[dmarc-discuss] Gmail making email more secure with MTA-STS standard

2019-04-18 Thread Denis Salicetti via dmarc-discuss
Hi guys,
I'm writing in reference to the MTA-STS standard just implemented by Google.
I read the following post but honestly, I didn't realize properly how to
put it in place and what all the implications are. Any suggestions about it?


https://security.googleblog.com/2019/04/gmail-making-email-more-secure-with-mta.html

Is MAAWG going to cover this topic soon?

I look forward to hearing from you.

Regards

*Denis Salicetti*
___
dmarc-discuss mailing list
dmarc-discuss@dmarc.org
http://www.dmarc.org/mailman/listinfo/dmarc-discuss

NOTE: Participating in this list means you agree to the DMARC Note Well terms 
(http://www.dmarc.org/note_well.html)

Re: [dmarc-discuss] Suggested DMARC policy for PEC (Italian certified e-mail)

2018-02-22 Thread Denis Salicetti via dmarc-discuss
Hi guys,
I think I can consider both suggestions, but I need to know whether what I
think is a good solution.

As I already said I set up SPF, DKIM and DMARC for salicetti.it (Google is
the standard email provider) and the actual policy is (sp=reject; p=reject).

PEC email provider (obviously is not Google but another one certified by
the government) told me that I can set up SPF record for sub-domain
pec.salicetti.it but no DKIM.

That said, I've been thinking of proceeding this way:

   1. keep (sp=reject; p=reject) for salicetti.it to keep sub-domains
   closed and safe.
   2. publish an explicit SPF record for pec.salicetti.it as suggested by
   the PEC email provider (v=spf1 include:pec.spf.kqi.it -all).
   3. publish an explicit DMARC record for pec.salicetti.it (v=DMARC1;
   p=reject; pct=100; fo=1; rua=x...@zzz.yy; ruf=x...@zzz.yy;).

Is this a good solution? More suggestions?

*Denis Salicetti <http://linkedin.salicetti.it/>*

2018-02-15 16:47 GMT+01:00 Al Iverson via dmarc-discuss <
dmarc-discuss@dmarc.org>:

> On the flip side of that, you might want to consider implementing p=reject
> on the PEC sub-domain, since perhaps you don't want to deliver mail
> claiming to be PEC mail if authentication fails. Wouldn't the three primary
> reasons for DMARC failure be, DKIM signature mangling, email forwarding, or
> spoofing? Only one of those (email forwarding) is likely to be legit/safe
> messages.
>
> Cheers,
> Al Iverson
>
> On Thu, Feb 15, 2018 at 9:40 AM, Todd Weltz via dmarc-discuss <
> dmarc-discuss@dmarc.org> wrote:
>
>> Hi Denis,
>>
>> For now, rather than leaving all sub-domains open, I would recommend
>> publishing an explicit record for pec.salicetti.it with a p=none and
>> setting salicetti.it back to sp=reject.  This will put the reject policy
>> back in place for all other potential sub-domains, but the explicit record
>> for pec.salicetti.it will mean that it will not inherit the sub-domain
>> policy from salicetti.it
>>
>> It sounds like deliverability is absolutely critical on these messages so
>> possibly you wouldn't move forward with a stronger DMARC policy on this
>> sub-domain.  But potentially you could check with the Certified Email
>> Provider to see if they have options to authenticate the mail.
>>
>> Regards,
>> Todd Weltz
>>
>> On Thu, Feb 15, 2018 at 9:02 AM, Denis Salicetti via dmarc-discuss <
>> dmarc-discuss@dmarc.org> wrote:
>>
>>> Hi,
>>> I need a suggestion about a particular thing.
>>>
>>> In Italy, there is a "special" type of e-mail called PEC (certified
>>> e-mail). This is the equivalent of a traditional registered mail with
>>> return receipt. It is mandatory for all companies (legal stuff between them
>>> or government). Basically, you get an electronic receipt every time a
>>> message has been received by recipient's domain server (as a proof that you
>>> got the message). More info here:
>>> https://en.wikipedia.org/wiki/Certified_email
>>>
>>> The address format must be em...@pec.domain.it
>>>
>>> I always used this configuration for salicetti.it (sp=reject; p=reject)
>>> with no problem, but now I have to decide what to do for
>>> pec.salicetti.it. For the moment I've changed it with (sp=none;
>>> p=reject).
>>>
>>> That said, I would like to know how to correctly set up a DMARC policy for
>>> this subdomain (pros and cons). What do you suggest? Have any Italian members
>>> of this list done that so far?
>>>
>>> I'm looking forward to your kind reply.
>>>
>>> Best regards.
>>>
>>> Denis Salicetti
>>>
>>
>>
>>
>> --
>> Todd Weltz, Customer Success Engineer
>> twe...@agari.com  l M: 416.471.8633 l www.agari.com
>> Changing Email Security For Good
>>
>
>
>
> --
> al iverson // wombatmail // miami
> http://www.aliverson.com
> http://www.spamresource.com
>
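
The sub-domain inheritance this thread turns on (sp= on salicetti.it versus an explicit record at pec.salicetti.it) can be checked offline. The following is an added example, not code from any list member: the record strings are constructed from the tags quoted in the messages, `unused.salicetti.it` is a hypothetical sub-domain, and the two-label organizational-domain rule is an assumption that holds for this domain.

```python
# Added example: DMARC policy discovery for a sub-domain, run against constructed
# zone data instead of live DNS. Tag values mirror those quoted in the thread.

def org_domain(domain):
    # ASSUMPTION: the last two labels form the organizational domain. True for
    # salicetti.it; real receivers consult the Public Suffix List.
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def parse_dmarc(txt):
    """Return the record's tags as a dict, or None if it is not a usable DMARC record."""
    parts = [p.strip() for p in txt.split(";") if p.strip()]
    tags = {}
    for part in parts:
        name, sep, value = part.partition("=")
        if sep:
            tags[name.strip().lower()] = value.strip()
    # v=DMARC1 must be the first tag; records without p= are ignored here (simplification).
    if not parts or parts[0].replace(" ", "") != "v=DMARC1" or "p" not in tags:
        return None
    return tags


def effective_policy(from_domain, zone):
    """Return (policy, record_name) a receiver applies to mail with this From: domain."""
    from_domain = from_domain.lower().rstrip(".")
    name = "_dmarc." + from_domain
    own = parse_dmarc(zone.get(name, ""))
    if own:
        return own["p"].lower(), name            # explicit record: its p= applies
    org = org_domain(from_domain)
    if org != from_domain:
        name = "_dmarc." + org
        rec = parse_dmarc(zone.get(name, ""))
        if rec:
            # Inherited from the organizational domain: sp= if present, else p=.
            return rec.get("sp", rec["p"]).lower(), name
    return None, None


# Constructed zones, one per layout discussed in the thread.
LAYOUTS = {
    "original": {"_dmarc.salicetti.it": "v=DMARC1; p=reject; sp=reject"},
    "temporary": {"_dmarc.salicetti.it": "v=DMARC1; p=reject; sp=none"},
    "weltz": {
        "_dmarc.salicetti.it": "v=DMARC1; p=reject; sp=reject",
        "_dmarc.pec.salicetti.it": "v=DMARC1; p=none",
    },
    "salicetti": {
        "_dmarc.salicetti.it": "v=DMARC1; p=reject; sp=reject",
        # rua/ruf omitted: the addresses are redacted in the archive.
        "_dmarc.pec.salicetti.it": "v=DMARC1; p=reject; pct=100; fo=1",
    },
}


def compare(layouts=LAYOUTS):
    """Map each layout to (policy for pec.salicetti.it, policy for an unused sub-domain)."""
    return {
        label: (
            effective_policy("pec.salicetti.it", zone)[0],
            effective_policy("unused.salicetti.it", zone)[0],  # hypothetical name
        )
        for label, zone in layouts.items()
    }


if __name__ == "__main__":
    for label, (pec, other) in compare().items():
        print(f"{label:10} pec.salicetti.it={pec:7} unused.salicetti.it={other}")
```

The "temporary" row shows why sp=none was the costly choice: it relaxes every sub-domain, not only the PEC one, while an explicit record at pec.salicetti.it changes that one name and leaves sp=reject covering the rest.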

[dmarc-discuss] Suggested DMARC policy for PEC (Italian certified e-mail)

2018-02-15 Thread Denis Salicetti via dmarc-discuss
Hi,
I need a suggestion about a particular thing.

In Italy, there is a "special" type of e-mail called PEC (certified
e-mail). This is the equivalent of a traditional registered mail with
return receipt. It is mandatory for all companies (legal stuff between them
or government). Basically, you get an electronic receipt every time a
message has been received by recipient's domain server (as a proof that you
got the message). More info here:
https://en.wikipedia.org/wiki/Certified_email

The address format must be em...@pec.domain.it

I always used this configuration for salicetti.it (sp=reject; p=reject)
with no problem, but now I have to decide what to do for pec.salicetti.it.
For the moment I've changed it with (sp=none; p=reject).

That said, I would like to know how to correctly set up a DMARC policy for this
subdomain (pros and cons). What do you suggest? Have any Italian members of
this list done that so far?

I'm looking forward to your kind reply.

Best regards.

Denis Salicetti

Re: [dmarc-discuss] Strange behaviour with Google calendar notifications

2016-12-07 Thread Denis Salicetti via dmarc-discuss
Hi Guys,
the problem with the 2048-bit DKIM key has been resolved. Now I can see it
valid and Google calendar notifications have been resolved as well.

Thank you very much.

*Denis Salicetti* <http://linkedin.salicetti.it/>

Notice of confidentiality <http://goo.gl/zS2xL> | Send me protected messages
<http://goo.gl/LbhIoi>

2016-12-06 22:01 GMT+01:00 Sim via dmarc-discuss :

> Hi Denis,
>
> On 06.12.2016 at 20:58, Denis Salicetti via dmarc-discuss wrote:
> >
> > I tried to verify if all the DNS records of my domain (SPF, DKIM and
> > DMARC) were good and I found out that the 2048-bit DKIM key was no
> > longer valid. This is strange because it was good so far, so I decided
> > to contact my DNS provider.
> That's odd. [Protodave's keychecker](https://protodave.com/tools/dkim-key-checker/?selector=google&domain=galeati.it)
> is still showing the string 'CEji' while I cannot find it in here.
>
> $ dig +short google._domainkey.galeati.it txt @ns1.acantho.net|grep CEji
> $ dig +short google._domainkey.galeati.it txt @ns3.acantho.net|grep CEji
>
> It is a valid pubkey without the 'i':
> -----BEGIN PUBLIC KEY-----
> MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAkx5rG60SwrFaFctJVHSF
> JRxylWDdjj3KMo8uDLoVn1CEjB5FbeJKE1I0huUA3m5GLaTyXEr8d61G9kTiQUpr
> uCCyKm83dIPv1gerCNivnBs0keWTBt8oaQzXEkxfFN9IFvS1/okcSOz5GwqKHsFZ
> BKSQE+VPpXcMwsgY5ECKlByKjE9LEi2jxud1R5p8GFCUHHYICGOvNwOk0K0eCC7v
> K6rNWxuP86nuYWSYaKTJIfZgCp7FanUg3DuyTSOiN9vwfUceexEk3H2Zn242/pi2
> HYozvTLY7Gw2MtQ7YVNvmfivbc1p2hwrbLnZkW3mKvBDofo08K76US66c2qyVn4z
> cQIDAQAB
> -----END PUBLIC KEY-----
>
> I guess caching is playing tricks and you fixed it already?
>
> Simon

Re: [dmarc-discuss] Strange behaviour with Google calendar notifications

2016-12-06 Thread Denis Salicetti via dmarc-discuss
Hi Guys,
all your suggestions led me to identify a possible cause.

I tried to verify if all the DNS records of my domain (SPF, DKIM and DMARC)
were good and I found out that the 2048-bit DKIM key was no longer valid.
This is strange because it was good so far, so I decided to contact my DNS
provider.

It seems something is wrong with their system because all of a sudden it
breaks the 2048-bit DKIM key. This doesn't occur with the 1024-bit DKIM key.

I'll let you know when it is fixed.

Thank you very much.

*Denis Salicetti* 

Notice of confidentiality | Send me protected messages


2016-12-06 8:14 GMT+01:00 Dave Warren via dmarc-discuss <
dmarc-discuss@dmarc.org>:

> On Mon, Dec 5, 2016, at 16:57, Steve Atkins via dmarc-discuss wrote:
> >
> > > On Dec 5, 2016, at 4:36 PM, Dave Warren via dmarc-discuss <dmarc-discuss@dmarc.org> wrote:
> > >
> > > On Mon, Dec 5, 2016, at 16:20, Steve Atkins via dmarc-discuss wrote:
> > >>
> > >> Mail from within Google to other places within Google may not cross the
> > >> external, non-ten-dot internet at all - and so cannot comply with your
> > >> SPF requirement. From your forwarded error that looks like it may be
> > >> what's happening.
> > >>
> > >> Should that cause a DMARC failure? Probably, yes. This may not be a good
> > >> domain to publish a DMARC p=reject message for.
> > >>
> > >> The only people who can fix it (other than you by removing your DMARC
> > >> records) are probably Google support, given they're your vendor for both
> > >> the sender and the recipient.
> > >
> > > Oh shoot, I missed the TXT file. Okay, looking at the headers:
> > >
> > > From: denis.salice...@galeati.it
> > > DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
> > >     d=galeati.it; s=google;
> > >
> > > That looks like message did get DKIM signed and is aligned to the From
> > > header, so shouldn't that be enough to pass DMARC in this case, even if
> > > SPF fails?
> >
> > Should be, assuming it's a valid signature (and there's no reason to
> > think it isn't).
> >
> > *But* in this case, the lack of Authentication-Results header makes me suspect
> > DKIM may be checked at an external MX that this internal-only message didn't
> > go through, leading to an authentication failure that parallels the SPF
> > one.
>
> I had the same thought, but, the attached bounce wouldn't necessarily
> have an Authentication-Results header yet if the message is rejected by
> the server that should be responsible for adding said header.
>
> Either way, it's all on Google, hopefully their customer support will be
> competent.
>
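
The alignment question raised in the quoted discussion (is an aligned DKIM signature enough when SPF is not aligned?) and the effect of the broken DKIM key reported in this message can be worked through together. This is an added example, not code from any list member: the authentication results are constructed, the MAIL FROM domain is taken from the bounce's To: address in the attachment, and the two-label organizational-domain rule is an assumption that holds for these domains.

```python
# Added example: DMARC identifier alignment, evaluated on constructed results.

def org_domain(domain):
    # ASSUMPTION: last two labels = organizational domain (true for galeati.it
    # and google.com); real receivers use the Public Suffix List.
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def aligned(auth_domain, from_domain, mode="r"):
    """Relaxed ('r') compares organizational domains, strict ('s') exact names."""
    a = auth_domain.lower().rstrip(".")
    f = from_domain.lower().rstrip(".")
    return a == f if mode == "s" else org_domain(a) == org_domain(f)


def evaluate(from_domain, spf, dkim, policy, aspf="r", adkim="r"):
    """Combine SPF and DKIM results the way DMARC does.

    spf    : (result, MAIL FROM domain)
    dkim   : list of (result, d= domain), one entry per signature
    policy : the p= value published for from_domain (pct= is ignored here)
    """
    spf_ok = spf[0] == "pass" and aligned(spf[1], from_domain, aspf)
    dkim_ok = [d for result, d in dkim
               if result == "pass" and aligned(d, from_domain, adkim)]
    passed = spf_ok or bool(dkim_ok)   # one aligned pass is sufficient
    return {
        "spf_aligned": spf_ok,
        "dkim_aligned": dkim_ok,
        "dmarc": "pass" if passed else "fail",
        "disposition": "none" if passed else policy,
    }


# Constructed inputs modelled on the calendar notification in this thread.
FROM_DOMAIN = "galeati.it"
# SPF is checked against the envelope sender, not the From: header, so the
# include:_spf.google.com in galeati.it's own SPF record is never consulted.
SPF = ("pass", "calendar-server.bounces.google.com")


def calendar_cases():
    """Return (key published correctly, key broken in DNS) evaluations."""
    healthy = evaluate(FROM_DOMAIN, SPF,
                       [("pass", "galeati.it"), ("pass", "google.com")], "reject")
    # Same message, but the receiver cannot verify the d=galeati.it signature
    # because the published key is invalid.
    broken = evaluate(FROM_DOMAIN, SPF,
                      [("fail", "galeati.it"), ("pass", "google.com")], "reject")
    return healthy, broken


if __name__ == "__main__":
    for label, result in zip(("key valid", "key broken"), calendar_cases()):
        print(label, result)
```

With the key valid, the aligned d=galeati.it signature alone carries DMARC; with the key broken, the passing SPF and d=google.com results do not help because neither aligns with the From: domain, which matches the 550 5.7.1 rejection in the attached bounce.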

[dmarc-discuss] Strange behaviour with Google calendar notifications

2016-12-05 Thread Denis Salicetti via dmarc-discuss
Hi Guys,
I am having a strange behaviour with Google Calendar.

Since I decided to set p=reject to my domain (galeati.it), every time I
share a calendar with another user, Google notification (attached) gets
rebounded immediately. I think this should not happen because my SPF record
include: _spf.google.com ~all

Any suggestions?

Thanks

*Denis Salicetti* 

Notice of confidentiality | Send me protected messages

Delivered-To: denis.salice...@galeati.it
Received: by 10.36.84.199 with SMTP id t190csp2419760ita;
Mon, 5 Dec 2016 13:07:51 -0800 (PST)
X-Received: by 10.25.162.198 with SMTP id l189mr21596751lfe.50.1480972071748;
Mon, 05 Dec 2016 13:07:51 -0800 (PST)
Return-Path: <>
Received: from mail-lf0-x248.google.com (mail-lf0-x248.google.com. 
[2a00:1450:4010:c07::248])
by mx.google.com with ESMTPS id c6si7911380lfk.196.2016.12.05.13.07.51
for 
(version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128);
Mon, 05 Dec 2016 13:07:51 -0800 (PST)
Received-SPF: pass (google.com: best guess record for domain of 
postmas...@mail-lf0-x248.google.com designates 2a00:1450:4010:c07::248 as 
permitted sender) client-ip=2a00:1450:4010:c07::248;
Authentication-Results: mx.google.com;
   dkim=pass header.i=@google.com;
   spf=pass (google.com: best guess record for domain of 
postmas...@mail-lf0-x248.google.com designates 2a00:1450:4010:c07::248 as 
permitted sender) smtp.helo=mail-lf0-x248.google.com;
   dmarc=pass (p=REJECT dis=NONE) header.from=google.com
Received: by mail-lf0-x248.google.com with SMTP id 98so129410112lfs.0
for ; Mon, 05 Dec 2016 13:07:51 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
d=google.com; s=20120113;
h=mime-version:from:to:auto-submitted:subject:references:in-reply-to
 :message-id:date;
bh=WjeafjtzYJ2RaRnVhcw2PgU3Zvui/jV66Ht9W0OJbLM=;
b=IKoTYY4THK5Dm3MuHZhWgns1VDIvq0AkOXVHeW+5gHZD6B5RWOQXPl8xT8h0ieS7/T
 l/oX+xpm5DfvUb6V1eOhNqQuvP4Ar3Gh/Ciz6o++wgLfU4LN0DKCqc+j1ZmBmm7u/hFW
 9TGpt4iHJEHGy8chlvUpgiOfksPkmVsql4crJUUmFfN1XTJBqKolehiRdQ2RXxGJSfAE
 +vdNnfZ5wKPzFrDWOayNz37DGelOn2MGhnsHIr3XLUftBVvo3kvrcdGNIBj8hLMf7Jdz
 L/c9JTTQj++7wZ2D8W83vVXyyncrjrOdhFgd/WF/YcZJeUSSAnKYA20te0kpRQ72/5uc
 jmtA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
d=1e100.net; s=20130820;
h=x-gm-message-state:mime-version:from:to:auto-submitted:subject
 :references:in-reply-to:message-id:date;
bh=WjeafjtzYJ2RaRnVhcw2PgU3Zvui/jV66Ht9W0OJbLM=;
b=mvR3x/M3Ds4rP67zAY1gyV9yfwPtixwMHtIbQL4e/Jn5VIuAwPBN1x33ZGvphGoNdw
 lagND33nszcV2rz35LnZbz72NsI2ASGgEbAUW0wTBoTdp9PbNERjzgm8vV40AweqnzG4
 eenQQ0O3zg9qlSIsSM2x3suQzqiU5JCEmV5ZCV/Wrbs5btACku6A59Uky7oOLpR609Fk
 oG87PnylvYpEycLUSCNLMnUpkLmDhueObZs+FWItUvPHIB3H3D+9YBpxUQ6BO8psYwKU
 ls2lA+gWRg+ZRkuOAXrJX1owoSSADXpW4k03F2+2U1kb0rS1r2GA0kKB4vgpIPZvYdRG
 ORMQ==
X-Gm-Message-State: 
AKaTC034QfOq3WBdEv6iUpx2RvdYOucn1SqwOVqHrUFaQrQW6/0A2H+eS1UfwvPPoDSxVVQkdw8W+ZJO9kAxZDw=
X-Received: by 10.25.219.143 with SMTP id t15mr5434098lfi.28.1480972071494;
Mon, 05 Dec 2016 13:07:51 -0800 (PST)
Received: by 10.194.205.98 with SMTP id lf2am110904wjc.0
 Mon, 05 Dec 2016 13:07:51 -0800 (PST)
X-Received: by 10.194.201.132 with SMTP id ka4mr2063524wjc.13.1480972071392;
Mon, 05 Dec 2016 13:07:51 -0800 (PST)
MIME-Version: 1.0
Return-Path: <>
Received: by 10.194.201.132 with SMTP id ka4mr5518189wjc.13; Mon, 05 Dec 2016
 13:07:51 -0800 (PST)
From: Mail Delivery Subsystem 
To: 
3jtdfwa8kd7mwxgbl.ltebvxmmbztextmb.bmwxgbl.ltebvxmmbmtzt...@calendar-server.bounces.google.com
Auto-Submitted: auto-replied
Subject: Delivery Status Notification (Failure)
References: <047d7bae438e33f86e0542efa...@google.com>
In-Reply-To: <047d7bae438e33f86e0542efa...@google.com>
X-Failed-Recipients: denis.salice...@taga.it
Message-ID: <047d7bae438e3cd57b0542efa...@google.com>
Date: Mon, 05 Dec 2016 21:07:51 +
Content-Type: text/plain; charset=UTF-8

Delivery to the following recipient failed permanently:

 denis.salice...@taga.it

Technical details of permanent failure: 
Google tried to deliver your message, but it was rejected by the server for the 
recipient domain taga.it by aspmx.l.google.com. [2a00:1450:400c:c0b::1b].

The error that the other server returned was:
550-5.7.1 Unauthenticated email from galeati.it is not accepted due to domain's
550-5.7.1 DMARC policy. Please contact the administrator of galeati.it domain
550-5.7.1 if this was a legitimate mail. Please visit
550-5.7.1  https://support.google.com/mail/answer/2451690 to learn about the
550 5.7.1 DMARC initiative. s5si431969wma.51 - gsmtp


----- Original message -----

DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
d=google.com; s=20120113;
h=mime-version:reply-to:sender:auto-submitted:messag

Re: [dmarc-discuss] I need an advice

2016-02-09 Thread Denis Salicetti via dmarc-discuss
Hi Franck,
you were right. After a couple of weeks introducing reject policy, I
noticed a decrease of Threat/Unknown sources and now I get just a few of
those. It worked!

Thank you very much.

*Denis Salicetti* <http://linkedin.salicetti.it/>

Notice of confidentiality <http://goo.gl/zS2xL> | Send me protected messages
<http://goo.gl/LbhIoi>

2016-01-19 23:13 GMT+01:00 Franck Martin :

> If you report for take down the URLs you get from the failure reports...
> Also until you moved to p=reject they would not have noticed a decrease in
> their success rates... Once it is not worth it, they will move to a softer
> target, or use a different method to achieve their goals.
>
> On Mon, Jan 18, 2016 at 3:54 PM, Denis Salicetti via dmarc-discuss <
> dmarc-discuss@dmarc.org> wrote:
>
>> Hi Jacob,
>> thank you for your right consideration about the increase of the
>> deployment and implementation of DMARC reporting, because I think for me it
>> will be useful for a better assessment in future.
>>
>> In this particular moment though, DMARC reporting for my domain is more or
>> less the same as always.
>>
>> Best Regards.
>>
>> *Denis Salicetti* <http://linkedin.salicetti.it/>
>>
>> Notice of confidentiality <http://goo.gl/zS2xL> | Send me protected messages
>> <http://goo.gl/LbhIoi>
>>
>> 2016-01-18 16:46 GMT+01:00 Jacob Evans :
>>
>>> Another thing to consider is the increase of the deployment and
>>> implementation of dmarc reporting, as more SMTP Servers report spf/dkim
>>> failures, those numbers will also increase in the report aggregation.
>>>
>>> My $.02
>>> ~Jake
>>>
>>> Thank You,
>>>
>>> Jacob D. Evans
>>> Cloud Consultant
>>> 717.417.8324
>>> <http://twitter.jacobdevans.com> <http://facebook.jacobdevans.com>
>>> <http://www.jacobdevans.com> <http://linkedin.jacobdevans.com>
>>> 
>>>
>>> --
>>> *From: *"Denis Salicetti via dmarc-discuss" 
>>> *To: *"Matt Simerson" 
>>> *Cc: *"Denis Salicetti via dmarc-discuss" 
>>> *Sent: *Monday, January 18, 2016 10:36:58 AM
>>> *Subject: *Re: [dmarc-discuss] I need an advice
>>>
>>> Hi Matt,
>>> thank you very much for your kind reply.
>>>
>>> Best Regards.
>>>
>>> *Denis Salicetti* <http://linkedin.salicetti.it/>
>>>
>>> Notice of confidentiality <http://goo.gl/zS2xL> | Send me protected messages
>>> <http://goo.gl/LbhIoi>
>>>
>>> 2016-01-17 23:42 GMT+01:00 Matt Simerson :
>>>
>>>> This sounds quite "normal" in my experience.
>>>>
>>>> I started using DMARC for exactly this reason, when one of my domains
>>>> experienced increased spoofing attacks. In the years since, I've witnessed
>>>> this scenario play out in a dozen other domains I manage for my clients. In
>>>> every case, deploying DMARC for their domain with p=reject greatly reduces
>>>> the volume of bounces they receive and the reports reveal the vast majority
>>>> of attacks originating in China and smattering of other IPs from around the
>>>> world. Within weeks after deploying DMARC, the attacks on that domain tail
>>>> off and all but one case I've seen, don't recur.
>>>>
>>>> Matt
>>>>
>>>> PS: My sample size is too small to draw conclusions but it seems that
>>>> shorter domain names are more likely to be abused.
>>>>
>>>> On Jan 17, 2016, at 2:08 PM, Denis Salicetti via dmarc-discuss <
>>>> dmarc-discuss@dmarc.org> wrote:
>>>>
>>>> Hi Guys,
>>>> I have implemented DMARC for long with p=none rule with a minimal and
>>>> sporadic Threat/Unknown sources, but recently I had to increase to
>>>> p=quarantine and then to p=reject because I'm having a lot
>>>> of Threat/Unknown sources (25% rate).
>>>> It seems that lately my domain is under serious attack. I'm pretty sure
>>>> I have zero impact of my legit email flow because each configuration is
>>>> good, therefore every Threat/Unknown source is not legit (most of all from
>>>> China).
>>>>
>>>> Someone more experienced of me can tell me if this rate is usual? Is
>>>> there something more that I can do to minimize it?
>>>>
>>>> Thank yo

Re: [dmarc-discuss] I need an advice

2016-01-18 Thread Denis Salicetti via dmarc-discuss
Hi Jacob,
thank you for your right consideration about the increase of the deployment
and implementation of DMARC reporting, because I think for me it will be
useful for a better assessment in future.

In this particular moment though, DMARC reporting for my domain is more or
less the same as always.

Best Regards.

*Denis Salicetti* <http://linkedin.salicetti.it/>

Notice of confidentiality <http://goo.gl/zS2xL> | Send me protected messages
<http://goo.gl/LbhIoi>

2016-01-18 16:46 GMT+01:00 Jacob Evans :

> Another thing to consider is the increase of the deployment and
> implementation of dmarc reporting, as more SMTP Servers report spf/dkim
> failures, those numbers will also increase in the report aggregation.
>
> My $.02
> ~Jake
>
> Thank You,
>
> Jacob D. Evans
> Cloud Consultant
> 717.417.8324
> <http://twitter.jacobdevans.com> <http://facebook.jacobdevans.com>
> <http://www.jacobdevans.com> <http://linkedin.jacobdevans.com>
> 
>
> ------
> *From: *"Denis Salicetti via dmarc-discuss" 
> *To: *"Matt Simerson" 
> *Cc: *"Denis Salicetti via dmarc-discuss" 
> *Sent: *Monday, January 18, 2016 10:36:58 AM
> *Subject: *Re: [dmarc-discuss] I need an advice
>
> Hi Matt,
> thank you very much for your kind reply.
>
> Best Regards.
>
> *Denis Salicetti* <http://linkedin.salicetti.it/>
>
> Notice of confidentiality <http://goo.gl/zS2xL> | Send me protected messages
> <http://goo.gl/LbhIoi>
>
> 2016-01-17 23:42 GMT+01:00 Matt Simerson :
>
>> This sounds quite "normal" in my experience.
>>
>> I started using DMARC for exactly this reason, when one of my domains
>> experienced increased spoofing attacks. In the years since, I've witnessed
>> this scenario play out in a dozen other domains I manage for my clients. In
>> every case, deploying DMARC for their domain with p=reject greatly reduces
>> the volume of bounces they receive and the reports reveal the vast majority
>> of attacks originating in China and smattering of other IPs from around the
>> world. Within weeks after deploying DMARC, the attacks on that domain tail
>> off and all but one case I've seen, don't recur.
>>
>> Matt
>>
>> PS: My sample size is too small to draw conclusions but it seems that
>> shorter domain names are more likely to be abused.
>>
>> On Jan 17, 2016, at 2:08 PM, Denis Salicetti via dmarc-discuss <
>> dmarc-discuss@dmarc.org> wrote:
>>
>> Hi Guys,
>> I have implemented DMARC for long with p=none rule with a minimal and
>> sporadic Threat/Unknown sources, but recently I had to increase to
>> p=quarantine and then to p=reject because I'm having a lot
>> of Threat/Unknown sources (25% rate).
>> It seems that lately my domain is under serious attack. I'm pretty sure I
>> have zero impact of my legit email flow because each configuration is good,
>> therefore every Threat/Unknown source is not legit (most of all from China).
>>
>> Someone more experienced of me can tell me if this rate is usual? Is
>> there something more that I can do to minimize it?
>>
>> Thank you very much.
>>
>> *Denis Salicetti* <http://linkedin.salicetti.it/>
>>
>> Notice of confidentiality <http://goo.gl/zS2xL> | Send me protected messages
>> <http://goo.gl/LbhIoi>

Re: [dmarc-discuss] I need an advice

2016-01-18 Thread Denis Salicetti via dmarc-discuss
Hi Matt,
thank you very much for your kind reply.

Best Regards.

*Denis Salicetti* <http://linkedin.salicetti.it/>

Notice of confidentiality <http://goo.gl/zS2xL> | Send me protected messages
<http://goo.gl/LbhIoi>

2016-01-17 23:42 GMT+01:00 Matt Simerson :

> This sounds quite "normal" in my experience.
>
> I started using DMARC for exactly this reason, when one of my domains
> experienced increased spoofing attacks. In the years since, I've witnessed
> this scenario play out in a dozen other domains I manage for my clients. In
> every case, deploying DMARC for their domain with p=reject greatly reduces
> the volume of bounces they receive and the reports reveal the vast majority
> of attacks originating in China and smattering of other IPs from around the
> world. Within weeks after deploying DMARC, the attacks on that domain tail
> off and all but one case I've seen, don't recur.
>
> Matt
>
> PS: My sample size is too small to draw conclusions but it seems that
> shorter domain names are more likely to be abused.
>
> On Jan 17, 2016, at 2:08 PM, Denis Salicetti via dmarc-discuss <
> dmarc-discuss@dmarc.org> wrote:
>
> Hi Guys,
> I have implemented DMARC for long with p=none rule with a minimal and
> sporadic Threat/Unknown sources, but recently I had to increase to
> p=quarantine and then to p=reject because I'm having a lot
> of Threat/Unknown sources (25% rate).
> It seems that lately my domain is under serious attack. I'm pretty sure I
> have zero impact of my legit email flow because each configuration is good,
> therefore every Threat/Unknown source is not legit (most of all from China).
>
> Someone more experienced of me can tell me if this rate is usual? Is there
> something more that I can do to minimize it?
>
> Thank you very much.
>
> *Denis Salicetti* <http://linkedin.salicetti.it/>
>
> Notice of confidentiality <http://goo.gl/zS2xL> | Send me protected messages
> <http://goo.gl/LbhIoi>

[dmarc-discuss] I need an advice

2016-01-17 Thread Denis Salicetti via dmarc-discuss
Hi Guys,
I have implemented DMARC for long with p=none rule with a minimal and
sporadic Threat/Unknown sources, but recently I had to increase to
p=quarantine and then to p=reject because I'm having a lot
of Threat/Unknown sources (25% rate).
It seems that lately my domain is under serious attack. I'm pretty sure I
have zero impact of my legit email flow because each configuration is good,
therefore every Threat/Unknown source is not legit (most of all from China).

Someone more experienced of me can tell me if this rate is usual? Is there
something more that I can do to minimize it?

Thank you very much.

*Denis Salicetti* 

Notice of confidentiality | Send me protected messages


Re: [dmarc-discuss] Has Google stopped sending DMARC reports?

2014-09-23 Thread Denis Salicetti via dmarc-discuss
I confirm that all of a sudden I received tons of Google reports!!!

Regards.

*Denis Salicetti* 

Avviso di riservatezza | Notice of confidentiality 
Inviami messaggi protetti | Send me protected messages


2014-09-23 16:31 GMT+02:00 Tim Draegen via dmarc-discuss <
dmarc-discuss@dmarc.org>:

> Just to round this out, all Google data now appears to have been sent:
>
>   https://dmarcian.com/dmarc-status/
>
> =- Tim
>
>
> On Sep 21, 2014, at 9:57 PM, Tim Draegen via dmarc-discuss <
> dmarc-discuss@dmarc.org> wrote:
>
> Hullo!  On Friday we (dmarcian.com) put up a "dmarc-status" page after
> discovering a missing day of Google-based data.  On Friday, Google sent us
> a bunch of data to backfill Thursday.  Since then, we haven't received any
> Google data.
>
> Google has been made aware of the issue.  No ETA, but we expect a whole
> lot of data to arrive all at once.
>
>
>

Re: [dmarc-discuss] Has Google stopped sending DMARC reports?

2014-09-21 Thread Denis Salicetti via dmarc-discuss
Hi Mark,
I think "dmarcian" has something wrong, because I have received two reports
just yesterday from Google, but I didn't see any evidence of those in my
dmarcian account.

Are any "dmarcian" guys listening?

Best Regards.

*Denis Salicetti* 

Avviso di riservatezza | Notice of confidentiality 
Inviami messaggi protetti | Send me protected messages


2014-09-21 18:08 GMT+02:00 Mark Beiley via dmarc-discuss <
dmarc-discuss@dmarc.org>:

> It appears Google hasn't sent out any DMARC reports for the last 3 days.
> See:
>
> https://dmarcian.com/dmarc-status/
>
> Anyone know why?
>
> Thanks,
> Mark
>
>

Re: [dmarc-discuss] SPF record for Google does not work with email notification coming from Google Analytic

2014-07-06 Thread Denis Salicetti via dmarc-discuss
An update about this topic.

I found a workaround after a few hours of brainstorming. Google Analytics
allows delegating a profile to other email accounts. So I delegated all my
profiles to a new Gmail account (u...@gmail.com), so now I receive email
notifications from this new address. Guess what? Obviously Google is
spoofing itself and DMARC fails.

At least my email flow is clean. Incredible!!!

Regards.

Denis Salicetti <http://goo.gl/CkF1b>

Avviso di riservatezza | Notice of confidentiality <http://goo.gl/zS2xL>
Inviami messaggi protetti | Send me protected messages
<http://goo.gl/LbhIoi>



Re: [dmarc-discuss] SPF record for Google does not work with email notification coming from Google Analytic

2014-07-02 Thread Denis Salicetti via dmarc-discuss
As a Google user, it is absolutely inconsistent that Google encourages me
to use DKIM for my Google Apps Domain for preventing spoofing and then does
not use it on its own products. In addition, in Google Analytics it is not
possible to change the address of the sender in the notifications. A real
contradiction! It could at least give an option to use an address
*@google.com. About that, I opened a ticket to Google Analytics Support, but
I'm still waiting for a reply.

Can I use any workaround? What would you do in my shoes?

Are there any Google guys listening on this list?

Regards.

Denis Salicetti <http://goo.gl/CkF1b>

Avviso di riservatezza | Notice of confidentiality <http://goo.gl/zS2xL>
Inviami messaggi protetti | Send me protected messages
<http://goo.gl/LbhIoi>


2014-07-02 17:31 GMT+02:00 Henrik Schack :

> Perhaps the GA team could simply stop spoofing the user's email address,
> use one of their own instead? That would be pretty simple to implement
> BR
> Henrik
>
>
> On Wed, Jul 2, 2014 at 3:58 PM, Tim Draegen via dmarc-discuss <
> dmarc-discuss@dmarc.org> wrote:
>
>> Hi Denis,
>>
>> I don't think there is anything you can do to get the email coming out of
>> Google Analytics to be DKIM signed.  Others have run into this issue and
>> are trying to get Google to fix this on their end.
>>
>> Since you're signing your domain with Google App's DKIM infrastructure,
>> this signing should be extended to Google Analytics.  Again, nothing to do
>> but ask Google to fix!
>>
>> Hope This Helps,
>> =- Tim
>>
>> PS. I run dmarcian.com, so feel free to email any direct questions to
>> t...@dmarcian.com
>>
>> On Jun 25, 2014, at 10:33 AM, Denis Salicetti via dmarc-discuss <
>> dmarc-discuss@dmarc.org> wrote:
>>
>> Hi guys,
>> I need a little help about SPF configuration.
>>
>> According to Google Support, to improve my email flow I've correctly
>> set up on my DNS server:
>>
>> an SPF record "v=spf1 include:servers.mcsv.net include:_spf.google.com
>>  ~all"
>> a DKIM record with my key, generated using Google Apps Dashboard
>> a DMARC record "v=DMARC1; p=none; rua=mailto:dm...@salicetti.it;
>> ruf=mailto:dm...@salicetti.it; rf=afrf; pct=100;"
>>
>> When I receive the daily DMARC report, each email notification coming
>> from Google Analytics is considered a "Threat/Unknown", because I
>> suppose that the sender IPs are not included in _spf.google.com.
>> Please can you guys take a look at the attached PDF file, XML file and
>> corresponding report
>> <https://drive.google.com/uc?export=download&id=0BxYxoJ9Ia_IiN1p3NXI3UGxSSVE>.
>> Unfortunately the IP address changes each time. I've been wondering if there is
>> a unique referral to englobe each of them.
>>
>> Am I doing something wrong?
>>
>> Thank you very much for your help.
>>
>> Regards.
>>
>> Denis Salicetti <http://goo.gl/CkF1b>
>>
>> Avviso di riservatezza | Notice of confidentiality <http://goo.gl/zS2xL>
>> Inviami messaggi protetti | Send me protected messages
>> <http://goo.gl/LbhIoi>
>>
>>   --
>> Tim Draegen  |  Principal   |   Eudaemonic Development, LLC
>> t...@eudev.net   |   tdraegen@{aim,gmail,skype,yahoo}   |   Mobile: (831)
>> 227-8002
>>
>>
>
>
>
> --
> Mvh/Best regards
> Henrik Schack
> ICQ: 889295
> http://henrik.schack.dk/
> http://links.schack.dk/
>

[dmarc-discuss] SPF record for Google does not work with email notification coming from Google Analytic

2014-06-25 Thread Denis Salicetti via dmarc-discuss
Hi guys,
I need a little help about SPF configuration.

According to Google Support, to improve my email flow I've correctly
set up on my DNS server:

an SPF record "v=spf1 include:servers.mcsv.net include:_spf.google.com ~all"
a DKIM record with my key, generated using Google Apps Dashboard
a DMARC record "v=DMARC1; p=none; rua=mailto:dm...@salicetti.it;
ruf=mailto:dm...@salicetti.it; rf=afrf; pct=100;"

When I receive the daily DMARC report, each email notification coming from
Google Analytics is considered a "Threat/Unknown", because I suppose
that the sender IPs are not included in _spf.google.com.
Please can you guys take a look at the attached PDF file, XML file and
corresponding report.
Unfortunately the IP address changes each time. I've been wondering if there is
a unique referral to englobe each of them.

Am I doing something wrong?

Thank you very much for your help.

Regards.

Denis Salicetti 

Avviso di riservatezza | Notice of confidentiality 
Inviami messaggi protetti | Send me protected messages
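
Editor's added example, not part of the original post or any list member's code: a small evaluator that reads a DMARC aggregate report and shows which records fail because no passing SPF or DKIM result is aligned with the From domain. The report XML, the IP addresses and the envelope domain `notify.example.net` are constructed assumptions, and `org_domain` is a simplification of the Public Suffix List lookup.

```python
import xml.etree.ElementTree as ET

# Constructed report in the RFC 7489 aggregate layout. IPs are documentation
# addresses; the envelope domain "notify.example.net" is an assumption.
REPORT = """<feedback>
<policy_published><domain>salicetti.it</domain><p>none</p></policy_published>
<record><row><source_ip>192.0.2.10</source_ip><count>3</count></row>
 <identifiers><header_from>salicetti.it</header_from></identifiers>
 <auth_results>
  <spf><domain>notify.example.net</domain><result>pass</result></spf>
 </auth_results></record>
<record><row><source_ip>192.0.2.20</source_ip><count>12</count></row>
 <identifiers><header_from>salicetti.it</header_from></identifiers>
 <auth_results>
  <dkim><domain>salicetti.it</domain><result>pass</result></dkim>
  <spf><domain>salicetti.it</domain><result>pass</result></spf>
 </auth_results></record>
</feedback>"""

def org_domain(name):
    # Simplification: last two labels. A real evaluator uses the Public Suffix List.
    return ".".join(name.lower().rstrip(".").split(".")[-2:])

def aligned(auth_domain, header_from, mode):
    if mode == "s":  # strict alignment: exact domain match
        return auth_domain.lower() == header_from.lower()
    return org_domain(auth_domain) == org_domain(header_from)  # relaxed (default)

def evaluate(report_xml):
    """Return one dict per record with the DMARC verdict and the reasons."""
    root = ET.fromstring(report_xml)
    pol = root.find("policy_published")
    modes = {"dkim": pol.findtext("adkim") or "r", "spf": pol.findtext("aspf") or "r"}
    rows = []
    for rec in root.iter("record"):
        hfrom = rec.findtext("identifiers/header_from")
        ok, notes = {}, []
        for mech in ("dkim", "spf"):
            results = [(e.findtext("domain"), e.findtext("result"))
                       for e in rec.findall(f"auth_results/{mech}")]
            ok[mech] = any(r == "pass" and aligned(d, hfrom, modes[mech]) for d, r in results)
            notes += [f"{mech} pass for {d} is not aligned with {hfrom}"
                      for d, r in results if r == "pass" and not aligned(d, hfrom, modes[mech])]
            if not results:
                notes.append(f"no {mech} result")
        rows.append({"ip": rec.findtext("row/source_ip"),
                     "dmarc": "pass" if any(ok.values()) else "fail", "notes": notes})
    return rows
```

In the first constructed record SPF passes, but for the envelope domain rather than the From domain, so listing more sending IPs in the From domain's SPF record would not change the DMARC result; only an aligned DKIM signature or an aligned envelope domain would.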
