Re: none SRS issues
On 12.01.23 18:24, Emmanuel Fusté wrote:
> To address the forwarding problem, you should add ARC to the sending
> and verifying stack. It was designed specifically for that, but not
> widely used, it is pretty experimental.

ARC requires you to trust ARC signer as it is third party.

--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Warning: I do NOT want to receive any advertising mail at this address.
- Have you got anything without Spam in it?
- Well, there's Spam egg sausage and Spam, that's not got much Spam in it.
Re: none SRS issues
Emmanuel Fusté wrote on 2023-01-12 18:24:
> To address the forwarding problem, you should add ARC to the sending
> and verifying stack. It was designed specifically for that, but not
> widely used, it is pretty experimental.

fully implemented in rspamd and now spamassassin 4.0.0

just remember unaligned mails can pass on spf or dkim alone
Re: none SRS issues
Wietse Venema wrote on 2023-01-12 17:51:
> > No. If SPF fail DMARC will fail too.
>
> No. If DKIM passes then DMARC should too (necessary and sufficient).

dmarc specs allow for spf pass only, where there is no dkim signed, eg if mail is not fully aligned it does not break spf pass only and spf does allow v=spf1 +all and all other variants of more than 256 allowed ips, sadly designed for unaligned mail
Re: none SRS issues
Emmanuel Fusté wrote on 2023-01-12 17:21:
> No. If SPF fail DMARC will fail too.

only for aligned fully dmarc can pass on spf only as well as only dkim pass

some versions of dmarc validate arc seal / arc sign
Re: none SRS issues
On 12/01/2023 at 19:45, post...@ptld.com wrote:
> > No SPF is OK, but as long as the domain of RFC822 MAIL FROM address
> > has a SPF, this SPF must pass.
>
> DMARC will pass as long as either SPF or DMARC passes.
> DMARC will still pass if SPF fails and DKIM passes.
> I think you might be misinterpreting what you are reading.
> Regardless, in practice in the real world, that is how it works.
> That is what the OpenDMARC software does. That is what gmail does.
>
> https://www.rfc-editor.org/rfc/rfc7489#section-4.2
>
> A message satisfies the DMARC checks if at least ONE OF the supported
> authentication mechanisms:
> produces a "pass" result, and
> ... is in alignment

Ok, checked in the code.
The described behavior is in my case caused by other reasons (even not SPF enforcement at the SPF level).

Emmanuel.
Re: none SRS issues
> No SPF is OK, but as long as the domain of RFC822 MAIL FROM address
> has a SPF, this SPF must pass.

DMARC will pass as long as either SPF or DMARC passes.
DMARC will still pass if SPF fails and DKIM passes.
I think you might be misinterpreting what you are reading.
Regardless, in practice in the real world, that is how it works.
That is what the OpenDMARC software does. That is what gmail does.

https://www.rfc-editor.org/rfc/rfc7489#section-4.2

A message satisfies the DMARC checks if at least ONE OF the supported
authentication mechanisms:
produces a "pass" result, and
... is in alignment
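The RFC 7489 section 4.2 rule quoted in the message above, worked through as an added example (not part of the original thread, and not OpenDMARC's code). It evaluates constructed messages for direct delivery, forwarding without SRS, and forwarding with SRS; the domains are placeholders, and the organizational domain is approximated as the last two labels instead of a Public Suffix List lookup.

```python
from typing import NamedTuple

def org_domain(domain):
    # Assumption: organizational domain = last two labels. A real verifier
    # derives it from the Public Suffix List.
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def aligned(auth_domain, from_domain, mode):
    """mode 's' = strict (exact match), 'r' = relaxed (same organizational domain)."""
    a, f = auth_domain.lower().rstrip("."), from_domain.lower().rstrip(".")
    return a == f if mode == "s" else org_domain(a) == org_domain(f)

class Message(NamedTuple):
    from_domain: str       # RFC5322.From domain, the identity DMARC protects
    mail_from_domain: str  # envelope sender domain that SPF evaluated
    spf_result: str        # "pass", "fail", "none", ...
    dkim: list             # [(d= domain, result), ...], one entry per signature

def dmarc_eval(msg, aspf="r", adkim="r"):
    """Pass if at least one mechanism both passes and is aligned with From."""
    spf_ok = msg.spf_result == "pass" and aligned(msg.mail_from_domain, msg.from_domain, aspf)
    dkim_ok = any(res == "pass" and aligned(d, msg.from_domain, adkim)
                  for d, res in msg.dkim)
    return {"spf": spf_ok, "dkim": dkim_ok,
            "dmarc": "pass" if spf_ok or dkim_ok else "fail"}

# Constructed sample messages, all with From: someone@example.org
SAMPLES = {
    # Delivered directly by the author's own servers.
    "direct": Message("example.org", "bounce.example.org", "pass",
                      [("example.org", "pass")]),
    # Forwarded without SRS: envelope sender unchanged, forwarder's IP fails SPF.
    "forwarded_no_srs": Message("example.org", "bounce.example.org", "fail",
                                [("example.org", "pass")]),
    # Forwarded with SRS, unsigned: SPF passes, but for the forwarder's domain.
    "forwarded_srs_unsigned": Message("example.org", "forwarder.example.net",
                                      "pass", []),
    # Forwarder altered the message (author signature broken) and re-signed it.
    "forwarded_modified": Message("example.org", "bounce.example.org", "fail",
                                  [("example.org", "fail"),
                                   ("forwarder.example.net", "pass")]),
}

if __name__ == "__main__":
    for name, msg in SAMPLES.items():
        print(f"{name:24} {dmarc_eval(msg)}")
```

The third sample shows that SRS repairs the SPF result but not DMARC: the rewritten envelope sender belongs to the forwarder, so the SPF pass is not aligned with the From domain.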
Re: none SRS issues
On 12/01/2023 at 18:17, Emmanuel Fusté wrote:
> On 12/01/2023 at 17:51, Wietse Venema wrote:
> > Emmanuel Fusté:
> > > On Thu, 12 Jan 2023, 17:15, wrote:
> > > >
> > > > Since I am using SPF as a validation method, the non-srs messages from
> > > > those big providers will have possibility to break SPF and be rejected by
> > > > our systems.
> > > >
> > > > Do you reject based on solely the SPF result? It would be better to use
> > > > DMARC, have SPF only create the auth header and not reject, then let DMARC
> > > > evaluate and decide to reject or not.
> > > >
> > > > DMARC will look for any DKIM signatures and if a signature is valid DMARC
> > > > will accept the email even when SPF fails due to forwarding.
> > > >
> > > No. If SPF fail DMARC will fail too.
> >
> > No. If DKIM passes then DMARC should too (necessary and sufficient).
> >
> >         Wietse
>
> Yes, necessary and sufficient, but any fail will result in a final fail:
> If SPF none & DKIM pass => pass.
> If SPF fail, it will fail even if DKIM passes.
> RFC7489, section 6.6.2, 4) and 5)
> Especially "All other conditions (authentication failures, identifier
> mismatches) are considered to be DMARC mechanism check failures."
> No SPF is OK, but as long as the domain of RFC822 MAIL FROM address has a
> SPF, this SPF must pass.
> On top of that DMARC will check the alignment of this domain with the
> domain of the RFC5322 From address with the published DMARC policy SPF
> requirement (aspf) strict or relaxed.

To address the forwarding problem, you should add ARC to the sending and verifying stack. It was designed specifically for that, but not widely used, it is pretty experimental.

Emmanuel.
Re: none SRS issues
On 12/01/2023 at 17:51, Wietse Venema wrote:
> Emmanuel Fusté:
> > On Thu, 12 Jan 2023, 17:15, wrote:
> > >
> > > Since I am using SPF as a validation method, the non-srs messages from
> > > those big providers will have possibility to break SPF and be rejected by
> > > our systems.
> > >
> > > Do you reject based on solely the SPF result? It would be better to use
> > > DMARC, have SPF only create the auth header and not reject, then let DMARC
> > > evaluate and decide to reject or not.
> > >
> > > DMARC will look for any DKIM signatures and if a signature is valid DMARC
> > > will accept the email even when SPF fails due to forwarding.
> > >
> > No. If SPF fail DMARC will fail too.
>
> No. If DKIM passes then DMARC should too (necessary and sufficient).
>
>         Wietse

Yes, necessary and sufficient, but any fail will result in a final fail:
If SPF none & DKIM pass => pass.
If SPF fail, it will fail even if DKIM passes.
RFC7489, section 6.6.2, 4) and 5)
Especially "All other conditions (authentication failures, identifier mismatches) are considered to be DMARC mechanism check failures."
No SPF is OK, but as long as the domain of RFC822 MAIL FROM address has a SPF, this SPF must pass.
On top of that DMARC will check the alignment of this domain with the domain of the RFC5322 From address with the published DMARC policy SPF requirement (aspf) strict or relaxed.

Emmanuel.
Re: none SRS issues
Emmanuel Fusté:
> On Thu, 12 Jan 2023, 17:15, wrote:
> >
> > Since I am using SPF as a validation method, the non-srs messages from
> > those big providers will have possibility to break SPF and be rejected by
> > our systems.
> >
> > Do you reject based on solely the SPF result? It would be better to use
> > DMARC, have SPF only create the auth header and not reject, then let DMARC
> > evaluate and decide to reject or not.
> >
> > DMARC will look for any DKIM signatures and if a signature is valid DMARC
> > will accept the email even when SPF fails due to forwarding.
> >
> No. If SPF fail DMARC will fail too.

No. If DKIM passes then DMARC should too (necessary and sufficient).

        Wietse
Re: none SRS issues
On Thu, 12 Jan 2023, 17:15, wrote:
>
> Since I am using SPF as a validation method, the non-srs messages from
> those big providers will have possibility to break SPF and be rejected by
> our systems.
>
> Do you reject based on solely the SPF result? It would be better to use
> DMARC, have SPF only create the auth header and not reject, then let DMARC
> evaluate and decide to reject or not.
>
> DMARC will look for any DKIM signatures and if a signature is valid DMARC
> will accept the email even when SPF fails due to forwarding.
>

No. If SPF fail DMARC will fail too.

Emmanuel.
Re: none SRS issues
> Since I am using SPF as a validation method, the non-srs messages from
> those big providers will have possibility to break SPF and be rejected by
> our systems.

Do you reject based on solely the SPF result? It would be better to use DMARC, have SPF only create the auth header and not reject, then let DMARC evaluate and decide to reject or not.

DMARC will look for any DKIM signatures and if a signature is valid DMARC will accept the email even when SPF fails due to forwarding.
Re: none SRS issues
> Do you know why many providers even those big ones didn't implement SRS when
> forwarding email to other ESP?
>
> for instance, outlook.com, mail.ru, and even google domains who has
> specified email forwarding feature for their domain users, don't have SRS
> enabled in their forwarded messages.
>
> Since I am using SPF as a validation method, the non-srs messages from those
> big providers will have possibility to break SPF and be rejected by our
> systems.
>
> How to improve this then?

External forwards are problematic nowadays. Some providers offer pop3/imap fetchmail to poll external mailboxes instead.

Best regards
Gerald
none SRS issues
greetings,

Do you know why many providers even those big ones didn't implement SRS when forwarding email to other ESP?

for instance, outlook.com, mail.ru, and even google domains who has specified email forwarding feature for their domain users, don't have SRS enabled in their forwarded messages.

Since I am using SPF as a validation method, the non-srs messages from those big providers will have possibility to break SPF and be rejected by our systems.

How to improve this then?

Thanks.