Re: [dmarc-discuss] DMARC is not disabled automatically at Office 365 when the MX is different
On 10/3/20 02:15, Ivan Kovachev via dmarc-discuss wrote: How can DMARC validation be turned off or disabled at Office 365 for the above scenario? Hopefully it is obvious that that is a question for Microsoft support, rather than for dmarc-discuss? On your broader question: it is not normal for a service provider that provides MX service to decide to automatically disable protections merely on the basis that the relevant MX record in its DNS cache points somewhere else. Instead, an explicit configuration of something like a trusted relay is usually required. Given Microsoft's customer base, it would not be surprising if 365 had such a feature. (ARC might also help if (a) Barracuda were willing to seal, and (b) Microsoft were willing to trust Barracuda's authentication and sealing process, but these are longer-term approaches.) - Roland ___ dmarc-discuss mailing list dmarc-discuss@dmarc.org http://www.dmarc.org/mailman/listinfo/dmarc-discuss NOTE: Participating in this list means you agree to the DMARC Note Well terms (http://www.dmarc.org/note_well.html)
Re: [dmarc-discuss] DMARC is not disabled automatically at Office 365 when the MX is different
In article you write: >Dumb question time. In that scenario, if mail is forwarded with the >DKIM signature intact, would that be good enough to still pass DMARC? >Or will it fail because SPF now fails? Assuming no gratuitous changes to the message, yes. But I've found a dismaying number of people only using SPF and publishing p=reject anyway. As someone else noted, this is really a bug in the configuration, since the system doing the DMARC evaluation should do it relative to the MX, not some later hop. R's, John -- Regards, John Levine, jo...@taugh.com, Primary Perpetrator of "The Internet for Dummies", Please consider the environment before reading this e-mail. https://jl.ly ___ dmarc-discuss mailing list dmarc-discuss@dmarc.org http://www.dmarc.org/mailman/listinfo/dmarc-discuss NOTE: Participating in this list means you agree to the DMARC Note Well terms (http://www.dmarc.org/note_well.html)
Re: [dmarc-discuss] DMARC is not disabled automatically at Office 365 when the MX is different
Thanks! And a valid point. :) Al On Mon, Mar 9, 2020 at 3:39 PM Kurt Andersen (DMARC) wrote: > > If the signature is not broken, then having DKIM pass is sufficient for a > DMARC pass (per the spec). Whether Exchange evaluates it correctly or not is > a different question :-) > > --Kurt > > On Mon, Mar 9, 2020 at 1:33 PM Al Iverson via dmarc-discuss > wrote: >> >> Dumb question time. In that scenario, if mail is forwarded with the >> DKIM signature intact, would that be good enough to still pass DMARC? >> Or will it fail because SPF now fails? >> >> Al >> >> On Mon, Mar 9, 2020 at 2:25 PM Ivan Kovachev via dmarc-discuss >> wrote: >> > >> > If only I could push them. >> > >> > On Mon, Mar 9, 2020, 18:32 Kurt Andersen wrote: >> >> >> >> This is not a topic for the DMARC protocol discussion list. You should >> >> probably be directing the inquiry to your Exchange support channel - and >> >> pushing Barracuda to implement ARC (RFC8617) too :-) >> >> >> >> Cheers, >> >> Kurt Andersen >> >> >> >> On Mon, Mar 9, 2020 at 11:20 AM Ivan Kovachev via dmarc-discuss >> >> wrote: >> >>> >> >>> Hello, It looks like Office 365 with a gateway in front such as >> >>> Barracuda or another gateway, still does DMARC validation inbound, and >> >>> quarantines any emails that fail DMARC validation. >> >>> >> >>> Should this not be the case since the MX of the receiving domain is that >> >>> of the Barracuda or whatever other gateway is used? >> >>> >> >>> DMARC validation passes at Barracuda, but then Barracuda makes changes >> >>> to the email which invalidates DKIM/DMARC and Office 365 quarantines >> >>> them, even though the email initially passed DMARC and was not >> >>> considered as SPAM at all. >> >>> >> >>> How can DMARC validation be turned off or disabled at Office 365 for the >> >>> above scenario? >> >>> >> >>> >> >>> >> >>> ___ >> >>> dmarc-discuss mailing list >> >>> dmarc-discuss@dmarc.org >> >>> http://www.dmarc.org/mailman/listinfo/dmarc-discuss >> >>> >> >>> NOTE: