On 03/12/2023 00:54, Matus UHLAR - fantomas wrote:
DMARC doesn't say that SPF must be aligned with From:.
It only says that SPF can only be used if envelope from is aligned with
header From:.
if you use _relaxed_ only _one_ need pass so why if you use _relaxed_
would you expect it to mail
On 21.11.23 12:06, Noel Butler wrote:
But they are inter-twined,
DMARC just does what DKIM and SPF declare, so any perceived DMARC
issues *do* include DKIM and SPF
On 28/11/2023 19:45, Matus UHLAR - fantomas wrote:
but this is irrelevant here.
On 02.12.23 13:25, Noel Butler wrote:
We will
On 28/11/2023 19:45, Matus UHLAR - fantomas wrote:
On 21.11.23 12:06, Noel Butler wrote: But they are inter-twined, DMARC
just does what DKIM and SPF declare, so any perceived DMARC issues *do*
include DKIM and SPF
but this is irrelevant here.
We will have to agree to disagree
Not "a pass
I agree that DKIM designers messed this up quite much.
But again, we are here talking about DMARC.
On 21.11.23 12:06, Noel Butler wrote:
But they are inter-twined, DMARC just does what DKIM and SPF declare,
so any perceived DMARC issues *do* include DKIM and SPF
but this is irrelevant here.
On November 28, 2023 12:36:11 AM UTC, Noel Butler
wrote:
>On 21/11/2023 20:08, Matus UHLAR - fantomas wrote:
>
>> On 21.11.23 12:06, Noel Butler wrote:
>>
>>> This also depends on how you set DKIM's canonicalization
>>
>> this is a (known) problem of DKIM and playing with DMARC will not
On 21/11/2023 20:08, Matus UHLAR - fantomas wrote:
On 21.11.23 12:06, Noel Butler wrote:
This also depends on how you set DKIM's canonicalization
this is a (known) problem of DKIM and playing with DMARC will not solve
it.
Anyone using simple/simple should have a DKIM fail and plenty use
On 16/11/2023 18:47, Matus UHLAR - fantomas wrote:
Keeping header From: and DKIM signatures is perfectly fine, if ML
does not modify the mail, which afaik is the default setting.
On 21.11.23 12:06, Noel Butler wrote:
This also depends on how you set DKIM's canonicalization
this is a (known)
On 16/11/2023 18:47, Matus UHLAR - fantomas wrote:
Keeping header From: and DKIM signatures is perfectly fine, if ML does
not modify the mail, which afaik is the default setting.
This also depends on how you set DKIM's canonicalization
there is also a mailman setting to remove existing DKIM
On 11/14/23 22:03, Noel Butler wrote: I would understand if those
reports were required for DKIM fail or SPF fail, but missing aligned
SPF pass is something common with mailing lists.
You only get them on failures not every message, and no, not all
mailing lists fail on DKIM, those who take the
On 11/15/23 21:13, Noel Butler wrote:
On 15/11/2023 13:59, Dave McGuire wrote:
On 11/14/23 22:03, Noel Butler wrote:
I would understand if those reports were required for DKIM fail or
SPF fail, but missing aligned SPF pass is something common with
mailing lists.
You only get them on
On 15/11/2023 13:59, Dave McGuire wrote:
On 11/14/23 22:03, Noel Butler wrote: I would understand if those
reports were required for DKIM fail or SPF fail, but missing aligned
SPF pass is something common with mailing lists.
You only get them on failures not every message, and no, not all
On 15.11.23 10:46, Damian wrote:
If there is anything hostile to mailing lists in DMARC
specification, it's this.
...
The mailing list has nothing to do with that.
Seems contradictory to me.
Not a tiniest little bit.
This is problem of forwarding, not problem of mailing lists.
Mailing
If there is anything hostile to mailing lists in DMARC specification,
it's this.
...
The mailing list has nothing to do with that.
Seems contradictory to me.
If you fo=1 on your domain:
You will get bombed ...
Those are the same `you`s, are they not? `you` get what `you` wished
for. If
This in my understanding generates failure reports for any forwarded
mail including any mail to lists that do not completely rewrite
From:
(including this one mailing list)
- even if DKIM is preserved and valid, such mail won't generate
aligned SPF pass
unless you have better explanation
This in my understanding generates failure reports for any forwarded
mail including any mail to lists that do not completely rewrite From:
(including this one mailing list)
- even if DKIM is preserved and valid, such mail won't generate
aligned SPF pass
unless you have better explanation
On 14/11/2023 23:00, Matus UHLAR - fantomas wrote:
That's not what I was talking about.
