[dmarc-discuss] DMARC Successful Mail Delivery Reports

Over the last few days I've gotten a number of bounces like this, all from AOL: Return-Path: Received: from imb-d04.mx.aol.com (imb-d04.mx.aol.com [205.188.128.65]) by qs3710.pair.com (Postfix) with ESMTPS id 51A76125427 for i...@kitterman.com; Sun, 11 May 2014 13:05:39 -0400

Re: [dmarc-discuss] DMARC Successful Mail Delivery Reports

and should stop, seems you should move your domain to p=reject to avoid that these spoofed emails get delivered to aol users and others... Printed on recycled paper! On May 11, 2014, at 19:34, Scott Kitterman via dmarc-discuss dmarc-discuss@dmarc.org wrote: Over the last few days I've

Re: [dmarc-discuss] DMARC Successful Mail Delivery Reports

Look at the ruf= address and where it was sent. No. Not what I requested. Scott K On Monday, May 12, 2014 11:07:59 you wrote: You have p=none and ruf= turned on, AOL's doing exactly what you've requested. - Roland On 05/12/2014 10:25 AM, Scott Kitterman via dmarc-discuss wrote: Over

Re: [dmarc-discuss] MLM and Header-From rewritting - the SMTPopen-relay analogy

On Saturday, June 07, 2014 16:33:14 Dave Crocker via dmarc-discuss wrote: ... We need to find a way to get objective and comparable information about this. ... If only DMARC had a mechanism for providing feedback so that people could measure this and provide data. ;-) Scott K

Re: [dmarc-discuss] MLM and Header-From rewritting - the SMTPopen-relay analogy

On Saturday, June 07, 2014 17:00:25 Dave Crocker wrote: On 6/7/2014 4:56 PM, Scott Kitterman via dmarc-discuss wrote: If only DMARC had a mechanism for providing feedback so that people could measure this and provide data. ;-) I'm pretty sure it isn't my jet lag that's causing me to miss

Re: [dmarc-discuss] Unauthenticated emails being delivered to Google

On Friday, August 01, 2014 08:09:53 Anders Wegge Keller via dmarc-discuss wrote: On Thu, 31 Jul 2014 22:31:36 + Norman, Jean Marie via dmarc-discuss dmarc-discuss@dmarc.org wrote: Has anyone experienced unauthenticated emails being delivered to Google recipients despite having a DMARC

Re: [dmarc-discuss] Unauthenticated emails being delivered to Google

On August 1, 2014 7:03:03 AM EDT, Anders Wegge Keller via dmarc-discuss dmarc-discuss@dmarc.org wrote: On Fri, 01 Aug 2014 06:40:29 -0400 Scott Kitterman via dmarc-discuss dmarc-discuss@dmarc.org wrote: On Friday, August 01, 2014 10:46:08 Anders Wegge Keller via dmarc-discuss wrote: Also

Re: [dmarc-discuss] AOL MX server don't support 8BITMIME

I'd like to highlight this as an example of what I think is a great value in this list. The ability of operators to have an open dialog about their mail operations and how it impacts interoperability is a wonderful thing. I wish there was more of it. Scott K On Wednesday, August 06, 2014

Re: [dmarc-discuss] Fwd: [dmarc-ietf] draft-kucherawy-dmarc-base-04 issue

On August 30, 2014 7:26:19 PM EDT, John Levine jo...@taugh.com wrote: Does anyone who's implemented fo have a problem with both 0 and 1 being specified? If it is somehow problematic, then the base spec ought to say so. I don't understand what fo=1 is supposed to mean. If there's no SPF record

Re: [dmarc-discuss] Fwd: [dmarc-ietf] draft-kucherawy-dmarc-base-04 issue

On September 1, 2014 12:50:04 PM EDT, John Levine jo...@taugh.com wrote: I don't understand what fo=1 is supposed to mean. .. The ambiguity for me is between SPF or DKIM failed and no SPF or DKIM at all. As I read it, it probably means failure, but maybe it means something else. I think for

[dmarc-discuss] Yahoo! DKIM Signing Practices Produce Fragile Signatures

With obvious implications for DMARC failures. See the postfix-users thread that starts here: http://archives.neohapsis.com/archives/postfix/2014-10/0138.html It would be helpful if Yahoo! were to dial this back a bit and stick with the recommended fields to sign (i.e. drop Received and