Participating in this list means you agree to the DMARC Note Well >> >>> terms (http://www.dmarc.org/note_well.html) >> > >> > ___ >> > dmarc-discuss mailing list >> > dmarc-discuss@dmarc.org >> > http://www.dmarc.org/mailman/listinfo/dmarc-discuss >> > >> > NOTE: Participating in this list means you agree to the DMARC Note Well >> > terms (http://www.dmarc.org/note_well.html) >> >> >> >> -- >> al iverson // wombatmail // chicago >> dns tools are cool! https://xnnd.com >> ___ >> dmarc-discuss mailing list >> dmarc-discuss@dmarc.org >> http://www.dmarc.org/mailman/listinfo/dmarc-discuss >> >> NOTE: Participating in this list means you agree to the DMARC Note Well >> terms (http://www.dmarc.org/note_well.html) -- al iverson // wombatmail // chicago dns tools are cool! https://xnnd.com ___ dmarc-discuss mailing list dmarc-discuss@dmarc.org http://www.dmarc.org/mailman/listinfo/dmarc-discuss NOTE: Participating in this list means you agree to the DMARC Note Well terms (http://www.dmarc.org/note_well.html)
Re: [dmarc-discuss] DMARC is not disabled automatically at Office 365 when the MX is different
If the signature is not broken, then having DKIM pass is sufficient for a DMARC pass (per the spec). Whether Exchange evaluates it correctly or not is a different question :-) --Kurt On Mon, Mar 9, 2020 at 1:33 PM Al Iverson via dmarc-discuss < dmarc-discuss@dmarc.org> wrote: > Dumb question time. In that scenario, if mail is forwarded with the > DKIM signature intact, would that be good enough to still pass DMARC? > Or will it fail because SPF now fails? > > Al > > On Mon, Mar 9, 2020 at 2:25 PM Ivan Kovachev via dmarc-discuss > wrote: > > > > If only I could push them. > > > > On Mon, Mar 9, 2020, 18:32 Kurt Andersen wrote: > >> > >> This is not a topic for the DMARC protocol discussion list. You should > probably be directing the inquiry to your Exchange support channel - and > pushing Barracuda to implement ARC (RFC8617) too :-) > >> > >> Cheers, > >> Kurt Andersen > >> > >> On Mon, Mar 9, 2020 at 11:20 AM Ivan Kovachev via dmarc-discuss < > dmarc-discuss@dmarc.org> wrote: > >>> > >>> Hello, It looks like Office 365 with a gateway in front such as > Barracuda or another gateway, still does DMARC validation inbound, and > quarantines any emails that fail DMARC validation. > >>> > >>> Should this not be the case since the MX of the receiving domain is > that of the Barracuda or whatever other gateway is used? > >>> > >>> DMARC validation passes at Barracuda, but then Barracuda makes changes > to the email which invalidates DKIM/DMARC and Office 365 quarantines them, > even though the email initially passed DMARC and was not considered as SPAM > at all. > >>> > >>> How can DMARC validation be turned off or disabled at Office 365 for > the above scenario? > >>> > >>> > >>> > >>> ___ > >>> dmarc-discuss mailing list > >>> dmarc-discuss@dmarc.org > >>> http://www.dmarc.org/mailman/listinfo/dmarc-discuss > >>> > >>> NOTE: Participating in this list means you agree to the DMARC Note > Well terms (http://www.dmarc.org/note_well.html) > > > > ___ > > dmarc-discuss mailing list > > dmarc-discuss@dmarc.org > > http://www.dmarc.org/mailman/listinfo/dmarc-discuss > > > > NOTE: Participating in this list means you agree to the DMARC Note Well > terms (http://www.dmarc.org/note_well.html) > > > > -- > al iverson // wombatmail // chicago > dns tools are cool! https://xnnd.com > ___ > dmarc-discuss mailing list > dmarc-discuss@dmarc.org > http://www.dmarc.org/mailman/listinfo/dmarc-discuss > > NOTE: Participating in this list means you agree to the DMARC Note Well > terms (http://www.dmarc.org/note_well.html) > ___ dmarc-discuss mailing list dmarc-discuss@dmarc.org http://www.dmarc.org/mailman/listinfo/dmarc-discuss NOTE: Participating in this list means you agree to the DMARC Note Well terms (http://www.dmarc.org/note_well.html)
Re: [dmarc-discuss] DMARC is not disabled automatically at Office 365 when the MX is different
