In message <[email protected]>, Alan Hodgson writes:
> On Wednesday 29 March 2017 14:28:30 Carl Byington wrote:
> > For an example of that (unless I am misunderstanding something), we
> > have:
> >
> > --> Hello marketo-email.box.com [192.28.147.169], pleased to meet you
> > <-- MAIL FROM:<[email protected]>
> > <-- RCPT TO: ...
> >
> > dkim pass header.d=mktdns.com
> > rfc2822 from header = [email protected]
> >
> >
> > dig _dmarc.email.box.com txt +short
> > "v=DMARC1; p=reject; ..."
> >
> > dig email.box.com txt +short
> > "v=spf1 ip4:192.28.147.168 -all"

Well you should be checking the correct TXT record for SPF.

dig marketo-email.box.com txt +short
"v=spf1 ip4:192.28.147.168 ip4:192.28.147.169 -all"

> > So given the dmarc reject policy, it needs to pass either spf (which
> > fails 192.28.147.168 != 192.28.147.169), or dkim (which fails since it
> > is not signed by anything related to email.box.com.
> >
> > Am I missing something, or is that just broken?
>
> That appears to be broken. The -all on the SPF record alone breaks it, since
> receivers should refuse it at that point. But yeah the DMARC is also broken.
>
> Interestingly, the mail I've seen recently from email.box.com has multiple
> signatures, one of which is from email.box.com. And it originated from
> 192.28.147.168. Weird.

--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: [email protected]
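
The two SPF lookups contrasted in this message, evaluated in code as an added example (not part of the original thread). It assumes the envelope sender domain is marketo-email.box.com and the header From domain is email.box.com, since both addresses are redacted in the archive; alignment defaults to relaxed because the DMARC record is elided, and `org_domain` is a two-label simplification.

```python
import ipaddress

# SPF records and client address exactly as quoted in the thread.
SPF = {
    "email.box.com": "v=spf1 ip4:192.28.147.168 -all",
    "marketo-email.box.com": "v=spf1 ip4:192.28.147.168 ip4:192.28.147.169 -all",
}
CLIENT_IP = "192.28.147.169"
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def spf_check(domain, client_ip, records=SPF):
    """Evaluate ip4 and 'all' mechanisms only (sufficient for the records above)."""
    record = records.get(domain)
    if record is None or not record.startswith("v=spf1"):
        return "none"
    ip = ipaddress.ip_address(client_ip)
    for term in record.split()[1:]:
        qual = "+"
        if term[0] in QUALIFIERS:
            qual, term = term[0], term[1:]
        if term.startswith("ip4:"):
            if ip in ipaddress.ip_network(term[4:], strict=False):
                return QUALIFIERS[qual]
        elif term == "all":
            return QUALIFIERS[qual]
    return "neutral"

def org_domain(domain):
    # Assumption: last two labels. Production code needs the Public Suffix List.
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def aligned(auth_domain, from_domain, mode="r"):
    """DMARC identifier alignment: 's' = exact match, 'r' = same organizational domain."""
    a, f = auth_domain.lower(), from_domain.lower()
    return a == f if mode == "s" else org_domain(a) == org_domain(f)

def dmarc_result(from_domain, mailfrom_domain, client_ip, dkim_pass_domains,
                 aspf="r", adkim="r"):
    """DMARC passes if SPF or DKIM both passes and aligns with the header From domain."""
    spf_ok = (spf_check(mailfrom_domain, client_ip) == "pass"
              and aligned(mailfrom_domain, from_domain, aspf))
    dkim_ok = any(aligned(d, from_domain, adkim) for d in dkim_pass_domains)
    return "pass" if spf_ok or dkim_ok else "fail"

if __name__ == "__main__":
    for mailfrom in SPF:  # compare the record each poster looked up
        print(mailfrom, spf_check(mailfrom, CLIENT_IP),
              dmarc_result("email.box.com", mailfrom, CLIENT_IP, ["mktdns.com"]))
```

Passing `aspf="s"` shows the same message failing DMARC under strict SPF alignment, since marketo-email.box.com is not an exact match for email.box.com.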

