Re: [dmarc-discuss] Suggested DMARC policy for PEC (Italian certified e-mail)

2018-02-22 Thread Denis Salicetti via dmarc-discuss
Hi guys,
I think I can consider both suggestions, but I need to know whether what I
think is a good solution.

As I already said I set up SPF, DKIM and DMARC for salicetti.it (Google is
the standard email provider) and the actual policy is (sp=reject; p=reject).

The PEC email provider (obviously not Google but another one certified by
the government) told me that I can set up an SPF record for the sub-domain
pec.salicetti.it but no DKIM.

That said, I've been thinking of proceeding this way:

   1. keep (sp=reject; p=reject) for salicetti.it to keep sub-domains
   closed and safe.
   2. publish an explicit SPF record for pec.salicetti.it as suggested by
   the PEC email provider (v=spf1 include:pec.spf.kqi.it -all).
   3. publish an explicit DMARC record for pec.salicetti.it (v=DMARC1;
   p=reject; pct=100; fo=1; rua=x...@zzz.yy; ruf=x...@zzz.yy;).

Is this a good solution? More suggestions?

*Denis Salicetti*

2018-02-15 16:47 GMT+01:00 Al Iverson via dmarc-discuss <
dmarc-discuss@dmarc.org>:

> On the flip side of that, you might want to consider implementing p=reject
> on the PEC sub-domain, since perhaps you don't want to deliver mail
> claiming to be PEC mail if authentication fails. Wouldn't the three primary
> reasons for DMARC failure be, DKIM signature mangling, email forwarding, or
> spoofing? Only one of those (email forwarding) is likely to be legit/safe
> messages.
>
> Cheers,
> Al Iverson
>
> On Thu, Feb 15, 2018 at 9:40 AM, Todd Weltz via dmarc-discuss <
> dmarc-discuss@dmarc.org> wrote:
>
>> Hi Denis,
>>
>> For now, rather than leaving all sub-domains open, I would recommend
>> publishing an explicit record for pec.salicetti.it with a p=none and
>> setting salicetti.it back to sp=reject.  This will put the reject policy
>> back in place for all other potential sub-domains, but the explicit record
>> for pec.salicetti.it will mean that it will not inherit the sub-domain
>> policy from salicetti.it
>>
>> It sounds like deliverability is absolutely critical on these messages so
>> possibly you wouldn't move forward with a stronger DMARC policy on this
>> sub-domain.  But potentially you could check with the Certified Email
>> Provider to see if they have options to authenticate the mail.
>>
>> Regards,
>> Todd Weltz
>>
>> On Thu, Feb 15, 2018 at 9:02 AM, Denis Salicetti via dmarc-discuss <
>> dmarc-discuss@dmarc.org> wrote:
>>
>>> Hi,
>>> I need a suggestion about a particular thing.
>>>
>>> In Italy, there is a "special" type of e-mail called PEC (certified
>>> e-mail). This is the equivalent of a traditional registered mail with
>>> return receipt. It is mandatory for all companies (legal stuff between them
>>> or government). Basically, you get an electronic receipt every time a
>>> message has been received by recipient's domain server (as a proof that you
>>> got the message). More info here:
>>> https://en.wikipedia.org/wiki/Certified_email
>>>
>>> The address format must be em...@pec.domain.it
>>>
>>> I always used this configuration for salicetti.it (sp=reject; p=reject)
>>> with no problem, but now I have to decide what to do for
>>> pec.salicetti.it. For the moment I've changed it to (sp=none;
>>> p=reject).
>>>
>>> That said, I would like to know how to correctly set up the DMARC policy for
>>> this subdomain (pros and cons). What do you suggest? Have any Italian members
>>> of this list done that so far?
>>>
>>> I'm looking forward to your kind reply.
>>>
>>> Best regards.
>>>
>>> Denis Salicetti
>>>
>>> ___
>>> dmarc-discuss mailing list
>>> dmarc-discuss@dmarc.org
>>> http://www.dmarc.org/mailman/listinfo/dmarc-discuss
>>>
>>> NOTE: Participating in this list means you agree to the DMARC Note Well
>>> terms (http://www.dmarc.org/note_well.html)
>>>
>>
>>
>>
>> --
>> Todd Weltz, Customer Success Engineer
>> twe...@agari.com | M: 416.471.8633 | www.agari.com
>> Changing Email Security For Good
>>
>>
>
>
>
> --
> al iverson // wombatmail // miami
> http://www.aliverson.com
> http://www.spamresource.com
>
>
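How a receiver resolves the policy for the three configurations discussed in this thread, as an added example that is not part of any poster's message. The full parent record text, the host `other.salicetti.it` and the caller-supplied organizational domain are assumptions; a real receiver derives the organizational domain from the Public Suffix List.

```python
# Constructed records modelling the plan in the message above. The page gives
# the parent policy only as "(sp=reject; p=reject)"; the rua/ruf addresses are
# elided there and are left out here.
PLAN = {
    "_dmarc.salicetti.it": "v=DMARC1; p=reject; sp=reject",
    "_dmarc.pec.salicetti.it": "v=DMARC1; p=reject; pct=100; fo=1",
}
# Interim state from the first message: sp relaxed, no sub-domain record.
INTERIM = {"_dmarc.salicetti.it": "v=DMARC1; p=reject; sp=none"}
# The p=none suggestion from the quoted reply, with sp=reject restored.
MONITOR = dict(PLAN, **{"_dmarc.pec.salicetti.it": "v=DMARC1; p=none"})


def parse_tags(record):
    """Split a DMARC TXT record into a tag -> value dict."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def effective_policy(from_domain, org_domain, zone):
    """Return (policy, record name used), following RFC 7489 policy discovery.

    A record at _dmarc.<from_domain> wins outright. Only when none exists
    does the organizational domain's sp (or p, if sp is absent) apply.
    """
    from_domain = from_domain.lower().rstrip(".")
    own_name, org_name = "_dmarc." + from_domain, "_dmarc." + org_domain
    own = parse_tags(zone.get(own_name, ""))
    if own.get("v") == "DMARC1":
        return own.get("p"), own_name
    org = parse_tags(zone.get(org_name, ""))
    if org.get("v") == "DMARC1":
        return org.get("sp", org.get("p")), org_name
    return None, None


if __name__ == "__main__":
    for label, zone in (("plan", PLAN), ("interim", INTERIM), ("monitor", MONITOR)):
        for host in ("pec.salicetti.it", "other.salicetti.it"):  # second host is hypothetical
            print(label, host, effective_policy(host, "salicetti.it", zone))
```

The interim case shows the cost of relaxing `sp` on the parent: every sub-domain without its own record drops to `none`, not only the PEC one.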

Re: [dmarc-discuss] DMARC report to external domain

2018-02-22 Thread Randal Pinto via dmarc-discuss
Yes, you can have as many domains as you want reporting to that domain.

Randal 

> On 22 Feb 2018, at 01:24,  
>  wrote:
> 
> Sorry, typo.
>  
> domain1.com._report._dmarc.domain3.com. TXT "v=DMARC1"
> domain2.com._report._dmarc.domain3.com. TXT "v=DMARC1"
>  
>  
> 
>  
> Thanks.
>  
> Regards,
> Yeo
>  
> From: Yeo Boon Hai (IFMY IT OS IUC M) 
> Sent: Thursday, 22 February, 2018 9:23 AM
> To: 'Randal Pinto' ; Vladimir Dubrovin 
> 
> Cc: dmarc-discuss@dmarc.org
> Subject: RE: [dmarc-discuss] DMARC report to external domain
>  
> Hi all,
>  
> Thank you for the sample.
> If I have more than one domain that needs to send to the same domain admin, can I 
> have multiple entries like below?
>  
> domain1.com._report._dmarc.domain2.com. TXT "v=DMARC1"
> domain2.com._report._dmarc.domain2.com. TXT "v=DMARC1"
>  
>  
> 
>  
> Thanks.
>  
> Regards,
> Yeo
>  
>  
> From: Randal Pinto [mailto:ran...@redsift.io] 
> Sent: Wednesday, 21 February, 2018 6:40 PM
> To: Vladimir Dubrovin 
> Cc: Yeo Boon Hai (IFMY IT OS IUC M) ; 
> dmarc-discuss@dmarc.org
> Subject: Re: [dmarc-discuss] DMARC report to external domain
>  
> You are correct, Vladimir, I got the numbering incorrect when trying to 
> craft the example.
>  
> On 21 February 2018 at 10:07, Vladimir Dubrovin  wrote:
> 
> It's incorrect. If you want reports for domain1.com to be sent to an e-mail 
> address in domain2.com, domain2.com must publish a record
> 
> domain1.com._report._dmarc.domain2.com. TXT "v=DMARC1"
> 
> to indicate it's willing to receive the reports for domain1.com
>  
> 
> 
> 21.02.2018 12:51, Randal Pinto via dmarc-discuss wrote:
> Hello Yeo,
>  
> If you want domain1.com to report to domain2.com you have to add the 
> following DNS entry to domain1.com:
>  
> Name: domain2.com._report._dmarc
> Value: "v=DMARC1;"
>  
> This will authorise domain2.com to receive DMARC reports on behalf of 
> domain1.com
>  
> Best,
> Randal
>  
>  
> On 21 February 2018 at 09:29, Yeo via dmarc-discuss  
> wrote:
> Hi all,
>  
> I would like to change the DMARC report to go to my other domain for IT support to 
> check.
> After I changed it, I noticed it failed the DMARC external validation. :(
>  
> When a report generator has an aggregate report to send to example.com, it 
> will consult example.com's DMARC record and extract the address above. Since 
> the domain in that address is not example.com or its organizational domain, 
> it would have to make an authorization check first. It would take that domain 
> the report is for (example.com), and the domain that the rua field references 
> (otherdomain.com), and construct a new name like this:
>  
> “example.com._report._dmarc.otherdomain.com”
>  
> May I know how to create this DNS record? Any sample?
>  
> Thanks.
>  
> Regards,
> Yeo
>  
> 
> 
> 
>  
> --
> Randal Pinto
> Founder & COO
> +447703108205
> @randalpinto
>  
> Red Sift powers OnDMARC
> 5th Floor, 43 Whitfield Street, W1T 4HD, London, UK.
>  
> News: OnDMARC wins Cyber Security Start-Up of the Year | OnDMARC joins 
> G-Cloud 9
>  
> 
>  
> 
> -- 
> Vladimir Dubrovin
> @Mail.Ru
> 
> 
>  
> --
> Randal Pinto
> Founder & COO
> +447703108205
> @randalpinto
>  
> Red Sift powers OnDMARC
> 5th Floor, 43 Whitfield Street, W1T 4HD, London, UK.
>  
> News: OnDMARC wins Cyber Security Start-Up of the Year | OnDMARC joins 
> G-Cloud 9
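The external-destination check discussed in this thread, as an added example that is not part of any poster's message: it builds the name a report generator queries and shows why the record must live in the receiving domain's zone. The mailbox `reports@domain3.com`, the name `domain4.com` and the caller-supplied organizational domain are assumptions, and the TXT data is constructed.

```python
# Constructed TXT data. CORRECT is the receiver's zone (domain3.com) as in the
# corrected message; MISPLACED puts the record in the sender's zone instead,
# as in the first reply, where no report generator will look for it.
CORRECT = {
    "domain1.com._report._dmarc.domain3.com": ["v=DMARC1"],
    "domain2.com._report._dmarc.domain3.com": ["v=DMARC1"],
}
MISPLACED = {"domain3.com._report._dmarc.domain1.com": ["v=DMARC1;"]}


def rua_domain(uri):
    """Extract the host from a mailto: report URI (a '!10m' size suffix is allowed)."""
    if not uri.lower().startswith("mailto:"):
        raise ValueError("only mailto: URIs are handled here")
    address = uri[len("mailto:"):].split("!", 1)[0]
    return address.rsplit("@", 1)[1].lower().rstrip(".")


def authorization_name(policy_domain, uri):
    """Name queried for TXT: <policy domain>._report._dmarc.<report domain>."""
    return f"{policy_domain.lower()}._report._dmarc.{rua_domain(uri)}"


def destination_authorized(policy_domain, org_domain, uri, txt):
    """True if reports for policy_domain may be sent to uri.

    org_domain is supplied by the caller; the suffix test below stands in
    for a Public Suffix List comparison of the two organizational domains.
    """
    target = rua_domain(uri)
    if target == org_domain or target.endswith("." + org_domain):
        return True  # same organization: no authorization record needed
    records = txt.get(authorization_name(policy_domain, uri), [])
    return any(r.split(";")[0].replace(" ", "") == "v=DMARC1" for r in records)


if __name__ == "__main__":
    uri = "mailto:reports@domain3.com"  # hypothetical mailbox
    for sender in ("domain1.com", "domain2.com", "domain4.com"):
        print(sender, authorization_name(sender, uri),
              destination_authorized(sender, sender, uri, CORRECT))
    print("misplaced:", destination_authorized("domain1.com", "domain1.com", uri, MISPLACED))
```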