Right. Good point. Scott K
Franck Martin <[email protected]> wrote: >Scott, > >It won't even work with SPF, as the receiver will look for the SPF >record >in the domain presented in the envelope mail from, here it will be >srs.bis7.eu.blackberry.com > >Which is fine because this domain has a SPF record > >srs.bis7.eu.blackberry.com. 600 IN TXT "v=spf1 >ip4:206.51.26.0/24 >ip4:193.109.81.0/24 ip4:204.187.87.0/24 ip4:216.9.240.0/20 >ip4:206.53.144.0/20 ip4:67.223.64.0/19 ip4:68.171.224.0/19 >ip4:74.82.64.0/19 ip4:178.239.80.0/20 -all" > > >So you don't need to include blackberry SPF records in your own SPF >records. > >On 10/5/12 12:44 PM, "Scott Kitterman" <[email protected]> wrote: > >>Close, but not quite. DMARC uses the combination of SPF pass and >>identity >>alignment between mail from and from. In your case, SPF passes >because, >>as >>you note, you've included the appropriate blackberry servers, but it >>fails the >>identity alignment check because the mail from domain is not the same >as >>the >>from domain. >> >>Scott K >> >>On Friday, October 05, 2012 03:30:53 PM Jon Jaroker wrote: >>> Hello Franck, >>> >>> Doesn't DMARC use RFC5332.From (and not MailFrom)? I see that on >the >>>FAQs >>> (http://www.dmarc.org/faq.html). >>> >>> The "From" field points to my domain, which has an SPF record that >>>includes >>> blackberry's email servers as authorized senders, which should >>>authenticate >>> for DMARC. >>> >>> Jon >>> >>> -----Original Message----- >>> From: Franck Martin [mailto:[email protected]] >>> Sent: Friday, October 05, 2012 1:58 PM >>> To: Jon Jaroker; [email protected] >>> Subject: Re: [dmarc-discuss] DMARC setup to authorize Blackberry BIS >>>emails >>> >>> Sorry, >>> >>> John, reminded me about the mail-from, I just checked my forensic >>>reports, >>> it won't work because there is no alignment. >>> >>> They use in the mail-from something like: >>> [email protected] >>> >>> So no alignement! >>> >>> You must have BES or use another device to make it work. >>> >>> Sorry. >>> >>> On 10/5/12 10:45 AM, "Jon Jaroker" <[email protected]> wrote: >>> >>> Basically, add the blackberry SPF information to your SPF. This >will >>> >>> >>> >>>not >>> > >>> >do DKIM, so it will only rely on SPF to pass the DMARC test. >>> > >>> >Thank you, Franck, that was my understanding too. >>> > >>> >Jon >>> > >>> >-----Original Message----- >>> >From: Franck Martin [mailto:[email protected]] >>> >Sent: Friday, October 05, 2012 1:36 PM >>> >To: John Levine; [email protected] >>> >Cc: [email protected] >>> >Subject: Re: [dmarc-discuss] DMARC setup to authorize Blackberry >BIS >>> >emails >>> > >>> >You can, but it is not pretty. >>> > >>> >Basically, add the blackberry SPF information to your SPF. This >will >>> >not do DKIM, so it will only rely on SPF to pass the DMARC test. >>> > >>> >Also, then you now have an attack vector from any blackberry >device. >>> >Fortunately blackberry SPF are organized by region, so you can >limit it >>> >a bit. >>> > >>> >But it would be best for you, may be to invest in a BES, so the >email >>> >is synchronized and sent from your mail servers rather than from >>> >blackberry ones. >>> > >>> >I found this article useful re blackberry SPF >>> >>http://www.stardeveloper.com/articles/spf-record-for-blackberry-interne >>> >t-s >>> >e >>> >rvice/ >>> > >>> >But I would say if you need to go DMARC in reject mode, then BES or >>> >moving to android/iphone is the proper solution. >>> > >>> >Cheers >>> > >>> >On 10/5/12 9:45 AM, "John Levine" <[email protected]> wrote: >>> >>>I have a question on how to get a DMARC policy to work when some >of >>> >>>my email is sent via blackberry BIS. >>> >> >>> >>That's easy -- you can't. >>> >> >>> >>DMARC policies can work well on domains whose mail is sent from a >>> >>single set of fixed sources. They won't work at all on mail >domains >>> >>with live people who invariably send mail in all sorts of >different >>> >>ways that SPF and DKIM don't describe. >>> >> >>> >>But it's still worth publishing a DMARC record with p=none to >collect >>> >>the statistics. That's what I do, and I find out all sorts of >>> >>interesting stuff. >>> >> >>> >>Regards, >>> >>John Levine, [email protected], Primary Perpetrator of "The Internet >for >>> >>Dummies", Please consider the environment before reading this >e-mail. >>> >>http://jl.ly _______________________________________________ >>> >>dmarc-discuss mailing list >>> >>[email protected] >>> >>http://www.dmarc.org/mailman/listinfo/dmarc-discuss >>> >> >>> >>NOTE: Participating in this list means you agree to the DMARC Note >>> >>Well terms (http://www.dmarc.org/note_well.html) >>> >>> _______________________________________________ >>> dmarc-discuss mailing list >>> [email protected] >>> http://www.dmarc.org/mailman/listinfo/dmarc-discuss >>> >>> NOTE: Participating in this list means you agree to the DMARC Note >Well >>> terms (http://www.dmarc.org/note_well.html) >>_______________________________________________ >>dmarc-discuss mailing list >>[email protected] >>http://www.dmarc.org/mailman/listinfo/dmarc-discuss >> >>NOTE: Participating in this list means you agree to the DMARC Note >Well >>terms (http://www.dmarc.org/note_well.html) _______________________________________________ dmarc-discuss mailing list [email protected] http://www.dmarc.org/mailman/listinfo/dmarc-discuss NOTE: Participating in this list means you agree to the DMARC Note Well terms (http://www.dmarc.org/note_well.html)
