Re: [dmarc-discuss] dmarc and delegated zones

2015-02-18 Thread Jacob Evans via dmarc-discuss
Eric,
What I would recommend is treating each subdomain so that it functions independently of 
the parent; if you have all the pertinent records, it will not fall back to the 
parent domain.

Using internal IPs for examples, assuming BIND syntax.

example.com. IN  SOA ns1.example.com. dnsadmins.example.com. (
2015021800  ; Serial
10800       ; Refresh
3600        ; Retry
604800      ; Expire
900 )       ; Negative-cache TTL
@   IN  NS  ns1
@   IN  NS  ns2
@   IN  NS  ns3
@   IN  NS  ns4
ns1 IN  A   192.168.0.11
ns2 IN  A   192.168.0.12
ns3 IN  A   192.168.0.13
ns4 IN  A   192.168.0.14

;Servers
@    IN A     192.168.1.10 ;website
www  IN CNAME @            ;website
mail IN A     192.168.1.11 ;mail server
mx   IN A     192.168.1.12 ;mailfilter

;Email Authorization (TXT data containing spaces or semicolons must be quoted)
;DKIM verifiers query <selector>._domainkey.<domain>; see taskapp below for a selector
@          IN TXT "v=spf1 ip4:192.168.1.0/24 -all"
_domainkey IN TXT "v=DKIM1; k=rsa; p=MIGfMA0GCS"
_dmarc     IN TXT "v=DMARC1; p=none; rua=mailto:task_...@example.com; fo=0; adkim=r; aspf=r; sp=none"

;Permit DMARC reports from another domain
task.example.com._report._dmarc IN TXT "v=DMARC1"

$ORIGIN task.example.com.
@          IN A     192.168.2.10 ;website
www        IN CNAME @            ;website
mail       IN A     192.168.2.11 ;mail server
mx         IN A     192.168.2.12 ;mailfilter
taskserver IN A     10.1.10.100  ;special app
taskserver IN AAAA  fd10::1      ;special app dual stack

;Email Authorization
@                  IN TXT "v=spf1 ip4:192.168.2.0/24 ip4:10.1.10.100 ip6:fd10::1 include:example.com -all"
_domainkey         IN TXT "v=DKIM1; k=rsa; p=MIGADKDh12S"
taskapp._domainkey IN TXT "v=DKIM1; k=rsa; p=MZASDDh12S"
_dmarc             IN TXT "v=DMARC1; p=none; rua=mailto:task_...@example.com; fo=0; adkim=r; aspf=r; sp=none"

Does this help? (or hurt)

Thanks,
Jake


___
dmarc-discuss mailing list
dmarc-discuss@dmarc.org
http://www.dmarc.org/mailman/listinfo/dmarc-discuss

NOTE: Participating in this list means you agree to the DMARC Note Well terms 
(http://www.dmarc.org/note_well.html)





Re: [dmarc-discuss] dmarc and delegated zones

2015-02-17 Thread John Levine via dmarc-discuss
If I understand you correctly, even though zones don't matter to how I 
create the records, the zones could be a useful tool for me delegating 
management of the records. If I have one set of records for example.com 
in one organization and another set of exhibit records in New 
Jersey.example.com managed by my organization then I can manage the 
records independent of the parent organization.

If that's the way your name servers are set up, sure.  There's no
general answer about what's easier since it depends on how your DNS
provisioning is set up.

Are there any collisions between the DMARC record configurations in the 
parent domain versus a subdomain that I need to worry about?

There shouldn't be.  The point of using the _dmarc prefix name is that it
shouldn't conflict with anything else.

my interpretation of what I've read leads me to believe I'm better off 
keeping all of the header addresses in the same domain and using a 
reply-to to direct responses to a real human instead of trying to make 
the from: address the human's address.

Again, it depends on how your system is set up.  Assuming you control
the inbound MTAs for your domain, you should be able to route the incoming
replies to the From: addresses wherever you need to.

R's,
John
___
dmarc-discuss mailing list
dmarc-discuss@dmarc.org
http://www.dmarc.org/mailman/listinfo/dmarc-discuss

NOTE: Participating in this list means you agree to the DMARC Note Well terms 
(http://www.dmarc.org/note_well.html)


Re: [dmarc-discuss] dmarc and delegated zones

2015-02-17 Thread Eric S Johansson via dmarc-discuss


On 2/17/2015 1:53 AM, John Levine wrote:

Can a delegated zone have its own DKIM, SPF and DMARC records?

There's no way to answer this question, because DKIM, SPF, and DMARC
have no relationship whatsoever to zone delegations.  They're defined in terms 
of domain names, and zone cuts don't matter.


thank you for the explanation. It explains why I didn't see any 
description of zones together with DKIM in the documentation.




You can put DKIM, SPF, and DMARC records at any domain name.  SPF
looks up whatever domain name is in the envelope bounce address, DKIM
looks up whatever domain name is in the d= field of the DKIM signature,
and DMARC usually looks up the domain in the From: address.

The only exception is there is a hack in DMARC such that if the lookup
for the DMARC record doesn't find anything, it can look for an
organizational domain name, typically using the Mozilla Public
Suffix List.  For example, if the From: address were
sa...@newjersey.example.com and there were no DMARC record at
_dmarc.newjersey.example.com, it could also look for
_dmarc.example.com.  The organizational domain is chosen by counting
dots in the name, not by looking at zone cuts.


I need to go back and re-read the documentation/standard because that 
did not come across in my reading.


If I understand you correctly, even though zones don't matter to how I 
create the records, the zones could be a useful tool for me delegating 
management of the records. If I have one set of records for example.com 
in one organization and another set of exhibit records in New 
Jersey.example.com managed by my organization then I can manage the 
records independent of the parent organization.


Are there any collisions between the DMARC record configurations in the 
parent domain versus a subdomain that I need to worry about?


my interpretation of what I've read leads me to believe I'm better off 
keeping all of the header addresses in the same domain and using a 
reply-to to direct responses to a real human instead of trying to make 
the from: address the human's address.

___
dmarc-discuss mailing list
dmarc-discuss@dmarc.org
http://www.dmarc.org/mailman/listinfo/dmarc-discuss

NOTE: Participating in this list means you agree to the DMARC Note Well terms 
(http://www.dmarc.org/note_well.html)


[dmarc-discuss] dmarc and delegated zones

2015-02-16 Thread Eric S Johansson via dmarc-discuss
I'm trying to figure out how to handle DMARC for two different 
customers. If this is already documented somewhere, please point me to 
the documentation, because I don't think I've seen it so far.


Customer 1 is sending work notices to employees in the field. Customer 2 
is sending automated messages from  different types of monitoring tools 
through a single relay server[1] which will adjust the message headers 
and sign the message.


In both cases, we want to handle email from the servers separately from 
the servers in the parent zone. The parent zone already has DKIM, SPF, 
and DMARC records set up for a different set of servers (corporate and 
third party marketing).


Can a delegated zone have its own DKIM, SPF and DMARC records? Do I need 
to make the from email address be an address within the zone or can it 
be an email address  from the parent zone?


For example, let's say the parent domain is example.com and the zone is 
task.example.com.


Can I set up the DMARC info for the zone something like:

 _dmarc.task TXT "v=DMARC1; p=none; rua=mailto:task_...@example.com; fo=0; adkim=r; aspf=r; sp=none"


I'm assuming the lack of a '.' after the domain name would do the usual 
thing of adding on the parent zone's name. I suspect that the DKIM 
and SPF zone-specific records would look something like:


task._domainkey IN TXT "v=DKIM1; k=rsa; p=MIGfMA0GCS"
@               IN TXT "v=spf1 a:task.example.com -all"

For email headers, I'm assuming that everything would need to be 
@task.example.com with a reply-to: x...@example.com.


how far off base am I?

thanks for guidance.
--- eric

[1] no, it's not an open relay. Addresses are whitelisted and a 
limited number of destinations are permitted. Someday I'll get my client 
to move to full signing everywhere and filtering on the signature.

___
dmarc-discuss mailing list
dmarc-discuss@dmarc.org
http://www.dmarc.org/mailman/listinfo/dmarc-discuss

NOTE: Participating in this list means you agree to the DMARC Note Well terms 
(http://www.dmarc.org/note_well.html)


Re: [dmarc-discuss] dmarc and delegated zones

2015-02-16 Thread John Levine via dmarc-discuss
Can a delegated zone have its own DKIM, SPF and DMARC records?

There's no way to answer this question, because DKIM, SPF, and DMARC
have no relationship whatsoever to zone delegations.  They're defined
in terms of domain names, and zone cuts don't matter.

You can put DKIM, SPF, and DMARC records at any domain name.  SPF
looks up whatever domain name is in the envelope bounce address, DKIM
looks up whatever domain name is in the d= field of the DKIM signature,
and DMARC usually looks up the domain in the From: address.

The only exception is there is a hack in DMARC such that if the lookup
for the DMARC record doesn't find anything, it can look for an
organizational domain name, typically using the Mozilla Public
Suffix List.  For example, if the From: address were
sa...@newjersey.example.com and there were no DMARC record at
_dmarc.newjersey.example.com, it could also look for
_dmarc.example.com.  The organizational domain is chosen by counting
dots in the name, not by looking at zone cuts.

R's,
John

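John's policy-discovery description above (exact _dmarc lookup, then the organizational domain found by counting labels against the Public Suffix List, with the fallback record's sp= covering subdomains) together with the relaxed/strict alignment that the thread's adkim= and aspf= tags select, as an added worked example that is not code from any post on the list. DNS is replaced by a constructed dictionary, the suffix list by a two-entry subset, and the record contents and domain names are assumptions.

```python
# DMARC policy discovery and identifier alignment as the thread describes them.
# Added example, not code from any post on the list; DNS is replaced by a
# constructed dict and the Public Suffix List by a two-entry subset.

ZONE = {  # constructed stand-in for _dmarc TXT lookups
    "_dmarc.example.com": "v=DMARC1; p=reject; sp=none; adkim=r; aspf=r",
    "_dmarc.task.example.com": "v=DMARC1; p=none; adkim=s; aspf=r",
}
PUBLIC_SUFFIXES = {"com", "co.uk"}  # real checks use the full Mozilla PSL

def parse_tags(record):
    """Split 'k=v; k=v' into a dict, tolerating stray spaces."""
    return dict(kv.strip().split("=", 1) for kv in record.split(";") if "=" in kv)

def org_domain(domain):
    """Public suffix plus one label, found by counting labels, not zone cuts."""
    labels = domain.lower().split(".")
    for i in range(len(labels)):
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[max(i - 1, 0):])
    return domain.lower()

def discover_policy(from_domain):
    """Exact _dmarc record first; else the organizational domain's record,
    whose sp= (if present) governs subdomains reached by this fallback."""
    rec = ZONE.get("_dmarc." + from_domain.lower())
    if rec is not None:
        tags = parse_tags(rec)
        return tags, tags.get("p", "none")
    rec = ZONE.get("_dmarc." + org_domain(from_domain))
    if rec is None:
        return None, None
    tags = parse_tags(rec)
    return tags, tags.get("sp", tags.get("p", "none"))

def aligned(auth_domain, from_domain, mode):
    """Strict (s): identical names. Relaxed (r): same organizational domain."""
    a, f = auth_domain.lower(), from_domain.lower()
    return a == f if mode == "s" else org_domain(a) == org_domain(f)

def evaluate(from_domain, spf_domain=None, spf_pass=False, dkim_d=None, dkim_pass=False):
    """Return (dmarc_result, policy_to_apply) for one message's identifiers:
    the From: domain, the SPF-checked domain and the DKIM d= domain."""
    tags, policy = discover_policy(from_domain)
    if tags is None:
        return "none", None  # no record at either name: nothing to enforce
    dkim_ok = bool(dkim_pass and dkim_d and aligned(dkim_d, from_domain, tags.get("adkim", "r")))
    spf_ok = bool(spf_pass and spf_domain and aligned(spf_domain, from_domain, tags.get("aspf", "r")))
    return ("pass" if dkim_ok or spf_ok else "fail"), policy
```

With the constructed records, mail From: task.example.com signed with d=example.com fails because that record asks for strict DKIM alignment, while the same signature aligns for From: newjersey.example.com under the parent's relaxed fallback record.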
___
dmarc-discuss mailing list
dmarc-discuss@dmarc.org
http://www.dmarc.org/mailman/listinfo/dmarc-discuss

NOTE: Participating in this list means you agree to the DMARC Note Well terms 
(http://www.dmarc.org/note_well.html)