On May 1, 2014, at 8:07 AM, Paul Scott <[email protected]> wrote: > As I understand it, and In my experience, p=reject on DKIM fail would cause a > mail delivery failure by google's servers. The fact that it ends up in your > spam folder rather than outright failure indicates to me that something other > than p=reject is responsible. > > Still, I would be interested to see the raw e-mail with all its headers, for > analysis, if you would please send it to me. > > Paul > > On Apr 30, 2014, at 9:44 PM, Scott Howard <[email protected]> wrote: > >> On Wed, Apr 30, 2014 at 8:05 PM, pscott <[email protected]> wrote: >> On 4/30/2014 6:22 PM, Douglas Otis wrote: >> Skycoast.us is using a DMARC p=reject with users sending to a mailing list. >> Really? >> I haven't seen any failures, yet. >> >> How about the fact that this and every other message I get from you ends up >> in my Google Apps spam folder? >> >> Be careful with this message. Our systems couldn't verify that this message >> was really sent by skycoast.us. You might want to avoid clicking links or >> replying with personal information. >> >> Scott
Dear Scott, I did not see a warning. I looked in the spam folder. It seems gmail makes an exception that allows these messages to reach spam folders. It seems they know DMARC can't be fully trusted. Here is a redacted header list: ,--- Return-Path: <[email protected]> Received-Spf: pass (google.com: domain of [email protected] designates 208.69.40.156 as permitted sender) client-ip=208.69.40.156; Authentication-Results: mx.google.com; spf=pass (google.com: domain of [email protected] designates 208.69.40.156 as permitted sender) [email protected]; dmarc=fail (p=REJECT dis=NONE) header.from=skycoast.us Authentication-Results: dragon.trusteddomain.org; sender-id=fail (NotPermitted) [email protected]; spf=fail (NotPermitted) [email protected] Authentication-Results: dragon.trusteddomain.org; sender-id=pass [email protected]; spf=pass [email protected] Message-Id: <[email protected]> Mime-Version: 1.0 (Mac OS X Mail 7.2 \(1874\)) References: <[email protected]> <CAGGEJxYQkeDDFKPnLR9vU=01pCi73e0XODGVcd=p2a+910p...@mail.gmail.com> <[email protected]> <[email protected]>, <[email protected]> <[email protected]> <[email protected]> In-Reply-To: <[email protected]> X-Mailer: Apple Mail (2.1874) X-Beenthere: [email protected] X-Mailman-Version: 2.1.17 Precedence: list List-Id: Public DMARC draft discussions <dmarc-discuss.dmarc.org> Re: [dmarc-discuss] DMARC woes - forwarding signed / encrypted e-mail Security: Signed ([email protected]) '--- Here is what was seen in your DNS: _dmarc.skycoast.us. 1800 IN TXT "v=DMARC1\;p=reject\;pct=100\;rua=mailto:[email protected]"; skycoast.us. 1799 IN TXT "v=spf1 a mx ~all" skycoast.us. 1799 IN MX 10 secure.paul-scott.us. secure.paul-scott.us. 1799 IN CNAME paul-scott.us. paul-scott.us. 1799 IN TXT "v=spf1 a mx ~all" paul-scott.us. 1799 IN SOA NS1.DIGITALOCEAN.COM. hostmaster.paul-scott.us. 1398641398 3600 900 1209600 1800 paul-scott.us. 1799 IN MX 10 secure.paul-scott.us. paul-scott.us. 1799 IN A 198.199.100.11 While your SPF records offer SOFTFAIL, DMARC records offer REJECT. Setting SPF records for SOFTFAIL improves DMARC delivery rates, but does not help when a mailing-list is used. The mailing-lists is NOT in alignment with "dmarc.org" and very likely breaks DKIM signatures. Reconsider using CNAME for your mail host as well. See http://tools.ietf.org/html/rfc2181#section-10.3. It can lead to nasty mailing loops and might cause the record itself to be rejected! I am considering a cleanup of the original ID for TPA (third-party authorization) records to allow domains a means to selectively enable tens of thousands of specific domains with specific restrictions imposed, such as containing an aligned LIST-ID header field. Perhaps DMARC could signal its use in their record. This will allow Yahoo! a means to significantly limit damage caused by user accounts having been compromised along with their users' address books. The source must still authenticate, but specific exceptions can be made to retain mailing-list use. Just as Linkedin, PayPal, and now Google will discover, their users ended up still sending to mailing-lists, although I think Paypal managed to educate their users. It seems the DMARC mailing-list neglects to make that point, and hence your email being placed in a spam folder. It seems REJECT now means QUARANTINE. Regards, Douglas Otis
_______________________________________________ dmarc-discuss mailing list [email protected] http://www.dmarc.org/mailman/listinfo/dmarc-discuss NOTE: Participating in this list means you agree to the DMARC Note Well terms (http://www.dmarc.org/note_well.html)