Re: [dmarc-discuss] Yahoo! DKIM Signing Practices Produce Fragile Signatures

Postfix removes it. Scott K On Monday, October 06, 2014 18:32:43 Murray Kucherawy via dmarc-discuss wrote: I get Received:, but why would Content-Length change in-flight? -MSK On 10/6/14, 11:01 AM, Scott Kitterman via dmarc-discuss dmarc-discuss@dmarc.org wrote: With obvious

Re: [dmarc-discuss] Postfix 2.11.2 test

On October 16, 2014 9:20:07 PM EDT, Benny Pedersen via dmarc-discuss dmarc-discuss@dmarc.org wrote: Just to test how bad it is now, is there more errors now that postfix milter is resolved ? I have still problem with opendkim when rebooting after running a day, if i just reboot after 10 mins

[dmarc-discuss] Issues with Google Authentication Results header fields

While not directly DMARC, AR fields can serve as an input for DMARC processing, so I think it's generally worth getting right. I was checking a recent SPF change relevant to one of my serves, so I found myself looking at this: Authentication-Results: mx.google.com; spf=pass (google.com:

[dmarc-discuss] mail.ru DMARC processing issue

I've been reviewing some DMARC failures reported in data from mail.ru. In this case the From domain is a subdomain of the main company domain (e.g. sub.example.com), the DKIM signature is d= the main company domain (e.g. example.com), and the DMARC record is the org domain record as well

Re: [dmarc-discuss] what is SPF-DNS?

On Wednesday, June 24, 2015 11:17:38 AM Tomki Camp via dmarc-discuss wrote: in 7.3.1 there is a required entry ‘SPF-DNS’, for which I can’t find any definition reference. https://datatracker.ietf.org/doc/rfc7489/?include_text=1 It's defined in RFC 6591, Section 3.2.6. Scott K

Re: [dmarc-discuss] A bit quiet?

On October 22, 2015 1:19:51 PM EDT, Franck Martin via dmarc-discuss wrote: >The fun is moving to ARC > >https://dmarc.org/2015/10/global-mailbox-providers-deploying-dmarc-to-protect-users/ > How does that actually help? At least as I read the draft, anyone can make up

Re: [dmarc-discuss] A bit quiet?

On October 26, 2015 9:12:17 AM EDT, Roland Turner via dmarc-discuss wrote: >Scott Kitterman wrote: ... snipped down to one bit as we seem to mostly be going around in circles ... >> As a domain owner, I can control what sources of mail are able to >> generate mail that

Re: [dmarc-discuss] A bit quiet?

On October 23, 2015 2:10:26 PM EDT, "J. Gomez via dmarc-discuss" <dmarc-discuss@dmarc.org> wrote: >On Friday, October 23, 2015 4:07 PM, Scott Kitterman via dmarc-discuss >wrote: > >> On October 23, 2015 1:48:13 AM EDT, Roland Turner via dmarc-discuss >

Re: [dmarc-discuss] A bit quiet?

On Monday, October 26, 2015 06:47:33 AM Roland Turner via dmarc-discuss wrote: > Scott Kitterman wrote: > > On October 23, 2015 1:48:13 AM EDT, Roland Turner via dmarc-discuss wrote: > >>The question is not who you trust - ARC doesn't directly change that - > >>but how

Re: [dmarc-discuss] A bit quiet?

here.com > > > >____________ >From: dmarc-discuss <dmarc-discuss-boun...@dmarc.org> on behalf of >Scott Kitterman via dmarc-discuss <dmarc-discuss@dmarc.org> >Sent: Friday, 23 October 2015 04:44 >To: dmarc-discuss@dmarc.org >Subje

Re: [dmarc-discuss] introduction to the list-virtual server & mailman questions

To start with, you'll have to explain why receivers should trust a sender to not lie about where they got the mail from in an ARC header field if they don't already trust the sender. Scott K On Sunday, February 07, 2016 11:14:12 AM Franck Martin via dmarc-discuss wrote: > ARC will help, but

Re: [dmarc-discuss] introduction to the list-virtual server & mailman questions

On Sunday, February 07, 2016 08:25:13 PM John Levine wrote: > In article <2049568.4HsipfqAXp@kitterma-e6430> you write: > >To start with, you'll have to explain why receivers should trust a sender > >to not lie about where they got the mail from in an ARC header field if > >they don't already

