On Tue, Jan 27, 2015 at 8:55 AM, John Schmerold <[email protected]> wrote:
> Everyday, my abuse mailbox is filled with messages from Microsoft, Google
> and Yahoo (MGY) reporting that others have sent suspicious emails using our
> domain.
>
> We have SPF & DKIM configured, not sure what if anything I should do with
> these messages from MGY.
>
> What do you do with this information? Our primary domain is katy.com
> <http://katy.com/>. I believe we have it properly configured...perhaps not.
>

I see you have enabled DMARC for your domain:

_dmarc.katy.com descriptive text "v=DMARC1\;p=none\;pct=100\;rua=mailto:[email protected]\;ruf=mailto:[email protected]\;"

This configuration will cause you to receive reports of unauthorized domain use. The reports are generally useless to you, unless you have customers whom you might want to know are being phished via spoofing of your domain.

If you have a genuine need to understand these reports, I suggest working with Agari (http://agari.com/what-we-do/), who suck in DMARC report data and make sense of it to help you improve your security.

Otherwise, just turn off feedback reporting in DMARC by removing the ruf= setting. The aggregate reports are probably more than enough to give you a sense of whether there is a widespread attack on your domain:

Do I want to receive Failure Reports (ruf=)?

*No, you do not!* *(at least not initially)*

Failure reports are very useful for forensic analysis to help identify both bugs in your own mail sending software and some kinds of phishing or other impersonation attacks, but...

...a failure report is sent immediately, every time a receiver rejects an email due to DMARC. The receiver may even send a report if the mail is accepted but one of the authentication mechanisms does not pass the alignment test. A forensic report can be the complete copy of the rejected email in Abuse Reporting Format (ARF). You may think your sending practices are good, and there should be few emails rejected, but every email that spoofs your domain will be rejected too and you will get a copy. This could be several times the volume of your legitimate emails.

So no, you do not want to receive Failure Reports until you are well prepared for them.

The strategy we recommend is to first publish a simple record in monitor mode (i.e. "p=none") just to get aggregate reports.

_dmarc.example.com IN TXT "v=DMARC1;p=none;pct=100;rua=mailto:[email protected]"

Study the aggregate reports, understand your mail infrastructure, understand what would happen if you change the policy to reject, especially how many failure reports you are likely to receive.

Once you are confident, add the "ruf=" tag pointing to a different mailbox than the rua= tag points to. If you get too many failure reports, this will not fill up the aggregate report mailbox, so you can keep your statistics running.

_dmarc.example.com IN TXT "v=DMARC1;p=reject;pct=100;rua=mailto:[email protected];ruf=mailto:[email protected]"

-- 
## List details at https://lists.exim.org/mailman/listinfo/exim-users
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/
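The staged rollout the reply describes (an aggregate-only record first, then a ruf= tag pointing at a separate mailbox) and its advice to study the aggregate reports, as an added Python example that is not code from this thread or from Exim. It splits a DMARC TXT record into its tags, flags the two things the reply warns about (ruf= while still at p=none, and ruf= sharing the rua= mailbox), and rolls up an RFC 7489 aggregate report by source IP so the sending hosts that fail alignment stand out. The example.com addresses, the IPs and the report contents are all constructed for the example.

```python
"""Added example (not code from the exim-users thread or from Exim):
parse DMARC TXT records and roll up an aggregate (rua) report by source IP.
Standard library only; every address, IP and report below is constructed."""
import xml.etree.ElementTree as ET
from collections import defaultdict

# Constructed records. The first mirrors the shape of the record quoted in the
# thread: p=none with ruf= on, and the backslash-escaped ';' some DNS tools print.
MONITOR_WITH_RUF = ('v=DMARC1\\;p=none\\;pct=100\\;rua=mailto:dmarc-agg@example.com'
                    '\\;ruf=mailto:dmarc-agg@example.com\\;')
MONITOR_RECORD = 'v=DMARC1; p=none; pct=100; rua=mailto:dmarc-agg@example.com'
REJECT_RECORD = ('v=DMARC1; p=reject; pct=100; rua=mailto:dmarc-agg@example.com; '
                 'ruf=mailto:dmarc-fail@example.com')

# Constructed aggregate report in the RFC 7489 XML schema: one known mail host
# with a few unaligned messages, and one unknown host sending as the domain.
SAMPLE_REPORT = """<feedback>
  <report_metadata>
    <org_name>constructed-receiver.example</org_name>
    <report_id>constructed-0001</report_id>
    <date_range><begin>1422316800</begin><end>1422403200</end></date_range>
  </report_metadata>
  <policy_published>
    <domain>example.com</domain><adkim>r</adkim><aspf>r</aspf><p>none</p><pct>100</pct>
  </policy_published>
  <record>
    <row><source_ip>192.0.2.10</source_ip><count>120</count>
      <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>pass</spf></policy_evaluated>
    </row>
    <identifiers><header_from>example.com</header_from></identifiers>
  </record>
  <record>
    <row><source_ip>192.0.2.10</source_ip><count>5</count>
      <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated>
    </row>
    <identifiers><header_from>example.com</header_from></identifiers>
  </record>
  <record>
    <row><source_ip>198.51.100.7</source_ip><count>45</count>
      <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated>
    </row>
    <identifiers><header_from>example.com</header_from></identifiers>
  </record>
</feedback>"""


def parse_dmarc_record(txt: str) -> dict:
    """Split a DMARC TXT record into lower-cased tag -> value pairs."""
    tags = {}
    for part in txt.strip().strip('"').split(';'):
        part = part.strip().replace('\\', '')  # tolerate escaped ';' from DNS tools
        if not part:
            continue
        key, _, value = part.partition('=')
        tags[key.strip().lower()] = value.strip()
    if tags.get('v') != 'DMARC1':
        raise ValueError('not a DMARC record')
    return tags


def rollout_advice(tags: dict) -> list:
    """Return the warnings from the thread that apply to a parsed record."""
    advice = []
    if 'rua' not in tags:
        advice.append('no rua=: you will receive no aggregate reports at all')
    if tags.get('p', 'none') == 'none' and 'ruf' in tags:
        advice.append('ruf= while p=none: one failure report per spoofed message; '
                      'drop ruf= until you are ready for that volume')
    if 'ruf' in tags and tags['ruf'] == tags.get('rua'):
        advice.append('ruf= and rua= share a mailbox: failure reports can bury '
                      'the aggregate reports you actually want')
    return advice


def summarize_aggregate_report(xml_text: str) -> dict:
    """Roll up one aggregate report by source IP: message count, how many
    passed DMARC (aligned DKIM or aligned SPF), and the dispositions applied."""
    root = ET.fromstring(xml_text)
    summary = defaultdict(lambda: {'count': 0, 'dmarc_pass': 0, 'dispositions': set()})
    for rec in root.iter('record'):
        row = rec.find('row')
        evaluated = row.find('policy_evaluated')
        count = int(row.findtext('count'))
        entry = summary[row.findtext('source_ip')]
        entry['count'] += count
        if evaluated.findtext('dkim') == 'pass' or evaluated.findtext('spf') == 'pass':
            entry['dmarc_pass'] += count
        entry['dispositions'].add(evaluated.findtext('disposition'))
    return dict(summary)


def failing_sources(summary: dict) -> list:
    """Sorted list of source IPs with at least one message that failed DMARC."""
    return sorted(ip for ip, e in summary.items() if e['dmarc_pass'] < e['count'])


if __name__ == '__main__':
    for name, record in [('monitor+ruf', MONITOR_WITH_RUF), ('monitor', MONITOR_RECORD),
                         ('reject', REJECT_RECORD)]:
        print(name, parse_dmarc_record(record), rollout_advice(parse_dmarc_record(record)))
    summary = summarize_aggregate_report(SAMPLE_REPORT)
    for ip, e in summary.items():
        print(ip, e['count'], 'messages,', e['count'] - e['dmarc_pass'], 'failed DMARC')
    print('sources to investigate:', failing_sources(summary))
```

A host that appears in `failing_sources` but belongs to you (the 192.0.2.10 case, with a handful of unaligned messages) is the kind of sending bug the reply says the aggregate data reveals; a host you do not recognise with only failures (198.51.100.7) is the spoofing traffic whose volume tells you how many failure reports a ruf= tag would generate.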
