Re: DMARC/mailing list issue
Hello Sir, On 2023-12-25 22:16, jrmu wrote: Greetings, I'm attempting to send email to m...@openbsd.org, and getting a lot of DMARC failure reports. SPF, DKIM, and DMARC work fine for me when I am not using a mailing list. My SPF TXT record is For interacting with mailing lists, I use a domain with p=quarantine. Active users should already have figured out that lists like misc@ are not configured to support DMARC, and p=none is too easy to spoof for the worst offenders, so even just a simple MUA filter can move the messages out of the spam directory. Just my opinion here, but in 2023, lists not supporting DMARC are intentionally so. As you can see here with OpenSMTPD, the DKIM check using my domain's key will pass, AFAICT because the message is left largely unaltered and DMARC requires SPF OR DKIM authentication to pass using header.from. Not supporting DMARC keeps out people on any of the various freemail providers from meaningfully participating in a list. I see similar at daemonforums.org, which uses a yahoo.com FROM: address to send messages, so anyone with a server respecting p=reject (e.g., all freemail providers) will never receive any of their messages, including forum signups, which I believe to be an intentional technical filtering of users. "v=spf1 a mx ip4:198.251.82.194 -all" and my DMARC record is "v=DMARC1;p=none;pct=0;fo=1;rua=mailto:postmas...@ircnow.org;ruf=mailto:postmas...@ircnow.org; However, I sent two emails in the last 10 days, and received 20 failed DMARC reports. I am not sure if these two emails were received: https://marc.info/?l=openbsd-misc=170354063924689=2 https://marc.info/?l=openbsd-misc=170274207904871=2 As of today, I adjusted the DMARC record from p=quarantine to p=none, with hopes that fewer emails would get rejected. For p=quarantine, the messages should be sent to spam directories as opposed to p=reject, which most servers are configured to not send to the user account and in my experience is silently discarded. I'm not sure if 1) these failed DMARC reports are normal for mailing lists, and 2) if there's anything else I can do to reduce the failure rate. Below is a sample fastmail DMARC report: 1.0 Fastmail Pty Ltd repo...@fastmaildmarc.com https://fastmail.com/ 1054835552 1703462400 1703548799 ircnow.org none none 0 0 199.185.178.25 101 none fail fail trusted_forwarder Policy ignored due to local white list openbsd.org ircnow.org openbsd.org selector1 pass pass openbsd.org mfrom pass 148.251.123.12 1 none fail fail trusted_forwarder Policy ignored due to local white list openbsd.org ircnow.org openbsd.org selector1 pass pass openbsd.org mfrom softfail 173.228.157.40 1 none fail fail bounce2.pobox.com
DMARC/mailing list issue
Greetings, I'm attempting to send email to m...@openbsd.org, and getting a lot of DMARC failure reports. SPF, DKIM, and DMARC work fine for me when I am not using a mailing list. My SPF TXT record is "v=spf1 a mx ip4:198.251.82.194 -all" and my DMARC record is "v=DMARC1;p=none;pct=0;fo=1;rua=mailto:postmas...@ircnow.org;ruf=mailto:postmas...@ircnow.org; However, I sent two emails in the last 10 days, and received 20 failed DMARC reports. I am not sure if these two emails were received: https://marc.info/?l=openbsd-misc=170354063924689=2 https://marc.info/?l=openbsd-misc=170274207904871=2 As of today, I adjusted the DMARC record from p=quarantine to p=none, with hopes that fewer emails would get rejected. I'm not sure if 1) these failed DMARC reports are normal for mailing lists, and 2) if there's anything else I can do to reduce the failure rate. Below is a sample fastmail DMARC report: 1.0 Fastmail Pty Ltd repo...@fastmaildmarc.com https://fastmail.com/ 1054835552 1703462400 1703548799 ircnow.org none none 0 0 199.185.178.25 101 none fail fail trusted_forwarder Policy ignored due to local white list openbsd.org ircnow.org openbsd.org selector1 pass pass openbsd.org mfrom pass 148.251.123.12 1 none fail fail trusted_forwarder Policy ignored due to local white list openbsd.org ircnow.org openbsd.org selector1 pass pass openbsd.org mfrom softfail 173.228.157.40 1 none fail fail bounce2.pobox.com ircnow.org openbsd.org selector1 pass pass bounce2.pobox.com mfrom pass 216.40.44.19 1 none fail fail mailing_list Policy ignored due to local mailing list policy bullock.net ircnow.org openbsd.org selector1 pass pass
Re: dmarc reports - action required?