Re: [dmarc-discuss] introduction to the list-virtual server & mailman questions

On Friday, February 12, 2016 05:11:34 AM Roland Turner via dmarc-discuss wrote: > John Levine wrote: > >>> So I hear what you're saying, but it doesn't change my mind. I guess if > >>> the large providers think this is useful, then meh, OK, > >> > >> That would be the guys who receive more than

Re: [dmarc-discuss] introduction to the list-virtual server & mailman questions

On Wednesday, February 10, 2016 07:17:31 AM Roland Turner via dmarc-discuss wrote: > Scott, > > You're [still!] confusing multiple conceptions of trust, including at least: > > 1) trust in the intention and ability of multiple upstream forwarders to > ARC-sign correctly, > 2) trust in the lack

Re: [dmarc-discuss] introduction to the list-virtual server & mailman questions

On Monday, February 15, 2016 07:27:21 AM Roland Turner via dmarc-discuss wrote: > Scott Kitterman wrote: > > It would be nice if we didn't design standards that only worked at a > > certain scale. "You must be this tall to ride" worries me. > > There's nothing about ARC that is scale-specific,

Re: [dmarc-discuss] introduction to the list-virtual server & mailman questions

That's a totally different class of problem. Any competent sysadmin with some time can maintain a CMS based web site (e.g. Wordpress). The fact that so many are not competently managed is a function of capability and willingness to do a little work, not a function of inadequate scale. Also,

Re: [dmarc-discuss] introduction to the list-virtual server & mailman questions

discuss@dmarc.org> wrote: > > ARC purpose is to say when DMARC fail and the email should be rejected > > that it is ok to let it through. As such there is no scale problem and > > anyone can do it. > > > > If email is your core business, then complaining you have to d

Re: [dmarc-discuss] introduction to the list-virtual server & mailman questions

On Tuesday, February 16, 2016 06:02:31 AM Roland Turner via dmarc-discuss wrote: > Scott Kitterman wrote: > >> Roland Turner wrote: > >> > >> This is just a diffusion process, not an exclusion of smaller players. > >> Indeed, it would almost appear that you'd be happier if the big guys had > >>

Re: [dmarc-discuss] introduction to the list-virtual server & mailman questions

On Tuesday, February 16, 2016 06:17:27 AM Roland Turner via dmarc-discuss wrote: > Scott Kitterman wrote: > > To > > the extent ARC is useful to mitigate the DMARC mailing list issue, it's > > only useful with additional data inputs that are not public and are not > > feasible for small providers

Re: [dmarc-discuss] DMARC and null path

There is a subtle distinction involved here. RFC 7208 (and RFC 4408 before it) don't literally say to use RFC5321.Helo if RFC5321.Mailfrom is null. What they say to to construct a MailFrom using postmas...@rfc5321.helo. That's the difference between RFC5321.Mailfrom and RFC7208/4408.Mailfrom

Re: [dmarc-discuss] DMARC and null path

On May 13, 2016 4:56:40 PM EDT, "A. Schulze via dmarc-discuss" wrote: > > >Am 13.05.2016 um 22:35 schrieb Terry Zink via dmarc-discuss: >> In Office 365 it would. Others' implementations may vary. > >"may or may not" - is that really the intention of DMARC? I think

[dmarc-discuss] Getting to reject, was :Re: FortiNet’s FortiMail DMARC implementation

On November 14, 2016 2:42:42 PM EST, Terry Zink via dmarc-discuss wrote: >> Well, DMARC addresses one particular vector - we still need to find >more effective ways >> to address cousin domains, display name abuse, etc. > >I didn't mean cousin domains, I mean domains

Re: [dmarc-discuss] DMARC fail for our subdomains, why?