If anyone sets fo=0 in dmarc record of a domain, they will get
notification for every mail from their domain that gets forwarded
through a mailing list
(or via other means)
I would understand if those
On 11/14/23 22:03, Noel Butler wrote:
I would understand if those reports were required for DKIM fail or SPF
fail, but missing aligned SPF pass is something common with mailing lists.
You only get them on failures not every message, and no, not all mailing
lists fail on DKIM, those who take
On 14/11/2023 23:00, Matus UHLAR - fantomas wrote:
That's not what I was talking about.
If anyone sets fo=0 in dmarc record of a domain, they will get
notification for every mail from their domain that gets forwarded
through a mailing list
(or via other means)
I would understand if those
Looking at it, fo=0 should generate dmarc report for each individual
mail forwarded, either through mailing list or via other ways.
If there is anything hostile to mailing lists in DMARC
specification, it's this.
On 13.11.23 10:00, Damian wrote:
Why would someone pick a mailing list address
Looking at it, fo=0 should generate dmarc report for each individual
mail forwarded, either through mailing list or via other ways.
If there is anything hostile to mailing lists in DMARC specification,
it's this.
Why would someone pick a mailing list address as their ruf?
On 12/11/23 15:10, Noel Butler wrote:
DMARC (thus OpenDMARC) makes its decision based on the sender's DMARC
fo policy -
if policy uses fo=0 then yes, both SPF and DKIM must exist, and
both must pass.
if policy uses fo=1 then no, as a minimum /either/ SPF or DKIM must
exist, and pass, so
On 11.11.23 10:55, Dino Edwards wrote:
to be more precise: OpenDMARC running as milter only sees output from
milters applied before it.
Milter is run pre-queue and content_filter is run after queue, so opendmarc
does not see that amavis produced, because it was added later.
If you used
if policy uses fo=0 then yes, both SPF and DKIM must exist, and both must pass.
if policy uses fo=1 then no, as a minimum /either/ SPF or DKIM must exist, and pass, so DMARC will work with only SPF or only
DKIM, it will also work with both, which has the advantage that only one of these must
On 12/11/2023 14:04, Noel Butler wrote:
My understanding of the "fo" option is that it is only used for
reporting. i.e. It doesn't control whether the received email is
accepted or not, which is always based on _either_ SPF or DKIM checks
passing.
From RFC 7489:
fo: Failure reporting
On 12/11/2023 13:03, Nick Tait wrote:
On 12/11/23 15:10, Noel Butler wrote:
DMARC (thus OpenDMARC) makes its decision based on the sender's DMARC
fo policy -
if policy uses fo=0 then yes, both SPF and DKIM must exist, and both
must pass.
if policy uses fo=1 then no, as a minimum
On 12/11/23 15:10, Noel Butler wrote:
DMARC (thus OpenDMARC) makes its decision based on the sender's DMARC
fo policy -
if policy uses fo=0 then yes, both SPF and DKIM must exist, and both
must pass.
if policy uses fo=1 then no, as a minimum /either/ SPF or DKIM must
exist, and pass, so
On 12/11/2023 02:02, Dino Edwards wrote:
That's correct, if you're using only opendmarc just the
inet:127.0.0.1:54321 is needed, that's all you need, are you sure it
>is adding sigs on sending? send an email to check-a...@verifier.port25.com wait a minute then check its results email.
If
>the domain you're using now has quarantine policy :)
It sure does, but I don’t have a problem with outgoing e-mail. Only incoming
unless I’m not understanding what you are saying.
>That's correct, if you're using only opendmarc just the inet:127.0.0.1:54321
>is needed, that's all you need,
>to be more precise: OpenDMARC running as milter only sees output from
milters applied before it.
>Milter is run pre-queue and content_filter is run after queue, so opendmarc
does not see that amavis produced, because it was added later.
>If you used amavisd-milter at SMTP port, opendmarc
On 11/11/2023 23:03, Dino Edwards wrote:
most DMARC's I find still use quarantine, what responses are you
seeing for them?
