Re: [dmarc-discuss] dmarc and delegated zones
Eric,

What I would recommend is treating each subdomain as functioning independently of the parent; if you have all the pertinent records it will not fall back to the parent domain. Using internal IPs for examples, assuming bind syntax.

example.com. IN SOA ns1.example.com. dnsadmins.example.com. (
        2015021800 ; Serial
        10800
        3600
        604800
        900 )
@          IN NS    ns1
@          IN NS    ns2
@          IN NS    ns3
@          IN NS    ns4
ns1        IN A     192.168.0.11
ns2        IN A     192.168.0.12
ns3        IN A     192.168.0.13
ns4        IN A     192.168.0.14
;Servers
@          IN A     192.168.1.10    ; website
www        IN CNAME @               ; website
mail       IN A     192.168.1.11    ; mail server
mx         IN A     192.168.1.12    ; mailfilter
;Email Authorization
@          IN TXT   "v=spf1 ip4:192.168.1.0/24 -all"
_domainkey IN TXT   "v=DKIM1; k=rsa; p=MIGfMA0GCS"
_dmarc     IN TXT   "v=DMARC1; p=none; rua=mailto:task_...@example.com; fo=0; adkim=r; aspf=r; sp=none"
;Permit DMARC reports from another domain
task.example.com._report._dmarc IN TXT "v=DMARC1"

$ORIGIN task.example.com.
@          IN A     192.168.2.10    ; website
www        IN CNAME @               ; website
mail       IN A     192.168.2.11    ; mail server
mx         IN A     192.168.2.12    ; mailfilter
taskserver IN A     10.1.10.100     ; special app
taskserver IN AAAA  fd10::1         ; special app dual stack
;Email Authorization
@          IN TXT   "v=spf1 ip4:192.168.2.0/24 ip4:10.1.10.100 ip6:fd10::1 include:example.com -all"
_domainkey IN TXT   "v=DKIM1; k=rsa; p=MIGADKDh12S"
taskapp._domainkey IN TXT "v=DKIM1; k=rsa; p=MZASDDh12S"
_dmarc     IN TXT   "v=DMARC1; p=none; rua=mailto:task_...@example.com; fo=0; adkim=r; aspf=r; sp=none"

Does this help? (or hurt)

Thanks,
Jake

-----Original Message-----
From: dmarc-discuss [mailto:dmarc-discuss-boun...@dmarc.org] On Behalf Of John Levine via dmarc-discuss
Sent: Tuesday, February 17, 2015 8:30 PM
To: dmarc-discuss@dmarc.org
Subject: Re: [dmarc-discuss] dmarc and delegated zones

>> If I understand you correctly, even though zones don't matter to how I create the records, the zones could be a useful tool for me delegating management of the records.
>> If I have one set of records for example.com in one organization and another set of exhibit records in New Jersey.example.com managed by my organization then I can manage the records independent of the parent organization.
>
> If that's the way your name servers are set up, sure. There's no general answer about what's easier since it depends on how your DNS provisioning is set up.
>
>> Are there any collisions between the DMARC record configurations in the parent domain versus a subdomain that I need to worry about?
>
> There shouldn't be. The point of using the _dmarc prefix name is that it shouldn't conflict with anything else.
>
>> My interpretation of what I've read leads me to believe I'm better off keeping all of the header addresses in the same domain and using a reply-to to direct responses to a real human instead of trying to make the from: address the human's address.
>
> Again, it depends on how your system is set up. Assuming you control the inbound MTAs for your domain, you should be able to route the incoming replies to the From: addresses wherever you need to.
>
> R's,
> John

_______________________________________________
dmarc-discuss mailing list
dmarc-discuss@dmarc.org
http://www.dmarc.org/mailman/listinfo/dmarc-discuss

NOTE: Participating in this list means you agree to the DMARC Note Well terms (http://www.dmarc.org/note_well.html)
Re: [dmarc-discuss] dmarc and delegated zones
> If I understand you correctly, even though zones don't matter to how I create the records, the zones could be a useful tool for me delegating management of the records.
> If I have one set of records for example.com in one organization and another set of exhibit records in New Jersey.example.com managed by my organization then I can manage the records independent of the parent organization.

If that's the way your name servers are set up, sure. There's no general answer about what's easier since it depends on how your DNS provisioning is set up.

> Are there any collisions between the DMARC record configurations in the parent domain versus a subdomain that I need to worry about?

There shouldn't be. The point of using the _dmarc prefix name is that it shouldn't conflict with anything else.

> My interpretation of what I've read leads me to believe I'm better off keeping all of the header addresses in the same domain and using a reply-to to direct responses to a real human instead of trying to make the from: address the human's address.

Again, it depends on how your system is set up. Assuming you control the inbound MTAs for your domain, you should be able to route the incoming replies to the From: addresses wherever you need to.

R's,
John
Re: [dmarc-discuss] dmarc and delegated zones
On 2/17/2015 1:53 AM, John Levine wrote:
>> Can a delegated zone have its own DKIM, SPF and DMARC records?
>
> There's no way to answer this question, because DKIM, SPF, and DMARC have no relationship whatsoever to zone delegations. They're defined in terms of domain names, and zone cuts don't matter.

Thank you for the explanation. It explains why I didn't see any description of zones and DKIM in the documentation.

> You can put DKIM, SPF, and DMARC records at any domain name. SPF looks up whatever domain name is in the envelope bounce address, DKIM looks up whatever domain name is in the d= field of the DKIM signature, and DMARC usually looks up the domain in the From: address.
>
> The only exception is there is a hack in DMARC such that if the lookup for the DMARC record doesn't find anything, it can look for an organizational domain name, typically using the Mozilla Public Suffix List. For example, if the From: address were sa...@newjersey.example.com and there were no DMARC record at _dmarc.newjersey.example.com, it could also look for _dmarc.example.com. The organizational domain is chosen by counting dots in the name, not by looking at zone cuts.

I need to go back and re-read the documentation/standard because that did not come across in my reading.

If I understand you correctly, even though zones don't matter to how I create the records, the zones could be a useful tool for me delegating management of the records. If I have one set of records for example.com in one organization and another set of exhibit records in New Jersey.example.com managed by my organization then I can manage the records independent of the parent organization.

Are there any collisions between the DMARC record configurations in the parent domain versus a subdomain that I need to worry about?

My interpretation of what I've read leads me to believe I'm better off keeping all of the header addresses in the same domain and using a reply-to to direct responses to a real human instead of trying to make the from: address the human's address.
[dmarc-discuss] dmarc and delegated zones
I'm trying to figure out how to handle DMARC for two different customers. If this is already documented somewhere, please point me to the documentation because I don't think I've seen it so far.

Customer 1 is sending work notices to employees in the field. Customer 2 is sending automated messages from different types of monitoring tools through a single relay server[1] which will adjust the message headers and sign the message.

In both cases, we want to handle email from the servers separate from the servers in the parent zone. The parent zone already has DKIM, SPF, and DMARC records set up for a different set of servers (corporate and third party marketing).

Can a delegated zone have its own DKIM, SPF and DMARC records? Do I need to make the from email address be an address within the zone or can it be an email address from the parent zone?

For example, let's say the parent domain is example.com and the zone is task.example.com. Can I set up the dmarc info for the zone something like:

_dmarc.task      TXT  "v=DMARC1; p=none; rua=mailto:task_...@example.com; fo=0; adkim=r; aspf=r; sp=none"

I'm assuming the lack of a '.' after the domain name would do the usual thing of adding on the parent zone's name. I suspect that the dkim and spf zone specific records would look something like:

task._domainkey  IN TXT  "v=DKIM1; k=rsa; p=MIGfMA0GCS"
@                TXT     "v=spf1 a:task.example.com -all"

For email headers, I'm assuming that everything would need to be @task.example.com with a reply-to: x...@example.com.

How far off base am I?

Thanks for guidance.

---
eric

[1] no, it's not an open relay. Addresses are white listed and a limited number of destinations are permitted. Someday I'll get my client to move to full signing everywhere and filtering on the signature.
Re: [dmarc-discuss] dmarc and delegated zones
> Can a delegated zone have its own DKIM, SPF and DMARC records?

There's no way to answer this question, because DKIM, SPF, and DMARC have no relationship whatsoever to zone delegations. They're defined in terms of domain names, and zone cuts don't matter.

You can put DKIM, SPF, and DMARC records at any domain name. SPF looks up whatever domain name is in the envelope bounce address, DKIM looks up whatever domain name is in the d= field of the DKIM signature, and DMARC usually looks up the domain in the From: address.

The only exception is there is a hack in DMARC such that if the lookup for the DMARC record doesn't find anything, it can look for an organizational domain name, typically using the Mozilla Public Suffix List. For example, if the From: address were sa...@newjersey.example.com and there were no DMARC record at _dmarc.newjersey.example.com, it could also look for _dmarc.example.com. The organizational domain is chosen by counting dots in the name, not by looking at zone cuts.

R's,
John
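Added example, not from the thread: a small Python model of the DMARC policy discovery John describes above (exact _dmarc lookup, then one fallback to the organizational domain found by counting labels against a public suffix list), which is also why Jake's subdomain with its own _dmarc record never falls back to the parent. The DNS data, the suffix list and the report address are constructed stand-ins; the record values are modelled on Jake's zone file but with different policies so the fallback is visible.

```python
# Constructed stand-ins: a toy public suffix list (the real PSL has thousands
# of entries) and a TXT table in place of real DNS. task.example.com has its
# own _dmarc record; newjersey.example.com does not and must fall back.
from typing import Optional

PUBLIC_SUFFIXES = {"com", "org", "co.uk"}

DNS_TXT = {
    "_dmarc.example.com":
        "v=DMARC1; p=reject; sp=quarantine; rua=mailto:dmarc@example.com",
    "_dmarc.task.example.com":
        "v=DMARC1; p=none; rua=mailto:dmarc@example.com; fo=0; adkim=r; aspf=r",
}


def organizational_domain(domain: str) -> str:
    """Longest matching public suffix plus one more label (RFC 7489 s3.2)."""
    labels = domain.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[max(i - 1, 0):])
    return domain.lower().rstrip(".")


def parse_dmarc(txt: str) -> Optional[dict]:
    """Split 'tag=value; ...' into a dict; None unless it is a v=DMARC1 record."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags if tags.get("v", "").upper() == "DMARC1" else None


def discover_policy(from_domain: str) -> Optional[dict]:
    """Return the record domain and effective policy for a From: domain."""
    from_domain = from_domain.lower().rstrip(".")
    tags = parse_dmarc(DNS_TXT.get(f"_dmarc.{from_domain}", ""))
    if tags:  # the subdomain publishes its own record: p= applies directly
        return {"record_domain": from_domain, "policy": tags.get("p"), "tags": tags}
    org = organizational_domain(from_domain)
    if org == from_domain:  # already at the org domain and nothing found
        return None
    tags = parse_dmarc(DNS_TXT.get(f"_dmarc.{org}", ""))
    if not tags:
        return None
    # Inherited from the org domain: sp= governs subdomains, defaulting to p=.
    return {"record_domain": org, "policy": tags.get("sp", tags.get("p")), "tags": tags}
```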