On Thursday, March 23, 2017 03:31:14 PM Peter Olsson via dmarc-discuss wrote: ... > MD.se. TXT "v=spf1 ip4:X ip4:X ip4:X ip4:X ip4:X/24 ip4:X/24 ip4:X ip6:X > ip6:X ip6:X include:X -all" ... Is md.se the actual domain? I don't see a TXT record in DNS. $ dig -x md.se ; <<>> DiG 9.9.5 <<>> -x

[dmarc-discuss] DMARC Reporting De-duplication

I participate in a lot of mailing lists many of which that have a large number of subscribers. As a result, when I send a single message to a mailing list, many copies of the same message get sent to users at large mail providers. These get counted as individual messages in aggregate

[dmarc-discuss] Multiple DKIM Signature Reporting in DMARC

As most of you already know, the DCRUP working group is adding a new signature algorithm to DKIM. I have been sending dual rsa-sha256/ed25519-sha256 signed mail for some time and I have notice an oddity in DMARC reporting. Typically, I'll see something like this XML snippet:

Re: [dmarc-discuss] Multiple DKIM Signature Reporting in DMARC

On Sunday, April 22, 2018 02:12:33 PM Roland Turner via dmarc-discuss wrote: > On 21/04/18 05:36, Scott Kitterman via dmarc-discuss wrote: > > As most of you already know, the DCRUP working group is adding a new > > signature algorithm to DKIM. I have been sending dual > &g

Re: [dmarc-discuss] "p=none" vs. "p=quarantine; pct=0"

On October 9, 2018 10:37:49 PM UTC, John Levine via dmarc-discuss wrote: >In article <24dd5bc1-ca89-473c-9d11-cb712504c...@akamai.com> you write: >>p=none -> “we’re trying to figure out if we’re going to be able to go >to p=quarantine” >> >>If you treat quarantine differently than none, you’re

Re: [dmarc-discuss] Substituted Source IP question

This is why DMARC uses an 'or' vice 'and' test between aligned DKIM and SPF results. There are cases where on fails and the other succeeds, so overall the reliability is higher if you do both. Scott K On November 18, 2018 1:02:48 PM UTC, Edward Siewick via dmarc-discuss wrote: >Thanks

Re: [dmarc-discuss] DMARC and SPF Failures

On February 21, 2020 4:46:32 PM UTC, Marisa Clardy via dmarc-discuss wrote: >Hello, > >This may have already been discussed before, but I couldn't find >anything >about it. > >In our organization, we provide mail filtering for customers. We had >SPF >failures being rejected for a long time,

Re: [dmarc-discuss] DMARC vs DKIM keys with s=mtasts

On Sunday, March 29, 2020 4:03:42 PM EDT John R Levine via dmarc-discuss wrote: ... > The C libopendkim and perl Mail::DKIM libraries have hard-coded tests for > 'email' or '*'. Python dkimpy has a kludge that accepts 'tlsrpt' along > with the other two. None of them have a way to say to look

Re: [dmarc-discuss] DMARC vs DKIM keys with s=mtasts

On March 29, 2020 10:36:50 PM UTC, John Levine wrote: >In article <3074162.RNaZIRUnTP@l5580> you write: >>RFC 6376, Section 3.6.1, in the s= paragraphs says: >> >>> * matches all service types >> >>If libopendkim and Mail::DKIM are looking for a literal '*' as the >service >>type, rather

Re: [dmarc-discuss] Problems with settings DMARC

On May 25, 2020 12:33:45 AM UTC, Figo Morales via dmarc-discuss wrote: >I keep getting this message from my crons job: > >DMARC failure to load tld list >'/usr/share/publicsuffix/public_suffix_list.dat': No such file or >directory > >Any help is welcome. If you are using Debian or a Debian

Re: [dmarc-discuss] Heterogeneity in handling non-OD inputs among web-based DMARC checking tools

On Thursday, December 30, 2021 3:24:43 PM EST su...@banbreach.com via dmarc- discuss wrote: > On Friday, December 31, 2021 00:05 IST, Scott Kitterman via dmarc-discuss wrote: > > On Thursday, December 30, 2021 1:02:33 PM EST su...@banbreach.com via > > dmarc-> > >

Re: [dmarc-discuss] Heterogeneity in handling non-OD inputs among web-based DMARC checking tools

On Thursday, December 30, 2021 1:02:33 PM EST su...@banbreach.com via dmarc- discuss wrote: > On Thursday, December 30, 2021 18:40 IST, Alessandro Vesely via dmarc- discuss wrote: > > gov.in isn't listed in http://psddmarc.org/registry.html > > Thanks. I believe my question was not entirely