Re: [dmarc-discuss] Fwd: Hotmail forwarding

2017-03-31 Thread Roland Turner via dmarc-discuss
I meant to add: it would be sensible to create a hotmail.com account 
yourself and test the simple case of a freshly-created account. This 
won't tell you everything, but it will tell you whether your setup is 
broken even for simple Microsoft cases.


- Roland



On 31/03/17 16:13, Roland Turner wrote:

Ah yes, idiot taste tasting :-)

I can't pick it on this one; it's spent an astonishing number of hops 
inside Microsoft. I'd hazard a guess that there's some user-specified 
forwarding going on, perhaps between a free account and a corporate 
account, or vice versa, which is leading to breakage. This would 
explain reassessing SPF when the message was forwarded from one 
Microsoft address (40.92.65.94) to another. It doesn't otherwise make 
much sense, but configurations take time to optimise in large 
environments of course.


I do note two gems:

  * Test mode DKIM: "dkim=fail (*testing mode*; identity alignment
    result is pass and alignment mode is relaxed)
    header.d=groups.ilovefreegle.org" and in the DNS
    "x._domainkey.groups.ilovefreegle.org. 3599 IN TXT "v=DKIM1;
    *t=y*; k=rsa; p=MHwwDQYJKoZ...". I'd be getting rid of t=y.
  * Short DKIM key: "dkim=ignore (*ignored public key size*)
    header.d=groups.ilovefreegle.org;hotmail.com". You're using a 1024
    bit key, Microsoft is using a 2048 bit key. I've stopped paying
    close attention, but perhaps they've decided that 1024 bits
    doesn't cut it. I'd consider switching to 2048 bit.

- Roland



On 31/03/17 15:35, Edward Hibbert via dmarc-discuss wrote:
On Mon, Mar 27, 2017 at 7:20 PM, Steve Atkins wrote:

> On Mar 27, 2017, at 11:19 AM, Edward Hibbert wrote:
>
> -- Original Message --
> From: "Steve Atkins via dmarc-discuss"
> To: "dmarc-discuss"
> Sent: 27/03/2017 18:53:59
> Subject: Re: [dmarc-discuss] Hotmail forwarding
>
>> You're DKIM signing a message with a selector/d= pair for
>> which there's no public key published in DNS. That seems like a
>> mistake, and means your mail isn't DKIM signed.
>>
>> If SPF fails due to forwarding (which it usually will, that's
>> what SPF does) and your mail isn't DKIM signed, that'll trigger
>> DMARC action.
> I think you're right, and I'm an idiot who can't use the
> interface to my DNS.  I'll put the DNS record in correctly.

:)

There's an online checker at
http://tools.wordtothewise.com/authentication if you want to
check that it's published correctly once you're done.


Well, I corrected it yesterday, and checked it using
http://dkimvalidator.com/, but I'm still
getting NDRs (example below).  I would be grateful for any indication
of what flavour of idiot I am currently being.


Edward



Delivered-To: edw...@ehibbert.org.uk
Received: by 10.129.159.149 with SMTP id w143csp1699298ywg; Tue, 28 Mar 2017
 05:16:54 -0700 (PDT)
X-Received: by 10.129.154.201 with SMTP id
 r192mr22023444ywg.324.1490703414422; Tue, 28 Mar 2017 05:16:54 -0700 (PDT)
Return-Path:
Received: from mail-yw0-x247.google.com (mail-yw0-x247.google.com.
 [2607:f8b0:4002:c05::247]) by mx.google.com with ESMTPS id
 d72si1304661ywh.114.2017.03.28.05.16.53 for
 (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Tue, 28 Mar
 2017 05:16:53 -0700 (PDT)
Received-SPF: pass (google.com: domain of
 dist-list-geeks+bncbd4pj45lrqhrbnni5hdakgqebbss...@ilovefreegle.org
 designates 2607:f8b0:4002:c05::247 as permitted sender)
 client-ip=2607:f8b0:4002:c05::247;
Authentication-Results: mx.google.com; dkim=pass
 header.i=@ilovefreegle-org.20150623.gappssmtp.com; spf=pass (google.com:
 domain of dist-list-geeks+bncbd4pj45lrqhrbnni5hdakgqebbss...@ilovefreegle.org
 designates 2607:f8b0:4002:c05::247 as permitted sender)
 smtp.mailfrom=dist-list-geeks+bncbd4pj45lrqhrbnni5hdakgqebbss...@ilovefreegle.org
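
The two findings in Roland's reply above (the `t=y` testing flag and the short RSA key) can be read straight off the published DKIM key record. The following is an added example, not part of the original thread: the function names, the 2048-bit default threshold and the sample records (a DER-valid layout with a filler modulus, not a real key) are assumptions.

```python
import base64

def parse_tags(txt):
    """Split a DKIM key record (tag=value list, RFC 6376) into a dict."""
    pairs = (part.split("=", 1) for part in txt.split(";") if "=" in part)
    return {k.strip(): "".join(v.split()) for k, v in pairs}

def read_tlv(buf, pos):
    """Read one DER element at pos; return (value_start, value_end)."""
    length, pos = buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: next n bytes hold the length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return pos, pos + length

def rsa_bits(p_b64):
    """Modulus size in bits of a base64 SubjectPublicKeyInfo RSA key."""
    der_bytes = base64.b64decode(p_b64)
    spki, _ = read_tlv(der_bytes, 0)          # outer SEQUENCE
    _, alg_end = read_tlv(der_bytes, spki)    # AlgorithmIdentifier
    bitstr, _ = read_tlv(der_bytes, alg_end)  # BIT STRING
    key, _ = read_tlv(der_bytes, bitstr + 1)  # skip unused-bits byte -> RSAPublicKey
    start, end = read_tlv(der_bytes, key)     # INTEGER modulus
    return int.from_bytes(der_bytes[start:end], "big").bit_length()

def audit(txt, min_bits=2048):                # min_bits: assumed local policy
    tags, findings = parse_tags(txt), []
    if "y" in tags.get("t", "").split(":"):
        findings.append("t=y: testing mode")
    if not tags.get("p"):
        findings.append("p= empty: key revoked")
    elif tags.get("k", "rsa") == "rsa" and rsa_bits(tags["p"]) < min_bits:
        findings.append(f"rsa key {rsa_bits(tags['p'])} bits < {min_bits}")
    return findings

def der(tag, body):
    """Minimal DER encoder, used only to build the constructed sample key."""
    n = len(body)
    size = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag]) + (bytes([n]) if n < 128 else bytes([0x80 | len(size)]) + size) + body

def sample_record(bits, flags=""):
    """Constructed record: DER-valid layout, filler modulus, not a usable key."""
    rsa = der(0x30, der(0x02, b"\x00" + b"\xc1" * (bits // 8)) + der(0x02, b"\x01\x00\x01"))
    alg = der(0x30, bytes.fromhex("06092a864886f70d0101010500"))  # rsaEncryption, NULL
    spki = der(0x30, alg + der(0x03, b"\x00" + rsa))
    return f"v=DKIM1; {flags}k=rsa; p={base64.b64encode(spki).decode()}"

if __name__ == "__main__":
    print(audit(sample_record(1024, "t=y; ")))
    print(audit(sample_record(2048)))
```

To check a live record, pass `audit()` the TXT string returned for the selector, with any quoted chunks already concatenated.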

[dmarc-discuss] Fwd: Hotmail forwarding

2017-03-31 Thread Edward Hibbert via dmarc-discuss
On Mon, Mar 27, 2017 at 7:20 PM, Steve Atkins wrote:

>
> > On Mar 27, 2017, at 11:19 AM, Edward Hibbert wrote:
> >
> >
> >
> > -- Original Message --
> > From: "Steve Atkins via dmarc-discuss"
> > To: "dmarc-discuss"
> > Sent: 27/03/2017 18:53:59
> > Subject: Re: [dmarc-discuss] Hotmail forwarding
> >
> >>
> >> You're DKIM signing a message with a selector/d= pair for which there's
> >> no public key published in DNS. That seems like a mistake, and means your
> >> mail isn't DKIM signed.
> >>
> >> If SPF fails due to forwarding (which it usually will, that's what SPF
> >> does) and your mail isn't DKIM signed, that'll trigger DMARC action.
> > I think you're right, and I'm an idiot who can't use the interface to my
> > DNS.  I'll put the DNS record in correctly.
>
> :)
>
> There's an online checker at http://tools.wordtothewise.com/authentication
> if you want to check that it's published correctly once you're done.
>

Well, I corrected it yesterday, and checked it using
http://dkimvalidator.com/, but I'm still getting NDRs (example below).  I
would be grateful for any indication of what flavour of idiot I am currently
being.

Edward



Delivered-To: edw...@ehibbert.org.uk
Received: by 10.129.159.149 with SMTP id w143csp1699298ywg; Tue, 28 Mar 2017
 05:16:54 -0700 (PDT)
X-Received: by 10.129.154.201 with SMTP id
 r192mr22023444ywg.324.1490703414422; Tue, 28 Mar 2017 05:16:54 -0700 (PDT)
Return-Path: 
Received: from mail-yw0-x247.google.com (mail-yw0-x247.google.com.
 [2607:f8b0:4002:c05::247]) by mx.google.com with ESMTPS id
 d72si1304661ywh.114.2017.03.28.05.16.53 for 
 (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Tue, 28 Mar
 2017 05:16:53 -0700 (PDT)
Received-SPF: pass (google.com: domain of
 dist-list-geeks+bncbd4pj45lrqhrbnni5hdakgqebbss...@ilovefreegle.org
 designates 2607:f8b0:4002:c05::247 as permitted sender)
 client-ip=2607:f8b0:4002:c05::247;
Authentication-Results: mx.google.com; dkim=pass
 header.i=@ilovefreegle-org.20150623.gappssmtp.com; spf=pass (google.com:
 domain of dist-list-geeks+bncbd4pj45lrqhrbnni5hdakgqebbss...@ilovefreegle.org
 designates 2607:f8b0:4002:c05::247 as permitted sender)
 smtp.mailfrom=dist-list-geeks+bncBD4PJ45LRQHRBNNI5HDAKGQEBBSs...@ilovefreegle.org;
 dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=hotmail.com
Received: by mail-yw0-x247.google.com with SMTP id c66sf89300701ywd.23 for
 ; Tue, 28 Mar 2017 05:16:53 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
 d=ilovefreegle-org.20150623.gappssmtp.com; s=20150623;
 h=delivered-to:date:from:subject:to:mime-version:message-id
 :x-original-sender:x-original-authentication-results:precedence
 :mailing-list:list-id:x-spam-checked-in-group:list-help;
 bh=0B5woYJe+/XDYBYI+9CP9aIjBjkb3ItOET585wIN4EE=;
 b=guive/L13ylfpHgIuBURAN7f3bh8ExCrqTF0r3fyI5lzYIBlV6WNHvuWhVpzKBx6BJ
 u8I2c1VNTsVEt76bKpSsz+Wh8nXHQpJrAgtJyHnmujXOZKwSlawSlA7gn9M77zB0MIRh
 7U1yrO6zej0kAFIYgtS0bu8mXesVts8eJkLa4AGJFTw/Ez3F7UP0fzDFT5NzO0EBfekr
 xVa+tsI1/cdNAbA/HCm36l6YOP8tq44TBO6jAZr5XfbZ+ozO1cqGphkwXMzi4YG0p9H5
 1oQvqkr2Eojfpta8Zb1HWGNCbPvj7rvNdjykjAmbr/LkZwIYrCFnr3nKj95IOxcm7AXo Y0MA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net;
 s=20161025;
 h=x-gm-message-state:delivered-to:date:from:subject:to:mime-version
 :message-id:x-original-sender:x-original-authentication-results
 :precedence:mailing-list:list-id:x-spam-checked-in-group:list-help;
 bh=0B5woYJe+/XDYBYI+9CP9aIjBjkb3ItOET585wIN4EE=;
 b=eAF84YicfkMW0Nh6gijn6k387iLRPxkIsMHbOopND+/13PFlJnJcP1XSUFPZvMNEBy
 Nvz89+m0nW3sGEwuAEm3NZ25Fa3KeCa/isAa1B2abz3GhHlVDJKnEkv/X07j6eOhjslk
 N4T0D6CXKaZ9AxFVB+iipVBzSdsh3vZR8BHoXQYL6xT5qmURALNo2lK6Vntqr5Iu2xZ8
 9XaFby58FZILif4kSVMn2s/qy/2535TJCYGanjwxwz98WXs53XyPoj1PR5+iIqUNOnTS
 6CBGK5+OhZWOlRk9T2dHoHwLkrP0rbsQJRPahdSTK9VnCkwgk/riSINLlZ6Z2ZRaijgn DJaA==
X-Gm-Message-State: AFeK/H0/J/90Kp6miLhLdQE6qEOp1roh8dkMsLJ1AAV2vUoOb/
h5R9kdIQKV8gjw0LFp7A==
X-Received: by 10.13.196.196 with SMTP id g187mr9524542ywd.79.1490703413255;
 Tue, 28 Mar 2017 05:16:53 -0700 (PDT)
X-BeenThere: dist-list-ge...@ilovefreegle.org
Received: by 10.157.0.36 with SMTP id 33ls11949420ota.46.gmail; Tue, 28 Mar
 2017 05:16:53 -0700 (PDT)
X-Received: by 10.55.162.203 with SMTP id l194mr23039843qke.221.1490703412635;
 Tue, 28 Mar 2017 05:16:52 -0700 (PDT)
Received: from mail-qt0-f171.google.com (mail-qt0-f171.google.com.
 [209.85.216.171]) by mx.google.com with ESMTPS id
 p132si3288347qka.200.2017.03.28.05.16.52 for
  (version=TLS1_2
 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Tue, 28 Mar 2017 05:16:52
 -0700 (PDT)
Received-SPF: pass (google.com: domain of
 geeks+caf_=dist-list-geeks=ilovefreegle@ilovefreegle.org designates
 209.85.216.171 as permitted sender)