On 3/9/2020 1:29 PM, Al Iverson via dmarc-discuss wrote: Dumb question time. In that scenario, if mail is forwarded with the DKIM signature intact, would that be good enough to still pass DMARC? Or will it fail because SPF now fails? DMARC allows either SPF or DKIM success. as long as the validated domain aligns with the rfc5322.From domain. d/ -- Dave Crocker Brandenburg InternetWorking bbiw.net ___ dmarc-discuss mailing list dmarc-discuss@dmarc.org http://www.dmarc.org/mailman/listinfo/dmarc-discuss NOTE: Participating in this list means you agree to the DMARC Note Well terms (http://www.dmarc.org/note_well.html)
Re: [dmarc-discuss] DMARC is not disabled automatically at Office 365 when the MX is different
Dumb question time. In that scenario, if mail is forwarded with the DKIM signature intact, would that be good enough to still pass DMARC? Or will it fail because SPF now fails? Al On Mon, Mar 9, 2020 at 2:25 PM Ivan Kovachev via dmarc-discuss wrote: > > If only I could push them. > > On Mon, Mar 9, 2020, 18:32 Kurt Andersen wrote: >> >> This is not a topic for the DMARC protocol discussion list. You should >> probably be directing the inquiry to your Exchange support channel - and >> pushing Barracuda to implement ARC (RFC8617) too :-) >> >> Cheers, >> Kurt Andersen >> >> On Mon, Mar 9, 2020 at 11:20 AM Ivan Kovachev via dmarc-discuss >> wrote: >>> >>> Hello, It looks like Office 365 with a gateway in front such as Barracuda >>> or another gateway, still does DMARC validation inbound, and quarantines >>> any emails that fail DMARC validation. >>> >>> Should this not be the case since the MX of the receiving domain is that of >>> the Barracuda or whatever other gateway is used? >>> >>> DMARC validation passes at Barracuda, but then Barracuda makes changes to >>> the email which invalidates DKIM/DMARC and Office 365 quarantines them, >>> even though the email initially passed DMARC and was not considered as SPAM >>> at all. >>> >>> How can DMARC validation be turned off or disabled at Office 365 for the >>> above scenario? >>> >>> >>> >>> ___ >>> dmarc-discuss mailing list >>> dmarc-discuss@dmarc.org >>> http://www.dmarc.org/mailman/listinfo/dmarc-discuss >>> >>> NOTE: Participating in this list means you agree to the DMARC Note Well >>> terms (http://www.dmarc.org/note_well.html) > > ___ > dmarc-discuss mailing list > dmarc-discuss@dmarc.org > http://www.dmarc.org/mailman/listinfo/dmarc-discuss > > NOTE: Participating in this list means you agree to the DMARC Note Well terms > (http://www.dmarc.org/note_well.html) -- al iverson // wombatmail // chicago dns tools are cool! https://xnnd.com ___ dmarc-discuss mailing list dmarc-discuss@dmarc.org http://www.dmarc.org/mailman/listinfo/dmarc-discuss NOTE: Participating in this list means you agree to the DMARC Note Well terms (http://www.dmarc.org/note_well.html)
Re: [dmarc-discuss] DMARC is not disabled automatically at Office 365 when the MX is different
If only I could push them. On Mon, Mar 9, 2020, 18:32 Kurt Andersen wrote: > This is not a topic for the DMARC protocol discussion list. You should > probably be directing the inquiry to your Exchange support channel - and > pushing Barracuda to implement ARC (RFC8617) too :-) > > Cheers, > Kurt Andersen > > On Mon, Mar 9, 2020 at 11:20 AM Ivan Kovachev via dmarc-discuss < > dmarc-discuss@dmarc.org> wrote: > >> Hello, It looks like Office 365 with a gateway in front such as Barracuda >> or another gateway, still does DMARC validation inbound, and quarantines >> any emails that fail DMARC validation. >> >> Should this not be the case since the MX of the receiving domain is that >> of the Barracuda or whatever other gateway is used? >> >> DMARC validation passes at Barracuda, but then Barracuda makes changes to >> the email which invalidates DKIM/DMARC and Office 365 quarantines them, >> even though the email initially passed DMARC and was not considered as SPAM >> at all. >> >> How can DMARC validation be turned off or disabled at Office 365 for the >> above scenario? >> >> >> >> ___ >> dmarc-discuss mailing list >> dmarc-discuss@dmarc.org >> http://www.dmarc.org/mailman/listinfo/dmarc-discuss >> >> NOTE: Participating in this list means you agree to the DMARC Note Well >> terms (http://www.dmarc.org/note_well.html) >> > ___ dmarc-discuss mailing list dmarc-discuss@dmarc.org http://www.dmarc.org/mailman/listinfo/dmarc-discuss NOTE: Participating in this list means you agree to the DMARC Note Well terms (http://www.dmarc.org/note_well.html)