Thank you both for clearifying this. Now I can relax and may find anything useful to do with these reports. Please have a nice weekend. Kind regards, Michael p.s. Sorry Paul, I pressed the wrong button. :/ Am 26.11.2021 um 19:44 schrieb Paul Pace: On 11/26/21 8:57 AM, Michael Taubert wrote: Hi everyone! Recently I've received some dmarc reports from various hosts like google, yahoo, and so on. Are these reports of any use or just information for me? I mean, is there any action required when I got reports of failed dkim or spf? All the addresses in these reports does not belong to my mail server. So I think they just use my domain in the header to spam around. Well, at least, they trying to. I feel a bit lost as I don't know what to do about these reports. Thanks in advance. Kind regards, Michael I would guess these are aggregate reports being sent because the DMARC TXT record instructs them to: $ dig +short txt _dmarc.arachnodroid.de "v=DMARC1;p=none;pct=100;rua=mailto:postmas...@arachnodroid.de;; The aggregate reports are sent based on a time period. From RFC 7489 7.2[1]: > Visibility comes in the form of daily (or more frequent) Mail Receiver-originated feedback reports that contain aggregate data on message streams relevant to the Domain Owner. This information includes data about messages that passed DMARC authentication as well as those that did not. Paul [1] https://datatracker.ietf.org/doc/html/rfc7489#section-7.2
Re: dmarc reports - action required?
On 11/26/21 8:57 AM, Michael Taubert wrote: Hi everyone! Recently I've received some dmarc reports from various hosts like google, yahoo, and so on. Are these reports of any use or just information for me? I mean, is there any action required when I got reports of failed dkim or spf? All the addresses in these reports does not belong to my mail server. So I think they just use my domain in the header to spam around. Well, at least, they trying to. I feel a bit lost as I don't know what to do about these reports. Thanks in advance. Kind regards, Michael I would guess these are aggregate reports being sent because the DMARC TXT record instructs them to: $ dig +short txt _dmarc.arachnodroid.de "v=DMARC1;p=none;pct=100;rua=mailto:postmas...@arachnodroid.de;; The aggregate reports are sent based on a time period. From RFC 7489 7.2[1]: >Visibility comes in the form of daily (or more frequent) Mail Receiver-originated feedback reports that contain aggregate data on message streams relevant to the Domain Owner. This information includes data about messages that passed DMARC authentication as well as those that did not. Paul [1] https://datatracker.ietf.org/doc/html/rfc7489#section-7.2
dmarc reports - action required?
Hi everyone! Recently I've received some dmarc reports from various hosts like google, yahoo, and so on. Are these reports of any use or just information for me? I mean, is there any action required when I got reports of failed dkim or spf? All the addresses in these reports does not belong to my mail server. So I think they just use my domain in the header to spam around. Well, at least, they trying to. I feel a bit lost as I don't know what to do about these reports. Thanks in advance. Kind regards, Michael
Re: dmarc
On Sat, Jul 25, 2020 at 01:43:23PM +0200, Martijn van Duren wrote: > I'm not 100% sure what you mean, but let me give it a best effort. > > On Sat, 2020-07-25 at 11:00 +0200, Peter J. Philipp wrote: > > Hi, > > > > This is sorta a feature request. A lot of people use dmarc to check for > > incoming mails. Is there a way to turn off dmarc checking in the smtpd? > > This would be valuable for trusted sources such as mailing lists. > > This reads as if you want to disable checking on the receiving end, > which is smtpd. This is not needed since smtpd has no support for > DMARC, SPF, or DKIM verification at this moment. Oh sorry then. Well maybe keep it in mind in the future when this functionality is put into OpenSMTPD, perhaps then. Right now it's super annoying doing any posting, not that I can't handle it, it's more the economic footprint of posting. Let me try to explain below. > > Let me give you an example. I mail 1000 bytes to openbsd-misc and there is > > thousands of recipients on that mailing list. When their software delivers > > to these thousands I get a DNS request (I'm predicting 40 bytes in the > > question, > > and no less than 40 bytes in the answer * thousands) that's already a > > minimum > > of 80K bytes DNS traffic generated by a 1K byte mail. > > If you're worried about those numbers I would stop hosting DNS yourself > and just put it at a company who can handle it. I don't know if