Scott, It won't even work with SPF, as the receiver will look for the SPF record in the domain presented in the envelope mail from, here it will be srs.bis7.eu.blackberry.com
Which is fine because this domain has a SPF record srs.bis7.eu.blackberry.com. 600 IN TXT "v=spf1 ip4:206.51.26.0/24 ip4:193.109.81.0/24 ip4:204.187.87.0/24 ip4:216.9.240.0/20 ip4:206.53.144.0/20 ip4:67.223.64.0/19 ip4:68.171.224.0/19 ip4:74.82.64.0/19 ip4:178.239.80.0/20 -all" So you don't need to include blackberry SPF records in your own SPF records. On 10/5/12 12:44 PM, "Scott Kitterman" <[email protected]> wrote: >Close, but not quite. DMARC uses the combination of SPF pass and >identity >alignment between mail from and from. In your case, SPF passes because, >as >you note, you've included the appropriate blackberry servers, but it >fails the >identity alignment check because the mail from domain is not the same as >the >from domain. > >Scott K > >On Friday, October 05, 2012 03:30:53 PM Jon Jaroker wrote: >> Hello Franck, >> >> Doesn't DMARC use RFC5332.From (and not MailFrom)? I see that on the >>FAQs >> (http://www.dmarc.org/faq.html). >> >> The "From" field points to my domain, which has an SPF record that >>includes >> blackberry's email servers as authorized senders, which should >>authenticate >> for DMARC. >> >> Jon >> >> -----Original Message----- >> From: Franck Martin [mailto:[email protected]] >> Sent: Friday, October 05, 2012 1:58 PM >> To: Jon Jaroker; [email protected] >> Subject: Re: [dmarc-discuss] DMARC setup to authorize Blackberry BIS >>emails >> >> Sorry, >> >> John, reminded me about the mail-from, I just checked my forensic >>reports, >> it won't work because there is no alignment. >> >> They use in the mail-from something like: >> [email protected] >> >> So no alignement! >> >> You must have BES or use another device to make it work. >> >> Sorry. >> >> On 10/5/12 10:45 AM, "Jon Jaroker" <[email protected]> wrote: >> >>> Basically, add the blackberry SPF information to your SPF. This will >> >>> >> >>>not >> > >> >do DKIM, so it will only rely on SPF to pass the DMARC test. >> > >> >Thank you, Franck, that was my understanding too. >> > >> >Jon >> > >> >-----Original Message----- >> >From: Franck Martin [mailto:[email protected]] >> >Sent: Friday, October 05, 2012 1:36 PM >> >To: John Levine; [email protected] >> >Cc: [email protected] >> >Subject: Re: [dmarc-discuss] DMARC setup to authorize Blackberry BIS >> >emails >> > >> >You can, but it is not pretty. >> > >> >Basically, add the blackberry SPF information to your SPF. This will >> >not do DKIM, so it will only rely on SPF to pass the DMARC test. >> > >> >Also, then you now have an attack vector from any blackberry device. >> >Fortunately blackberry SPF are organized by region, so you can limit it >> >a bit. >> > >> >But it would be best for you, may be to invest in a BES, so the email >> >is synchronized and sent from your mail servers rather than from >> >blackberry ones. >> > >> >I found this article useful re blackberry SPF >> >http://www.stardeveloper.com/articles/spf-record-for-blackberry-interne >> >t-s >> >e >> >rvice/ >> > >> >But I would say if you need to go DMARC in reject mode, then BES or >> >moving to android/iphone is the proper solution. >> > >> >Cheers >> > >> >On 10/5/12 9:45 AM, "John Levine" <[email protected]> wrote: >> >>>I have a question on how to get a DMARC policy to work when some of >> >>>my email is sent via blackberry BIS. >> >> >> >>That's easy -- you can't. >> >> >> >>DMARC policies can work well on domains whose mail is sent from a >> >>single set of fixed sources. They won't work at all on mail domains >> >>with live people who invariably send mail in all sorts of different >> >>ways that SPF and DKIM don't describe. >> >> >> >>But it's still worth publishing a DMARC record with p=none to collect >> >>the statistics. That's what I do, and I find out all sorts of >> >>interesting stuff. >> >> >> >>Regards, >> >>John Levine, [email protected], Primary Perpetrator of "The Internet for >> >>Dummies", Please consider the environment before reading this e-mail. >> >>http://jl.ly _______________________________________________ >> >>dmarc-discuss mailing list >> >>[email protected] >> >>http://www.dmarc.org/mailman/listinfo/dmarc-discuss >> >> >> >>NOTE: Participating in this list means you agree to the DMARC Note >> >>Well terms (http://www.dmarc.org/note_well.html) >> >> _______________________________________________ >> dmarc-discuss mailing list >> [email protected] >> http://www.dmarc.org/mailman/listinfo/dmarc-discuss >> >> NOTE: Participating in this list means you agree to the DMARC Note Well >> terms (http://www.dmarc.org/note_well.html) >_______________________________________________ >dmarc-discuss mailing list >[email protected] >http://www.dmarc.org/mailman/listinfo/dmarc-discuss > >NOTE: Participating in this list means you agree to the DMARC Note Well >terms (http://www.dmarc.org/note_well.html) _______________________________________________ dmarc-discuss mailing list [email protected] http://www.dmarc.org/mailman/listinfo/dmarc-discuss NOTE: Participating in this list means you agree to the DMARC Note Well terms (http://www.dmarc.org/note_well.html)
