Re: [dmarc-discuss] Why do I receive RUAs for emails that align?

2017-01-31 Thread Jim Popovitch via dmarc-discuss
On Tue, Jan 31, 2017 at 11:14 PM, Roland Turner via dmarc-discuss
 wrote:
> Jim Popovitch wrote:
>
>
>> I rolled out additional DMARC support for Mailman (outbound alignment)
>> recently, and to be honest I'm not yet convinced that all receivers
>> have a clue when verifying alignment...
>
> Can you explain what difficulty you're describing here? From the examples
> that you linked I saw messages that had SPF passes, meaning that the DKIM
> result was not important (and quite possibly not tested or recorded).

The difficulty I have is exactly as you described.   I received a
DMARC report that says there is a DKIM failure, but what is not clear
is whether or not the email was "quite possibly not tested or
recorded".   That DMARC report is pointless without knowing more.

>> so it makes it much more
>> difficult, for me, to trust the data. So... imho it's a waste of
>> time/effort building an archive of suspect data until faith can be
>> established in what is reported.
>
> You certainly shouldn't spend time and effort on this if you're not deriving
> value from it. The idea of trusting the data is an unusual one in a DMARC
> context though. One of the things that DMARC reporting does is to expose the
> variability and complexity of real-world email systems, meaning that the
> data often requires human interpretation and even guesswork. DMARC reports
> should be treated as indicative rather than trustworthy, in any typical
> sense of that word. It is certainly to be taken for granted that there is
> incomplete and/or erroneous data in the reports.
>
> It occurs to me that you've not spelled out clearly what you're attempting
> to achieve with DMARC (or I missed your doing so). Doing so might surface an
> incorrect expectation on your part that might allow your difficulties to be
> resolved in one step.

In its infancy DMARC was designed for transactional email, not human
generated content.   In those days pundits decreed that DMARC wasn't
for MLMs and that mailing lists would be whitelisted and treated with
special care.  As it turns out, the truth is somewhat different.  For
starters, a LOT of what a MLM does *is* transactional, so DMARC is a
perfect fit for at least that part of it.  In particular Mailman sends
a lot of transactional notifications (subscription notices, posting
notices, password reminders, etc.) and it never really mattered (until
now) that Mailman would have a Sender and From with different domains
(sitelist vs mailing list).   In order to improve long-term
deliverability it was (to me) imperative to fix the Mailman domain
alignment issues wrt notifications.   Now that that is coded, and
DMARC RRs published, it's working perfectly, save for the few "false
positive" failure reports. Of course, my interest has now turned to
trying to understand why XYZ determines there is a failure (was it a
DNS problem?, was there a middle man?, etc.).  The end goal being
perfect delivery, sans any problems or implication of there being a
problem needing investigation or effort on my part.

-Jim P.
___
dmarc-discuss mailing list
dmarc-discuss@dmarc.org
http://www.dmarc.org/mailman/listinfo/dmarc-discuss

NOTE: Participating in this list means you agree to the DMARC Note Well terms 
(http://www.dmarc.org/note_well.html)
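
An added example, not part of the original thread: a short Python reader for an aggregate (RUA) report that separates the DMARC verdict from the per-mechanism results, showing how a record can list a DKIM failure while the message still passes on aligned SPF, and whether any raw DKIM result was recorded at all. The sample report, its domains and the function names are constructed for illustration.

```python
# For reports received from untrusted senders, prefer a hardened XML parser such as defusedxml.
import xml.etree.ElementTree as ET

# Constructed sample aggregate report in the RFC 7489 layout; all values are made up.
SAMPLE_REPORT = """<feedback>
  <policy_published><domain>lists.example.org</domain><p>none</p></policy_published>
  <record>
    <row><source_ip>192.0.2.10</source_ip><count>3</count>
      <policy_evaluated><dkim>pass</dkim><spf>pass</spf></policy_evaluated></row>
    <auth_results>
      <dkim><domain>lists.example.org</domain><result>pass</result></dkim>
      <spf><domain>lists.example.org</domain><result>pass</result></spf>
    </auth_results>
  </record>
  <record>
    <row><source_ip>192.0.2.10</source_ip><count>2</count>
      <policy_evaluated><dkim>fail</dkim><spf>pass</spf></policy_evaluated></row>
    <auth_results>
      <spf><domain>lists.example.org</domain><result>pass</result></spf>
    </auth_results>
  </record>
  <record>
    <row><source_ip>198.51.100.7</source_ip><count>1</count>
      <policy_evaluated><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
    <auth_results>
      <dkim><domain>lists.example.org</domain><result>fail</result></dkim>
      <spf><domain>forwarder.example.net</domain><result>pass</result></spf>
    </auth_results>
  </record>
</feedback>"""

def _text(node, path):
    found = node.find(path)
    return found.text.strip() if found is not None and found.text else ""

def classify(record):
    """Return the DMARC verdict and what the record actually says about DKIM."""
    pe = "row/policy_evaluated"
    dkim_aligned = _text(record, f"{pe}/dkim") == "pass"
    spf_aligned = _text(record, f"{pe}/spf") == "pass"
    raw_dkim = [_text(d, "result") for d in record.findall("auth_results/dkim")]
    # DMARC passes when either mechanism passes with an aligned domain.
    if dkim_aligned and spf_aligned:
        verdict = "pass via DKIM and SPF"
    elif spf_aligned:
        verdict = "pass via SPF only"
    elif dkim_aligned:
        verdict = "pass via DKIM only"
    else:
        verdict = "fail"
    if dkim_aligned:
        dkim_note = "aligned pass"
    elif not raw_dkim:
        dkim_note = "no DKIM result recorded"
    elif "pass" in raw_dkim:
        dkim_note = "signature passed but domain not aligned"
    else:
        dkim_note = "signature checked and failed"
    return {"source_ip": _text(record, "row/source_ip"),
            "count": int(_text(record, "row/count") or 0),
            "dmarc": verdict, "dkim": dkim_note}

def summarize(xml_text):
    root = ET.fromstring(xml_text)
    for el in root.iter():  # some reporters add an XML namespace; drop it
        el.tag = el.tag.rsplit("}", 1)[-1]
    return [classify(r) for r in root.findall("record")]

if __name__ == "__main__":
    for row in summarize(SAMPLE_REPORT):
        print(row)
```
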


Re: [dmarc-discuss] opendkim-atpszone reproducibility and examples

2017-01-31 Thread Roland Turner via dmarc-discuss
I'd suggest that reliance upon ADSP is unwise as - having been reclassified as 
historic - it could stop working at any time without warning. A better option 
might be to sign your reports with the DKIM signature of the reporting domain 
(i.e. sign with example.eu instead of example.com in your obscured example).


- Roland


From: dmarc-discuss  on behalf of SheridanJ 
West via dmarc-discuss 
Sent: Wednesday, 1 February 2017 00:53
Cc: dmarc-discuss@dmarc.org
Subject: Re: [dmarc-discuss] opendkim-atpszone reproducibility and examples


i appear to need atps records for google this is with atps dns text records and 
probably others

opendmarc-reports: sent report for gmail.com to 
mailauth-repo...@google.com (2.0.0 Ok: 
queued as x1)



postfix/smtp[28130]: x2: 
to=>,
relay=aspmx.l.google.com[66.102.1.26]:25, delay=0.87,
delays=0.13/0.01/0.25/0.48, dsn=2.0.0,
status=sent (250 2.0.0 OK xx xx - gsmtp)

without atps [results i got from last week]

postfix/smtp[5820]:
 x0: to=>,
relay=aspmx.l.google.com[74.125.71.26]:25, delay=1.1,
 delays=0.13/0.01/0.49/0.43, dsn=5.7.1, status=bounced
(host aspmx.l.google.com[74.125.71.26] said: 
550-5.7.1
Unauthenticated email from example.eu  is not accepted
due to 550-5.7.1 domain's DMARC policy.
Please contact the administrator of 550-5.7.1 example.eu
domain if this was a legitimate mail.

I used (appears to work) dns records

 _adsp._domainkey.example.eu.  "dkim=all 
atps=y; asl=example.com;"
http://example.com>>._atps.example.eu. 
"v=atps01; d=example.com;"

not work (or tried yet) the content made by openmarc-atpszone

v=ATPS1; d=example.net

The windows version appears to be the winner for syntax of atps.

although i can get sha1 domain name hashes from both with.

opendkim-atpszone -h sha1 -u example.com -A 
example.net


So most of opendkim-atpszone is best ignored it appears


On Tue, Jan 31, 2017 at 2:17 PM, Juri Haberland via dmarc-discuss wrote:
SheridanJ West via dmarc-discuss wrote:
> I encountered a opendmarc bug that required adsp records as well to send
> dmarc reports and i had a fun time trying to reproduce the output for i do
> not know how long the url i mention will last.

> Is nearly the same but I am confused - is the web parser right and the
> opendkim-atpszone command wrong? with v=ATPS1

> I ask as this affects only dmarc reports (no i do not run 
> example.com) our
> normal email is sent ok

Even though this is not an OpenDMARC specific mailing list but a generic DMARC
discussion list, can you be a bit more specific in which way OpenDMARC reports
are affected by the differing output of the webtool vs. opendkim-atpszone?

  Juri


Re: [dmarc-discuss] Why do I receive RUAs for emails that align?

2017-01-31 Thread Jim Popovitch via dmarc-discuss
On Tue, Jan 31, 2017 at 5:24 PM, Peter Gonzalez via dmarc-discuss
 wrote:
> On 2017 Jan 31, 05:59, Jim Popovitch wrote:
>> On Sat, Jan 28, 2017 at 1:49 AM, Dave Warren wrote:
>> > On Fri, Jan 27, 2017, at 04:23, Jim Popovitch wrote:
>> >
>> >> But what can you do about it?  What is the "value" of having that
>> >> information, and what is the "cost" of capturing it?
>> >
>> > To me, the value of these reports is pre-deployment, by carefully
>> > reviewing the reports you can identify any legitimate sources of mail
>> > which are not properly signed and aligned.
>>
>> I rolled out additional DMARC support for Mailman (outbound alignment)
>> recently, and to be honest I'm not yet convinced that all receivers
>> have a clue when verifying alignment... so it makes it much more
>> difficult, for me, to trust the data. So... imho it's a waste of
>> time/effort building an archive of suspect data until faith can be
>> established in what is reported.
>
> So what exactly did you do to "roll out additional DMARC support" in
> your Mailman setup?

Mailman has historically done some funky things with moderator/owner
notifications.   Depending on your Mailman config, mailman *might*
send list notifications in ways you might not expect.   I set out last
year to identify what I saw as bugs in the way Mailman sent
notifications differently than list traffic.   Those changes are
tracked here:
https://code.launchpad.net/~jimpop/mailman/virtual-notices


> I don't see why you suspect receivers of your mailing list traffic are
> doing it wrong when checking it for DMARC. Mailing list traffic is prone
> to fail DMARC checks in subtle ways.

It is disingenuous, imho, for a receiver to submit a DMARC report to a
sender if the subtle failures are receiver side or if those reports
don't contain enough information for the receiver to understand the
reason(s) for the subtle failure ("give me the RUF or STFU").  :-)

>> Here's a few examples for the same email:
>>
>> Hotmail gets it right:
>> http://domainmail.org/dmarc-reports/hotmail.com%21netcoolusers.org%211485698400%211485784800.xml
>>
>> ItaliaOnline gets it right:
>> http://domainmail.org/dmarc-reports/italiaonline.it%21netcoolusers.org%211485778386%211485778386.xml
>>
>> VirginMedia gets it wrong:
>> http://domainmail.org/dmarc-reports/virginmedia.co.uk%21netcoolusers.org%211485734404%211485820804.xml
>>
>> CSP-Net gets it wrong:
>> http://domainmail.org/dmarc-reports/bechu-vir0001.csp-net.ch%21netcoolusers.org%211485730804%211485817204.xml
>
> I see in those samples you provide that DKIM is failing for some
> messages. Could it be that some subscriber(s) to your mailing list has
> set up some kind of subject-tagging and ulterior forwarding when he
> receives your mailing list messages?

Great question, but you should ask Virgin Media or CSP-Net.   I'd bet
a few beers that the DKIM failures are due to those companies
injecting inbound msg headers before processing DMARC checks... but
without the RUF who really knows... and more importantly why should I
invest time/effort into tracking that "failure".

>> So it's 50/50 for the same small sample of list traffic.   Do I care,
>> sure!   If someone from Virgin Media or CSP-Net wants to explain the
>> failures (or send me the RUFs that I already ask for) then I am all
>> ears.   Until then, I remain a skeptic.  ;-)
>
> Skeptic about what: about those receivers' ability to properly check
> DMARC, or about the usefulness to you of DMARC reporting?

Skeptic about the usefulness of the reporting.  As I said before, If 1
receiver shows alignment then my work is complete.

> It seems to me that DMARC reporting is all about statistics, and for
> statistics to be relevant you have to drown down the noise, and for that
> you need to have a big enough sample. The samples you provided are very
> small in the quantity of messages reported, so it could well be that
> you are seeing noise just now, and that you need a much bigger sample
> to reap the value of DMARC reporting.

I disagree.   The larger sample size is still statistically suspect
due to all the blind spots in the receiver generated data.   Just
knowing you have a 0.02% DKIM failure is meaningless without knowing
why.


> For example, see bullet point 3 here to read
> about the true value of DMARC reporting:
> https://blogs.msdn.microsoft.com/tzink/2016/09/27/how-we-moved-microsoft-com-to-a-pquarantine-dmarc-record/
>

That hurt my eyes to read. :-)   Did you not notice these 2
conflicting sentences in the first paragraph:

   "In case you hadn’t noticed, Microsoft recently published a DMARC record"

   "This means that any sender transmitting email either into
Microsoft’s corp mail servers..."


Hint: Microsoft's DMARC record is NOT used by senders transmitting
email to Microsoft.

-Jim P.


Re: [dmarc-discuss] Why do I receive RUAs for emails that align?

2017-01-31 Thread Peter Gonzalez via dmarc-discuss
On 2017 Jan 31, 05:59, Jim Popovitch wrote:
> On Sat, Jan 28, 2017 at 1:49 AM, Dave Warren wrote:
> > On Fri, Jan 27, 2017, at 04:23, Jim Popovitch wrote:
> >
> >> But what can you do about it?  What is the "value" of having that
> >> information, and what is the "cost" of capturing it?
> >
> > To me, the value of these reports is pre-deployment, by carefully
> > reviewing the reports you can identify any legitimate sources of mail
> > which are not properly signed and aligned.
> 
> I rolled out additional DMARC support for Mailman (outbound alignment)
> recently, and to be honest I'm not yet convinced that all receivers
> have a clue when verifying alignment... so it makes it much more
> difficult, for me, to trust the data. So... imho it's a waste of
> time/effort building an archive of suspect data until faith can be
> established in what is reported.

So what exactly did you do to "roll out additional DMARC support" in
your Mailman setup?

I don't see why you suspect receivers of your mailing list traffic are
doing it wrong when checking it for DMARC. Mailing list traffic is prone
to fail DMARC checks in subtle ways.

> Here's a few examples for the same email:
> 
> Hotmail gets it right:
> http://domainmail.org/dmarc-reports/hotmail.com%21netcoolusers.org%211485698400%211485784800.xml
> 
> ItaliaOnline gets it right:
> http://domainmail.org/dmarc-reports/italiaonline.it%21netcoolusers.org%211485778386%211485778386.xml
> 
> VirginMedia gets it wrong:
> http://domainmail.org/dmarc-reports/virginmedia.co.uk%21netcoolusers.org%211485734404%211485820804.xml
> 
> CSP-Net gets it wrong:
> http://domainmail.org/dmarc-reports/bechu-vir0001.csp-net.ch%21netcoolusers.org%211485730804%211485817204.xml

I see in those samples you provide that DKIM is failing for some
messages. Could it be that some subscriber(s) to your mailing list has
set up some kind of subject-tagging and ulterior forwarding when he
receives your mailing list messages?

> So it's 50/50 for the same small sample of list traffic.   Do I care,
> sure!   If someone from Virgin Media or CSP-Net wants to explain the
> failures (or send me the RUFs that I already ask for) then I am all
> ears.   Until then, I remain a skeptic.  ;-)

Skeptic about what: about those receivers' ability to properly check
DMARC, or about the usefulness to you of DMARC reporting?

It seems to me that DMARC reporting is all about statistics, and for
statistics to be relevant you have to drown down the noise, and for that
you need to have a big enough sample. The samples you provided are very
small in the quantity of messages reported, so it could well be that
you are seeing noise just now, and that you need a much bigger sample
to reap the value of DMARC reporting.

For example, see bullet point 3 here to read
about the true value of DMARC reporting:
https://blogs.msdn.microsoft.com/tzink/2016/09/27/how-we-moved-microsoft-com-to-a-pquarantine-dmarc-record/

Bye.

-- 
Peter Gonzalez


Re: [dmarc-discuss] opendkim-atpszone reproducibility and examples

2017-01-31 Thread Benny Pedersen via dmarc-discuss

A. Schulze via dmarc-discuss wrote on 2017-01-30 22:30:

> On 30.01.2017 at 21:40, SheridanJ West via dmarc-discuss wrote:
>> I encountered a opendmarc bug that required adsp records
>
> don't waste your time with ADSP, forget it.
> it's deprecated and in fact dead


and spamassassin does not care of that, where is the dmarc support for 
equant of adsp ?


on top of that dnssec is not very well tested, so most domains that have 
else working dkim key, is not caring of make dnssec working, sadly


i begin to hate dkim/dmarc/arc fucked brain dead solutions that is near 
killing mail systems that just like to have dkim pass and nothing more 
problems, sadly lowest commodity wins :(


i think it's okay to say that here when i self do it right, no ?

time for me to take another beer :=)


Re: [dmarc-discuss] opendkim-atpszone reproducibility and examples

2017-01-31 Thread Juri Haberland via dmarc-discuss
SheridanJ West via dmarc-discuss wrote:
> I encountered a opendmarc bug that required adsp records as well to send
> dmarc reports and i had a fun time trying to reproduce the output for i do
> not know how long the url i mention will last.

> Is nearly the same but I am confused - is the web parser right and the
> opendkim-atpszone command wrong? with v=ATPS1

> I ask as this affects only dmarc reports (no i do not run example.com) our
> normal email is sent ok

Even though this is not an OpenDMARC specific mailing list but a generic DMARC
discussion list, can you be a bit more specific in which way OpenDMARC reports
are affected by the differing output of the webtool vs. opendkim-atpszone?

  Juri



Re: [dmarc-discuss] A bit quiet?

2017-01-31 Thread Payne, John via dmarc-discuss
On Jan 19, 2017, at 12:26 AM, Roland Turner via dmarc-discuss wrote:


Brandon Long wrote:


> If you go to p=quarantine and pct=0, Google Groups will still do the 
> rewriting, but no one
> should enforce the quarantine.  I know this is true for our own code, but I 
> don't know how
> well others handle it to know if it's a safe thing to do or not.

That is excellent and revolting at the same time! Thank you.

And it did the trick.  Down to a manageable number of failures now, thanks for 
the hint Brandon :)


Thanks
John

Re: [dmarc-discuss] Why do I receive RUAs for emails that align?

2017-01-31 Thread Jim Popovitch via dmarc-discuss
On Sat, Jan 28, 2017 at 1:49 AM, Dave Warren via dmarc-discuss
 wrote:
> On Fri, Jan 27, 2017, at 04:23, Jim Popovitch via dmarc-discuss wrote:
>> On Thu, Jan 26, 2017 at 11:13 PM, John Levine via dmarc-discuss
>>  wrote:
>> > I concur with Roland.  Looking at my failure reports, I see some from
>> > Hotmail and Linkedin and beyond that a few from Chinese and Russian
>> > ISPs generally reporting random spam that happened to randomly fake my
>> > domain.
>>
>> But what can you do about it?  What is the "value" of having that
>> information, and what is the "cost" of capturing it?
>
> To me, the value of these reports is pre-deployment, by carefully
> reviewing the reports you can identify any legitimate sources of mail
> which are not properly signed and aligned.
>
> As a company that currently has no employees beyond myself and only a
> few hundred clients, I was able to find a couple legitimate sources of
> mail coming from my own domain that had been previously overlooked.


I rolled out additional DMARC support for Mailman (outbound alignment)
recently, and to be honest I'm not yet convinced that all receivers
have a clue when verifying alignment... so it makes it much more
difficult, for me, to trust the data. So... imho it's a waste of
time/effort building an archive of suspect data until faith can be
established in what is reported.

Here's a few examples for the same email:

Hotmail gets it right:
http://domainmail.org/dmarc-reports/hotmail.com%21netcoolusers.org%211485698400%211485784800.xml

ItaliaOnline gets it right:
http://domainmail.org/dmarc-reports/italiaonline.it%21netcoolusers.org%211485778386%211485778386.xml

VirginMedia gets it wrong:
http://domainmail.org/dmarc-reports/virginmedia.co.uk%21netcoolusers.org%211485734404%211485820804.xml

CSP-Net gets it wrong:
http://domainmail.org/dmarc-reports/bechu-vir0001.csp-net.ch%21netcoolusers.org%211485730804%211485817204.xml


So it's 50/50 for the same small sample of list traffic.   Do I care,
sure!   If someone from Virgin Media or CSP-Net wants to explain the
failures (or send me the RUFs that I already ask for) then I am all
ears.   Until then, I remain a skeptic.  ;-)

-Jim P.


Re: [dmarc-discuss] opendkim-atpszone reproducibility and examples

2017-01-31 Thread SheridanJ West via dmarc-discuss
I would rather not rebuild our mail server(s) and the bits hanging off it
just to keep opendmarc-report functionality since they do everything else
ok.

Thanks.


On Mon, Jan 30, 2017 at 9:30 PM, A. Schulze via dmarc-discuss <
dmarc-discuss@dmarc.org> wrote:

>
>
> On 30.01.2017 at 21:40, SheridanJ West via dmarc-discuss wrote:
> > I encountered a opendmarc bug that required adsp records
> don't waste your time with ADSP, forget it.
> it's deprecated and in fact dead
>
> Andreas