains > >>with live people who invariably send mail in all sorts of different > >>ways that SPF and DKIM don't describe. > >> > >>But it's still worth publishing a DMARC record with p=none to collect > >>the statistics. That's what I do, and I find out all sorts of > >>interesting stuff. > >> > >>Regards, > >>John Levine, [email protected], Primary Perpetrator of "The Internet for > >>Dummies", Please consider the environment before reading this e-mail. > >>http://jl.ly _______________________________________________ > >>dmarc-discuss mailing list > >>[email protected] > >>http://www.dmarc.org/mailman/listinfo/dmarc-discuss > >> > >>NOTE: Participating in this list means you agree to the DMARC Note > >>Well terms (http://www.dmarc.org/note_well.html) > > _______________________________________________ > dmarc-discuss mailing list > [email protected] > http://www.dmarc.org/mailman/listinfo/dmarc-discuss > > NOTE: Participating in this list means you agree to the DMARC Note Well > terms (http://www.dmarc.org/note_well.html) _______________________________________________ dmarc-discuss mailing list [email protected] http://www.dmarc.org/mailman/listinfo/dmarc-discuss NOTE: Participating in this list means you agree to the DMARC Note Well terms (http://www.dmarc.org/note_well.html)