you're old enough to remember what a slashdotting is. In effect with all these dmarc requests out there you get a little slashdotting and it makes writing on small hosts to large mailing lists costly. This does have a natural "put your money where your mouth is", but it has an unneeded economical footprint. We're talking thousands of packets and MB of volume for 1 little post (especially when you have DNSSEC enabled and reply with a proof of non-existance to everyone). Now you can imagine where this goes when there is a large ML and everyone posts on it. Different parts of the Internet are lighting up and it's really a waste of electricity. > > It would be cool if OpenBSD could set a "X-DMARC-VERIFIED" header or > > something > > and based on a policy on every smtpd that receives this no dmarc dns request > > is caused. This would make me very happy. > > I'm not aware of this mail header, nor is google. Also this would make > your mail susceptible for a man in the middle to disabling DMARC. > > But if you want this header you should be able to do this quite easily > with a custom filter. The documentation is not installed by default, but > a draft is available in the smtpd soures: smtpd-filters.7. Something like this would be very good. The individual person will not care. So it's left to the makers of mail software to do something (if only for the need to burn less coal to make electricity). I may be noone but I think it's worthy raising this as the trend especially in the OpenBSD community is to be a small guy with a small self run network (I'm part of that). In effect this independence is causing a miscalculated evil. I'm just viewing this and saying "this could get out of control!". Oh I can handle it, but what if we grow 10x, 100x, 1000x, 1x do I want to see this or do I sign off the mailing lists? If email was more like a multicasting it would be very efficient, but then opensmtpd also wouldn't be needed anymore. So we need to be aware of the faults and side-effects of large unicasts that cause extra unicast lookups. > > > > Is this all technically possible? > > > > Best Regards, > > -peter > > > martijn@ Best Regards, -peter
Re: dmarc
I'm not 100% sure what you mean, but let me give it a best effort. On Sat, 2020-07-25 at 11:00 +0200, Peter J. Philipp wrote: > Hi, > > This is sorta a feature request. A lot of people use dmarc to check for > incoming mails. Is there a way to turn off dmarc checking in the smtpd? > This would be valuable for trusted sources such as mailing lists. This reads as if you want to disable checking on the receiving end, which is smtpd. This is not needed since smtpd has no support for DMARC, SPF, or DKIM verification at this moment. > > Let me give you an example. I mail 1000 bytes to openbsd-misc and there is > thousands of recipients on that mailing list. When their software delivers > to these thousands I get a DNS request (I'm predicting 40 bytes in the > question, > and no less than 40 bytes in the answer * thousands) that's already a minimum > of 80K bytes DNS traffic generated by a 1K byte mail. If you're worried about those numbers I would stop hosting DNS yourself and just put it at a company who can handle it. > > It would be cool if OpenBSD could set a "X-DMARC-VERIFIED" header or something > and based on a policy on every smtpd that receives this no dmarc dns request > is caused. This would make me very happy. I'm not aware of this mail header, nor is google. Also this would make your mail susceptible for a man in the middle to disabling DMARC. But if you want this header you should be able to do this quite easily with a custom filter. The documentation is not installed by default, but a draft is available in the smtpd soures: smtpd-filters.7. > > Is this all technically possible? > > Best Regards, > -peter > martijn@
dmarc
Hi, This is sorta a feature request. A lot of people use dmarc to check for incoming mails. Is there a way to turn off dmarc checking in the smtpd? This would be valuable for trusted sources such as mailing lists. Let me give you an example. I mail 1000 bytes to openbsd-misc and there is thousands of recipients on that mailing list. When their software delivers to these thousands I get a DNS request (I'm predicting 40 bytes in the question, and no less than 40 bytes in the answer * thousands) that's already a minimum of 80K bytes DNS traffic generated by a 1K byte mail. It would be cool if OpenBSD could set a "X-DMARC-VERIFIED" header or something and based on a policy on every smtpd that receives this no dmarc dns request is caused. This would make me very happy. Is this all technically possible? Best Regards, -peter
