Re: [dmarc-discuss] dmarc Newbie

2019-05-12 Thread Roland Turner via dmarc-discuss

Hello,

The problem that DMARC solves over the SPF -all and ADSP discardable 
mechanisms is that it allows you to see where authentication failures 
are coming from (which IP addresses) so you can fix errors/oversights 
before you disrupt legitimate email flow. The recommended action is 
therefore to review the failures and ensure that they aren't:


 * your own flows, with SPF/DKIM misconfiguration; or
 * third-party flows sent legitimately on your organisation's behalf
   (outsourced marketing functions, transactional systems, ...) but
   without appropriate authentication (generally DKIM with a different
   selector(-pair))

before you turn on p=reject.

- Roland





On 13/5/19 2:44 am, MyKonfidi Solar wrote:

Hey

Request you to suggest what exactly we are supposed to watch in the
dmarc reports.  I had been getting all these xml files, earlier, later
I tuned to https://dmarcanalyzer.com,
and now to https://mxtoolbox.com. Nowhere am I
given to understand the action statement.


regards
Chetan Agrawal
India

On Fri, 10 May 2019 at 07:32, Roland Turner via dmarc-discuss
<dmarc-discuss@dmarc.org> wrote:


Hi Andrew,

The first question is what you're seeing in the aggregate feedback
reports (Dmarcian, Agari, etc. provide the means to do this).
These should be watched for a period of time (I'd suggest weeks)
to ensure that all is well before you turn on p=reject. The most
important new capability that DMARC provides over previous
approaches is this ability to see what's happening in receiving
environments and to correct errors in your configuration (or your
understanding of how your domain is used) before you adopt a
stricter policy.

- Roland


On 10/5/19 1:55 am, Wojtowicz, Andrew via dmarc-discuss wrote:


I’m a newbie with dmarc.  I’ve been playing around with some
generators and I thought I had it setup right but found out today
one of my staff members sent out a notification email, that uses
blackboard, and it didn’t go to all gmail and yahoo users.

Saw this message in log..

SMTP error from remote mail server after pipelined end of data:
550-5.7.1 Unauthenticated email from /(My domain)/ is not
accepted due to\n550-5.7.1 domain's DMARC policy. Please contact
the administrator of\n550-5.7.1 /(My Domain)/ domain if this was
a legitimate mail. Please visit\n550-5.7.1
https://support.google.com/mail/answer/2451690
 to learn about
the\n550 5.7.1 DMARC initiative. z37si617489qvc.90 - gsmtp

Where can I get some help on setting up the correct dmarc dns
setting?

Thank you

Andrew Wojtowicz

Network Engineer

Tenafly Public Schools

500 Tenafly Rd

Tenafly, NJ 07670

Work - (201) 816-4555

Cell – (201) 563-9661

Email - awojtow...@tenafly.k12.nj.us




/NOTICE: This email message, including any attachment(s), is for
the sole use of the intended recipient and may contain
confidential and privileged information. Any unauthorized review,
use, disclosure or distribution is prohibited. If you are not the
intended recipient, please contact the sender by reply email and
destroy all copies of the original message. /

___
dmarc-discuss mailing list
dmarc-discuss@dmarc.org  
http://www.dmarc.org/mailman/listinfo/dmarc-discuss

NOTE: Participating in this list means you agree to the DMARC Note Well 
terms (http://www.dmarc.org/note_well.html)
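
What "watching the reports" comes down to, as an added example (not code from anyone on the list): a Python sketch that reads one aggregate report and lists the source IPs whose mail failed both aligned checks. The report below is constructed in the RFC 7489 layout, with made-up domains, addresses and counts.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict

# Constructed sample report (illustrative values only). Reports come from
# third parties: in production parse them with a hardened XML parser such
# as defusedxml rather than the plain standard-library one.
SAMPLE_REPORT = """<?xml version="1.0"?>
<feedback>
  <report_metadata><org_name>receiver.example</org_name></report_metadata>
  <policy_published><domain>example.org</domain><p>none</p></policy_published>
  <record>
    <row><source_ip>192.0.2.10</source_ip><count>120</count>
      <policy_evaluated><disposition>none</disposition>
        <dkim>pass</dkim><spf>pass</spf></policy_evaluated></row>
    <identifiers><header_from>example.org</header_from></identifiers>
    <auth_results>
      <dkim><domain>example.org</domain><result>pass</result></dkim>
      <spf><domain>example.org</domain><result>pass</result></spf>
    </auth_results>
  </record>
  <record>
    <row><source_ip>198.51.100.25</source_ip><count>40</count>
      <policy_evaluated><disposition>none</disposition>
        <dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><header_from>example.org</header_from></identifiers>
    <auth_results>
      <spf><domain>notify.vendor.example</domain><result>pass</result></spf>
    </auth_results>
  </record>
</feedback>"""


def failing_sources(report_xml):
    """Return {source_ip: summary} for rows that failed DMARC.

    policy_evaluated holds the aligned results; a row fails DMARC only
    when both dkim and spf there are "fail" (one aligned pass is enough).
    """
    root = ET.fromstring(report_xml)
    out = defaultdict(lambda: {"messages": 0, "header_from": set(), "auth": set()})
    for rec in root.iter("record"):
        ev = rec.find("row/policy_evaluated")
        if ev is None or "pass" in (ev.findtext("dkim"), ev.findtext("spf")):
            continue
        entry = out[rec.findtext("row/source_ip")]
        entry["messages"] += int(rec.findtext("row/count"))
        entry["header_from"].add(rec.findtext("identifiers/header_from"))
        # Raw (unaligned) results show what the sender did authenticate as.
        for kind in ("dkim", "spf"):
            for res in rec.findall(f"auth_results/{kind}"):
                entry["auth"].add((kind, res.findtext("domain"), res.findtext("result")))
    return dict(out)


if __name__ == "__main__":
    for ip, info in failing_sources(SAMPLE_REPORT).items():
        print(ip, info["messages"], sorted(info["header_from"]), sorted(info["auth"]))
```

A failing source that shows a raw SPF pass for some other domain, as the second record does, is mail that authenticated as the sending service rather than as the domain in the From: header.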




Re: [dmarc-discuss] dmarc Newbie

2019-05-10 Thread Paul Smith via dmarc-discuss

On 10/05/2019 02:57, Roland Turner via dmarc-discuss wrote:

Hi Andrew,

The first question is what you're seeing in the aggregate feedback 
reports (Dmarcian, Agari, etc. provide the means to do this). These 
should be watched for a period of time (I'd suggest weeks) to ensure 
that all is well before you turn on p=reject.


Also, make sure that every 'type' of email you send is sent and checked 
from the reports as well.


I had to help someone recently who thought it was all OK, but they'd not 
checked their occasional newsletter mailing list, which was failing 
DMARC due to them not setting up their mailing list service provider 
account properly. They hadn't noticed because they hadn't sent a 
newsletter during the 'analysis' period.



--


Paul Smith Computer Services
Tel: 01484 855800
Vat No: GB 685 6987 53

Sign up for news & updates at http://www.pscs.co.uk/go/subscribe


Re: [dmarc-discuss] dmarc Newbie

2019-05-09 Thread Roland Turner via dmarc-discuss

Hi Andrew,

The first question is what you're seeing in the aggregate feedback 
reports (Dmarcian, Agari, etc. provide the means to do this). These 
should be watched for a period of time (I'd suggest weeks) to ensure 
that all is well before you turn on p=reject. The most important new 
capability that DMARC provides over previous approaches is this ability 
to see what's happening in receiving environments and to correct errors 
in your configuration (or your understanding of how your domain is used) 
before you adopt a stricter policy.


- Roland


On 10/5/19 1:55 am, Wojtowicz, Andrew via dmarc-discuss wrote:


I’m a newbie with dmarc.  I’ve been playing around with some 
generators and I thought I had it setup right but found out today one 
of my staff members sent out a notification email, that uses
blackboard, and it didn’t go to all gmail and yahoo users.


Saw this message in log..

SMTP error from remote mail server after pipelined end of data: 
550-5.7.1 Unauthenticated email from /(My domain)/ is not accepted due 
to\n550-5.7.1 domain's DMARC policy. Please contact the administrator 
of\n550-5.7.1 /(My Domain)/ domain if this was a legitimate mail. 
Please visit\n550-5.7.1 https://support.google.com/mail/answer/2451690 
 to learn about 
the\n550 5.7.1 DMARC initiative. z37si617489qvc.90 - gsmtp


Where can I get some help on setting up the correct dmarc dns setting?

Thank you

Andrew Wojtowicz

Network Engineer

Tenafly Public Schools

500 Tenafly Rd

Tenafly, NJ 07670

Work - (201) 816-4555

Cell – (201) 563-9661

Email - awojtow...@tenafly.k12.nj.us 


Re: [dmarc-discuss] dmarc Newbie

2019-05-09 Thread lists--- via dmarc-discuss
I think your spf record include is wrong. You have
include:spf.bbnotify.net, but it should be include:_spf.bbnotify.net.
Note the underscore. 

On 2019-05-09 12:55 pm, Wojtowicz, Andrew via dmarc-discuss wrote:

> I'm a newbie with dmarc.  I've been playing around with some generators and I 
> thought I had it setup right but found out today one of my staff members sent 
> out a notification email, that uses blackboard, and it didn't go to all
> gmail and yahoo users.  
> 
> Saw this message in log.. 
> 
> SMTP error from remote mail server after pipelined end of data: 550-5.7.1 
> Unauthenticated email from _(My domain)_ is not accepted due to\n550-5.7.1 
> domain's DMARC policy. Please contact the administrator of\n550-5.7.1 _(My 
> Domain)_ domain if this was a legitimate mail. Please visit\n550-5.7.1 
> https://support.google.com/mail/answer/2451690 [1] to learn about the\n550 
> 5.7.1 DMARC initiative. z37si617489qvc.90 - gsmtp 
> 
> Where can I get some help on setting up the correct dmarc dns setting? 
> 
> Thank you 
> 
> Andrew Wojtowicz 
> 
> Network Engineer 
> 
> Tenafly Public Schools 
> 
> 500 Tenafly Rd 
> 
> Tenafly, NJ 07670 
> 
> Work - (201) 816-4555 
> 
> Cell - (201) 563-9661 
> 
> Email - awojtow...@tenafly.k12.nj.us 
> 
 

Links:
--
[1] https://support.google.com/mail/answer/2451690

Re: [dmarc-discuss] dmarc Newbie

2019-05-09 Thread lists--- via dmarc-discuss
You can use this site to validate your dmarc record:
https://dmarcian.com/dmarc-inspector/ 

It sounds like your dmarc record may be fine, but the notification email
failed the SPF and DKIM checks because it was sent by a third party
service.  

Is this the  Blackboard you're referring to? 
https://help.blackboard.com/Community_Engagement/Administrator/Best_Practices/Messages_with_Mass_Notification/Best_Practices_Optimize_Email_Delivery


On 2019-05-09 12:55 pm, Wojtowicz, Andrew via dmarc-discuss wrote:

> I'm a newbie with dmarc.  I've been playing around with some generators and I 
> thought I had it setup right but found out today one of my staff members sent 
> out a notification email, that uses blackboard, and it didn't go to all
> gmail and yahoo users.  
> 
> Saw this message in log.. 
> 
> SMTP error from remote mail server after pipelined end of data: 550-5.7.1 
> Unauthenticated email from _(My domain)_ is not accepted due to\n550-5.7.1 
> domain's DMARC policy. Please contact the administrator of\n550-5.7.1 _(My 
> Domain)_ domain if this was a legitimate mail. Please visit\n550-5.7.1 
> https://support.google.com/mail/answer/2451690 [1] to learn about the\n550 
> 5.7.1 DMARC initiative. z37si617489qvc.90 - gsmtp 
> 
> Where can I get some help on setting up the correct dmarc dns setting? 
> 
> Thank you 
> 
> Andrew Wojtowicz 
> 
> Network Engineer 
> 
> Tenafly Public Schools 
> 
> 500 Tenafly Rd 
> 
> Tenafly, NJ 07670 
> 
> Work - (201) 816-4555 
> 
> Cell - (201) 563-9661 
> 
> Email - awojtow...@tenafly.k12.nj.us 
> 
 

Links:
--
[1] https://support.google.com/mail/answer/2451690

Re: [dmarc-discuss] dmarc Newbie

2019-05-09 Thread Steven M Jones via dmarc-discuss
On 5/9/19 10:55 AM, Wojtowicz, Andrew via dmarc-discuss wrote:
>
> I’m a newbie with dmarc.  I’ve been playing around with some
> generators and I thought I had it setup right but found out today one
> of my staff members sent out a notification email, that uses
> blackboard, and it didn’t go to all gmail and yahoo users. 
>

I'm guessing Blackboard is an application or service that may sometimes
send email on the user's behalf, and that they are using addresses in
your domain when sending from their servers. That's a known problem, you
might want to check the FAQ
(https://dmarc.org/wiki/FAQ#My_organization_uses_third-parties_senders.2C_how_can_I_get_them_DMARC_compliant.3F).

Did you have your DMARC policy set to "p=reject" at first? One should
generally start with "p=none" and check the reports to see who's sending
email that uses your domain in the From: address. It looks like you have
a "p=none" policy now - if we're talking about our Tenafly domain...

It looks like you may be working with Agari, based on that DMARC record.
But if you're still looking for a company to help you navigate the
implementation process, you could take a look at the services listed on
the DMARC.org website: https://dmarc.org/resources/products-and-services/

--S.



Re: [dmarc-discuss] DMARC newbie, seems to work, so why this report?

2018-05-18 Thread Roland Turner via dmarc-discuss

Gerben,

Note that the HELO string is only ever processed for DMARC if MAIL FROM 
is <> and, even then, not all implementations process it at all (it's 
dependent upon the behaviour of the underlying SPF implementation).


The  tag is telling you that the return path is 
{something}@mail.mydomain.tld [1]


dumbledore.mydomain.tld tells you that the 
From: header contains {something}@dumbledore.mydomain.tld, not the HELO 
string or MAIL FROM domain.


Generally this means that the program that generated the message used 
this domain and your MTA simply passed it through.


- Roland

1: or the return path is <> and the HELO string is mail.mydomain.tld, 
and Yahoo!'s SPF implementation reports that to DMARC




On 18/05/18 21:39, Gerben Wierda via dmarc-discuss wrote:
I’m setting up DMARC for my mail server. I tried sending a mail to an 
account on the icloud.com  domain (which reports 
DMARC) and there I see:


Received-Spf: pass (mr21p00im-spfmilter004.me.com 
: domain of myn...@mydomain.tld 
 designates XXX.XXX.XXX.XXX as permitted 
sender) receiver=mr21p00im-spfmilter004.me.com 
; client-ip=XXX.XXX.XXX.XXX; 
helo=mail.mydomain.tld; envelope-from=myn...@mydomain.tld 


X-Dmarc-Info: pass=pass; dmarc-policy=none; s=r1; d=r0
X-Dmarc-Policy: 
v=DMARC1;p=none;sp=quarantine;pct=100;rua=mailto:dm...@mydomain.tld,mailto:re+vghcolsq...@dmarc.postmarkapp.com
Received: from mr11p00im-smtpin012.mac.com 
 ([17.110.69.200]) by 
ms20524.mac.com  (Oracle Communications 
Messaging Server 8.0.1.3.20170906 64bit (built Sep  6 2017)) with 
ESMTP id <0p8x00kcde2dm...@ms20524.mac.com 
> for myn...@icloud.com 
; Fri, 18 May 2018 13:13:25 + (GMT)
Received: from mail.mydomain.tld (mail.mydomain.tld [XXX.XXX.XXX.XXX]) 
by mr11p00im-smtpin012.me.com  
(Oracle Communications Messaging Server 8.0.1.2.20170607 64bit (built 
Jun  7 2017)) with ESMTPS id 
<0p8x00h3ve2al...@mr11p00im-smtpin012.me.com 
> for 
myn...@icloud.com  (ORCPT myn...@icloud.com 
); Fri, 18 May 2018 13:13:24 + (GMT)
Received: from localhost (localhost [127.0.0.1])by mail.mydomain.tld 
(Postfix) with ESMTP id 57F0B261CB53for >; Fri, 18 May 2018 15:13:21 +0200 (CEST)
Received: from mail.mydomain.tld ([127.0.0.1]) by localhost 
(dumbledore.mydomain.tld [127.0.0.1]) (amavisd-new, port 10024) with 
ESMTP id b6L6g5ttGPiH for >;Fri, 18 May 2018 15:13:19 +0200 (CEST)
Received: from [192.168.169.103] (d4b27fea.static.ziggozakelijk.nl 
 [212.178.127.234])by 
mail.mydomain.tld (Postfix) with ESMTPSA id 057A3261CB45for 
mailto:myn...@icloud.com>>; Fri, 18 May 2018 
15:13:18 +0200 (CEST)


But I also got an aggregate report from Yahoo that suggests something 
is wrong:





Yahoo! Inc.
postmas...@dmarc.yahoo.com 


1526605741.475970

1526515200
1526601599 



mydomain.tld
r
r
none
100



XXX.XXX.XXX.XXX
1

quarantine
fail
fail



dumbledore.mydomain.tld




neutral


mail.mydomain.tld
none





This seems to suggest that Yahoo received an email from my MTA at IP 
address XXX.XXX.XXX.XXX (which is the correct IP of mail.mydomain.tld) 
but the header was dumbledore.mydomain.tld. Is that correct? That is 
weird, because my mail server is set to use 'helo mail.mydomain.tld'. 
So, apparently, it seems some program on my server is trying to send 
mail to a yahoo MTA bypassing my mail server, correct? If so, it is an 
unexpected catch. But I need to know if it is correct.


Thanks in advance

Gerben



Re: [dmarc-discuss] DMARC newbie, seems to work, so why this report?

2018-05-18 Thread Vladimir Dubrovin via dmarc-discuss

Hello,

Most probably, the message received by Yahoo is an NDR or DSN message
generated by your host. In this case, the envelope-from address is empty and
SPF is checked against HELO:

      
        mail.mydomain.tld
        none
      

From: probably has something like

From: mailer-dae...@dumbledore.mydomain.tld.

RFC 7208 requires you to place an SPF record for the domain used in HELO
exactly for this case. Adding

mail.mydomain.tld. TXT "v=spf1 a -all"

will fix the issue.

18.05.2018 16:39, Gerben Wierda via dmarc-discuss wrote:
> I’m setting up DMARC for my mail server. I tried sending a mail to an
> account on the icloud.com  domain (which reports
> DMARC) and there I see:
>
> Received-Spf: pass (mr21p00im-spfmilter004.me.com
> : domain of myn...@mydomain.tld
>  designates XXX.XXX.XXX.XXX as permitted
> sender) receiver=mr21p00im-spfmilter004.me.com
> ; client-ip=XXX.XXX.XXX.XXX;
> helo=mail.mydomain.tld; envelope-from=myn...@mydomain.tld
> 
> X-Dmarc-Info: pass=pass; dmarc-policy=none; s=r1; d=r0
> X-Dmarc-Policy:
> v=DMARC1;p=none;sp=quarantine;pct=100;rua=mailto:dm...@mydomain.tld,mailto:re+vghcolsq...@dmarc.postmarkapp.com
> Received: from mr11p00im-smtpin012.mac.com
>  ([17.110.69.200]) by
> ms20524.mac.com  (Oracle Communications
> Messaging Server 8.0.1.3.20170906 64bit (built Sep  6 2017)) with
> ESMTP id <0p8x00kcde2dm...@ms20524.mac.com
> > for myn...@icloud.com
> ; Fri, 18 May 2018 13:13:25 + (GMT)
> Received: from mail.mydomain.tld (mail.mydomain.tld [XXX.XXX.XXX.XXX])
> by mr11p00im-smtpin012.me.com 
> (Oracle Communications Messaging Server 8.0.1.2.20170607 64bit (built
> Jun  7 2017)) with ESMTPS id
> <0p8x00h3ve2al...@mr11p00im-smtpin012.me.com
> > for
> myn...@icloud.com  (ORCPT myn...@icloud.com
> ); Fri, 18 May 2018 13:13:24 + (GMT)
> Received: from localhost (localhost [127.0.0.1])by mail.mydomain.tld
> (Postfix) with ESMTP id 57F0B261CB53for  >; Fri, 18 May 2018 15:13:21 +0200 (CEST)
> Received: from mail.mydomain.tld ([127.0.0.1]) by localhost
> (dumbledore.mydomain.tld [127.0.0.1]) (amavisd-new, port 10024) with
> ESMTP id b6L6g5ttGPiH for  >;Fri, 18 May 2018 15:13:19 +0200 (CEST)
> Received: from [192.168.169.103] (d4b27fea.static.ziggozakelijk.nl
>  [212.178.127.234])by
> mail.mydomain.tld (Postfix) with ESMTPSA id 057A3261CB45for
> mailto:myn...@icloud.com>>; Fri, 18 May 2018
> 15:13:18 +0200 (CEST)
>
> But I also got an aggregate report from Yahoo that suggests something
> is wrong:
>
> 
> 
>   
>     Yahoo! Inc.
>     postmas...@dmarc.yahoo.com
> 
>     1526605741.475970
>     
>       1526515200
>       1526601599 
>     
>   
>   
>     mydomain.tld
>     r
>     r
>     none
>     100
>   
>   
>     
>       XXX.XXX.XXX.XXX
>       1
>       
>         quarantine
>         fail
>         fail
>       
>     
>     
>       dumbledore.mydomain.tld
>     
>     
>       
>         
>         neutral
>       
>       
>         mail.mydomain.tld
>         none
>       
>     
>   
> 
>
> This seems to suggest that Yahoo received an email from my MTA at IP
> address XXX.XXX.XXX.XXX (which is the correct IP of mail.mydomain.tld)
> but the header was dumbledore.mydomain.tld. Is that correct? That is
> weird, because my mail server is set to use 'helo mail.mydomain.tld'.
> So, apparently, it seems some program on my server is trying to send
> mail to a yahoo MTA bypassing my mail server, correct? If so, it is an
> unexpected catch. But I need to know if it is correct.
>
> Thanks in advance
>
> Gerben
>
>


-- 
Vladimir Dubrovin
@Mail.Ru
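
The identity and alignment logic discussed in this thread, as an added Python sketch that is not part of any poster's message: which domain SPF is evaluated for when MAIL FROM is `<>`, and whether that result aligns with the From: header domain. The function names are hypothetical, the inputs are constructed from the values quoted in the report, and the organizational domain is assumed to be the last two labels (real evaluators use the Public Suffix List).

```python
def org_domain(name):
    # Assumption for this sketch: organizational domain = last two labels.
    # Real DMARC evaluators derive it from the Public Suffix List.
    return ".".join(name.lower().rstrip(".").split(".")[-2:])


def aligned(auth_domain, header_from, mode):
    """mode is the published aspf/adkim value: 'r' (relaxed) or 's' (strict)."""
    if not auth_domain:
        return False
    a = auth_domain.lower().rstrip(".")
    f = header_from.lower().rstrip(".")
    return a == f if mode == "s" else org_domain(a) == org_domain(f)


def spf_identity(mail_from, helo):
    """Domain SPF is checked for: the MAIL FROM domain, or the HELO name
    when MAIL FROM is null (bounces). Not every receiver evaluates HELO."""
    if mail_from in ("", "<>"):
        return helo
    return mail_from.rsplit("@", 1)[-1].strip("<>")


def dmarc_result(header_from, mail_from, helo, spf_result, dkim,
                 aspf="r", adkim="r"):
    """dkim is a list of (d= domain, result) pairs. Returns 'pass' or 'fail'."""
    spf_ok = spf_result == "pass" and aligned(
        spf_identity(mail_from, helo), header_from, aspf)
    dkim_ok = any(res == "pass" and aligned(dom, header_from, adkim)
                  for dom, res in dkim)
    return "pass" if spf_ok or dkim_ok else "fail"


def thread_cases():
    """Constructed inputs modelled on the values quoted in the thread."""
    bounce = dict(header_from="dumbledore.mydomain.tld", mail_from="<>",
                  helo="mail.mydomain.tld", dkim=[("", "neutral")])
    return {
        # As reported: no SPF record for the HELO name, so SPF is "none".
        "as_reported": dmarc_result(spf_result="none", **bounce),
        # With an SPF record published for the HELO name, relaxed alignment.
        "helo_spf_relaxed": dmarc_result(spf_result="pass", **bounce),
        # Same SPF pass, but strict alignment: the host names differ.
        "helo_spf_strict": dmarc_result(spf_result="pass", aspf="s", **bounce),
        # Ordinary message with a MAIL FROM in the From: domain.
        "normal_mail": dmarc_result("mydomain.tld", "user@mydomain.tld",
                                    "mail.mydomain.tld", "pass", []),
    }


if __name__ == "__main__":
    for name, result in thread_cases().items():
        print(f"{name}: {result}")
```

The strict case shows a caveat: with `aspf=s` an SPF pass on the HELO name would still not align with a From: header on a different host name, so the generating program's From: domain matters as well.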
