The spec very clearly states
"Mail Receivers MAY choose to accept email that fails the DMARC mechanism check 
even if the Domain Owner has published a “reject” policy."
It includes a long list of PolicyOverrideTypes that you should report when you 
choose to override the published policy, which include forwarded and 
mailing_list.
Handling these cases as dictated in the spec is hardly evidence that they 
consider it untrustworthy; it’s just following the spec.  No one should find 
this surprising or controversial.

From: Terry Zink <[email protected]>
Date: Thursday, May 1, 2014 at 12:54 PM
To: Douglas Otis <[email protected]>, Paul Scott <[email protected]>
Cc: "[email protected]" <[email protected]>
Subject: Re: [dmarc-discuss] DMARC woes - forwarding signed / encrypted e-mail

> It seems gmail makes an exception that allows these messages to reach
> spam folders.  It seems they know DMARC can't be fully trusted.

I remember reading somewhere about a year ago (can’t remember where, but it was 
on a mailing list) that Gmail overrides the DMARC reject policy and instead 
treats it as quarantine.

-- Terry


From: dmarc-discuss [mailto:[email protected]] On Behalf Of Douglas Otis
Sent: Thursday, May 1, 2014 11:56 AM
To: Paul Scott
Cc: [email protected]
Subject: Re: [dmarc-discuss] DMARC woes - forwarding signed / encrypted e-mail


On May 1, 2014, at 8:07 AM, Paul Scott <[email protected]> wrote:


As I understand it, and in my experience, p=reject on DKIM fail would cause a 
mail delivery failure by google's servers. The fact that it ends up in your 
spam folder rather than outright failure indicates to me that something other 
than p=reject is responsible.

Still, I would be interested to see the raw e-mail with all its headers, for 
analysis, if you would please send it to me.

Paul

On Apr 30, 2014, at 9:44 PM, Scott Howard <[email protected]> wrote:

On Wed, Apr 30, 2014 at 8:05 PM, pscott <[email protected]> wrote:
On 4/30/2014 6:22 PM, Douglas Otis wrote:
Skycoast.us is using a DMARC p=reject with users sending to a mailing list. Really?
I haven't seen any failures, yet.

How about the fact that this and every other message I get from you ends up in 
my Google Apps spam folder?

Be careful with this message. Our systems couldn't verify that this message was 
really sent by skycoast.us. You might want to avoid clicking links or replying 
with personal information.

  Scott

Dear Scott,

I did not see a warning.  I looked in the spam folder.  It seems gmail makes an 
exception that allows these messages to reach spam folders.  It seems they know 
DMARC can't be fully trusted.

Here is a redacted header list:
,---
Return-Path: <[email protected]>
Received-Spf: pass (google.com: domain of [email protected] designates
 208.69.40.156 as permitted sender) client-ip=208.69.40.156;
Authentication-Results: mx.google.com;
 spf=pass (google.com: domain of [email protected] designates
 208.69.40.156 as permitted sender) [email protected];
 dmarc=fail (p=REJECT dis=NONE) header.from=skycoast.us
Authentication-Results: dragon.trusteddomain.org;
 sender-id=fail (NotPermitted) [email protected];
 spf=fail (NotPermitted) [email protected]
Authentication-Results: dragon.trusteddomain.org;
 sender-id=pass [email protected]; spf=pass [email protected]
Message-Id: <[email protected]>
Mime-Version: 1.0 (Mac OS X Mail 7.2 \(1874\))
References: <[email protected]>
 <CAGGEJxYQkeDDFKPnLR9vU=01pCi73e0XODGVcd=p2a+910p...@mail.gmail.com>
 <[email protected]> <[email protected]>,
 <[email protected]>
 <[email protected]>
 <[email protected]>
In-Reply-To: <[email protected]>
X-Mailer: Apple Mail (2.1874)
X-Beenthere: [email protected]
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: Public DMARC draft discussions <dmarc-discuss.dmarc.org>
Re: [dmarc-discuss] DMARC woes - forwarding signed /   encrypted e-mail
Security:  Signed ([email protected])
'---

Here is what was seen in your DNS:
_dmarc.skycoast.us.       1800   IN     TXT    "v=DMARC1\;p=reject\;pct=100\;rua=mailto:[email protected]";
skycoast.us.              1799   IN     TXT    "v=spf1 a mx ~all"
skycoast.us.              1799   IN     MX     10 secure.paul-scott.us.
secure.paul-scott.us.     1799   IN     CNAME  paul-scott.us.

paul-scott.us.            1799   IN     TXT    "v=spf1 a mx ~all"
paul-scott.us.            1799   IN     SOA    NS1.DIGITALOCEAN.COM. hostmaster.paul-scott.us. 1398641398 3600 900 1209600 1800
paul-scott.us.            1799   IN     MX     10 secure.paul-scott.us.
paul-scott.us.            1799   IN     A      198.199.100.11

While your SPF records offer SOFTFAIL, DMARC records offer REJECT.  Setting SPF 
records for SOFTFAIL improves DMARC delivery rates, but does not help when a 
mailing-list is used.  The mailing-list is NOT in alignment with "dmarc.org" 
and very likely breaks DKIM signatures.  Reconsider using CNAME for your mail 
host as well.  See http://tools.ietf.org/html/rfc2181#section-10.3.  It can 
lead to nasty mailing loops and might cause the record itself to be rejected!

I am considering a cleanup of the original ID for TPA (third-party 
authorization) records to allow domains a means to selectively enable tens of 
thousands of specific domains with specific restrictions imposed, such as 
containing an aligned LIST-ID header field. Perhaps DMARC could signal its use 
in their record. This will allow Yahoo! a means to significantly limit damage 
caused by user accounts having been compromised along with their users' address 
books.  The source must still authenticate, but specific exceptions can be made 
to retain mailing-list use.  Just as LinkedIn, PayPal, and now Google will 
discover, their users ended up still sending to mailing-lists, although I think 
PayPal managed to educate their users.  It seems the DMARC mailing-list 
neglects to make that point, and hence your email being placed in a spam 
folder. It seems REJECT now means QUARANTINE.

Regards,
Douglas Otis





_______________________________________________
dmarc-discuss mailing list
[email protected]
http://www.dmarc.org/mailman/listinfo/dmarc-discuss

NOTE: Participating in this list means you agree to the DMARC Note Well terms 
(http://www.dmarc.org/note_well.html)
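
Added example, not part of the original thread: a Python check that reads the `dmarc=fail (p=REJECT dis=NONE)` comment format shown in the Gmail header above, trusts only the Authentication-Results header stamped by the named receiver, and flags when the applied disposition is weaker than the published policy. The sample message, its placeholder addresses, the function name and the List-Id heuristic for the `mailing_list` override reason are assumptions.

```python
import re
from email import message_from_string

# Constructed sample modelled on the redacted header list in the thread;
# the addresses are placeholders.
SAMPLE = """\
Authentication-Results: mx.google.com;
 spf=pass smtp.mailfrom=bounces@lists.example;
 dmarc=fail (p=REJECT dis=NONE) header.from=skycoast.us
Authentication-Results: dragon.trusteddomain.org;
 spf=fail (NotPermitted) smtp.mailfrom=author@skycoast.us
Precedence: list
List-Id: Public DMARC draft discussions <dmarc-discuss.dmarc.org>
From: author@skycoast.us

body
"""

STRENGTH = {"none": 0, "quarantine": 1, "reject": 2}
DMARC_RE = re.compile(
    r"dmarc=(\w+)\s*\(p=(\w+)\s+dis=(\w+)\)(?:\s+header\.from=([\w.-]+))?", re.I)

def dmarc_verdicts(raw, authserv_id):
    """Return DMARC verdicts stamped by our own receiver (authserv_id) only."""
    msg = message_from_string(raw)
    via_list = (msg.get("List-Id") is not None
                or msg.get("Precedence", "").strip().lower() == "list")
    verdicts = []
    for value in msg.get_all("Authentication-Results", []):
        unfolded = " ".join(value.split())          # undo header folding
        stamped_by = unfolded.split(";", 1)[0].split()
        # Headers added upstream (here: the list host) are not trusted input.
        if not stamped_by or stamped_by[0].lower() != authserv_id.lower():
            continue
        m = DMARC_RE.search(unfolded)
        if not m:
            continue
        result, policy, applied, domain = (g.lower() if g else g for g in m.groups())
        overridden = (result == "fail"
                      and STRENGTH.get(applied, 0) < STRENGTH.get(policy, 0))
        verdicts.append({
            "domain": domain, "result": result,
            "published": policy, "applied": applied, "overridden": overridden,
            # Heuristic (assumption): list headers suggest the report reason.
            "reason": "mailing_list" if overridden and via_list else None,
        })
    return verdicts
```

Calling `dmarc_verdicts(SAMPLE, "mx.google.com")` yields one verdict for skycoast.us with the published policy `reject`, the applied disposition `none` and the override flagged; the list host's own header is skipped.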