I don't have any p=quarantine examples right now.
the domain you're using now has quarantine policy :)
o don't need to setup amavisd as a milter if it's working fine
So Amavis is setup as an smtpd_milter as well?
No, Amavis is setup as a content_filter (content_filter =
amavis:[127.0.0.1]:10021)
On 11.11.23 11:34, Damian wrote:
You can't do that. OpenDMARC needs to see Authentication-Results for DKIM.
to be more precise: OpenDMARC running as milter
On 11/11/2023 18:07, Damian wrote:
Also, since they allude to "some passing", I guess they did remember to set
enable_dkim_verification=1 ?
"Some passing OpenDMARC" might mean that they pass SPF-based only.
>true if using fo=1
To be clear, Amavis is setup like below:
>most DMARC's I find still use quarantine, what responses are you seeing for
>them?
I don’t have any p=quarantine examples right now.
>You also don't need to setup amavisd as a milter if it's working fine already.
Well, I can see Damian’s point here. Originally with OpenDKIM the Postfix
On 11/11/2023 18:07, Damian wrote:
Also, since they allude to "some passing", I guess they did remember
to set enable_dkim_verification=1 ?
"Some passing OpenDMARC" might mean that they pass SPF-based only.
true if using fo=1
--
Regards,
Noel Butler
This Email, including attachments, may
On 11/11/2023 21:28, Dino Edwards wrote:
You can't do that. OpenDMARC needs to see Authentication-Results for
DKIM.
It looks like you might be on to something. The e-mails that pass have
a p=none and the e-mails that fail have a p=reject. So, I need to setup
amavis as a milter in Postfix
On 11/11/2023 20:44, Dino Edwards wrote:
I've seen no problems with mail from MS, so how about you elaborate on
your problems and what version of OD are you using?
Here's the exact issue that I just ran into with o365 mail and note
this issue was reported 3 years ago. No fix yet.
> You can't do that. OpenDMARC needs to see Authentication-Results for DKIM.
It looks like you might be on to something. The e-mails that pass have a p=none
and the e-mails that fail have a p=reject. So, I need to setup amavis as a
milter in Postfix instead of a content_filter that I have
> I've seen no problems with mail from MS, so how about you elaborate on your
> problems and what version of OD are you using?
Here’s the exact issue that I just ran into with o365 mail and note this issue
was reported 3 years ago. No fix yet.
So Amavis is setup as an smtpd_milter as well?
No, Amavis is setup as a content_filter (content_filter =
amavis:[127.0.0.1]:10021)
You can't do that. OpenDMARC needs to see Authentication-Results for DKIM.
OpenDMARC is setup as a smtpd_milter in Postfix.
So Amavis is setup as an smtpd_milter as well?
Can someone maybe shed some light on why this would be happening
or is there a different way to handle DMARC?
On 11/11/2023 05:04, Damian wrote:
Do you see DKIM-related Authentication-Results
> So Amavis is setup as an smtpd_milter as well?
No, Amavis is setup as a content_filter (content_filter =
amavis:[127.0.0.1]:10021)
> Do you see DKIM-related Authentication-Results headers in incoming mails?
Yes, please see below at an example e-mail from gmail:
Authentication-Results:
Also, since they allude to "some passing", I guess they did remember to set
enable_dkim_verification=1 ?
"Some passing OpenDMARC" might mean that they pass SPF-based only.
On 11/11/2023 05:04, Damian wrote:
OpenDMARC is setup as a smtpd_milter in Postfix.
So Amavis is setup as an smtpd_milter as well?
Can someone maybe shed some light on why this would be happening or is
there a different way to handle DMARC?
Do you see DKIM-related Authentication-Results
On 11/11/2023 00:34, Dino Edwards wrote:
Hello,
In the past I used OpenDKIM to sign and verify DKIM signatures. However
considering the fact that it hasn't been updated in a very long time
and constant issues with e-mails from O365 senders,
Thanks in advance.
The fact a program hasn't
OpenDMARC is setup as a smtpd_milter in Postfix.
So Amavis is setup as an smtpd_milter as well?
Can someone maybe shed some light on why this would be happening or is there a
different way to handle DMARC?
Do you see DKIM-related Authentication-Results headers in incoming mails?