n the numbers. It also means that users don’t benefit
from forensics, Microsoft being one of a few who support this part of the spec.
Best,
Randal
> On 24 Apr 2018, at 06:53, Terry Zink via dmarc-discuss
> <dmarc-discuss@dmarc.org> wrote:
>
> Okay, when I say "internal
tz...@microsoft.com>; dmarc-discuss@dmarc.org
Subject: [EXTERNAL] Re: [dmarc-discuss] Mimecast and Office 365
On 24/04/18 00:51, Terry Zink via dmarc-discuss wrote:
> > Failure reporting seems odd (because it's always legitimate) until
> > you recall that part of the purpose of fai
enant, but would be
important for messages that were automatically forwarded elsewhere.)
- Roland
On 23/04/18 12:55, Terry Zink via dmarc-discuss wrote:
>> 3. Would O365 do DMARC checks for internal emails i.e.
>> O365 tenant employee to another O365 tenant employee?
>> And would i
>> 3. Would O365 do DMARC checks for internal emails i.e.
>> O365 tenant employee to another O365 tenant employee?
>> And would it send DMARC reports in this case?
I didn’t see this answered, so answering it now.
Office 365 doesn’t do DMARC checks for internal emails since they don’t leave
the
I'm not sure I follow what the problem is.
AFAIK, we send NDRs from postmaster@ and then use the customer's default
domain. Most customers have this set to *.onmicrosoft.com which they get when
they sign up for the service, and then some flip it to their custom domain. All
domains are signed
You could simplify it down to remove the subdomain policy:
"v=DMARC1; p=reject; rua=<...>; fo=1;"
This means that all subdomains will inherit the organizational domain's
p=reject. You would only set up DKIM or SPF for the subdomain if you want to
send email from it and not fail DMARC.
--Terry
It's almost definitely an anti-phishing setting.
In my experience, domains sit on p=none for a long time, and in the meantime a
lot of other senders send email as them - most legitimate but some malicious.
This setting is designed to catch the malicious.
So, either (a) you rely upon DMARC
Could this be simplified further:
a01.com IN TXT "v=spf1 -all"
_dmarc.a01.com IN TXT "v=DMARC1\; p=reject"
If the domain never sends email, I don’t particularly care to receive reports.
I guess the argument is that it may be interesting to see who is sending email
as this parked domain.
> Somewhat related (to my earlier post) - are there any _enterprises_ on this
> list that have
> experience or are currently attempting to either go p=reject or enforce DMARC
> policies inbound?
I just wrote one for Microsoft:
mailboxes there is no SendOnBehalfOf in the GUI, has to be set using
PowerShell.
We use it since we came from Lotus Notes, and are used to it from there. So it
is almost considered legacy.
-Original Message-
From: dmarc-discuss [mailto:dmarc-discuss-boun...@dmarc.org] On Behalf Of Terry
Zi
In Office 365 it would. Others' implementations may vary.
-- Terry
-Original Message-
From: dmarc-discuss [mailto:dmarc-discuss-boun...@dmarc.org] On Behalf Of A.
Schulze via dmarc-discuss
Sent: Friday, May 13, 2016 1:23 PM
To: dmarc-discuss@dmarc.org
Subject: Re: [dmarc-discuss] DMARC
This is not related to DMARC.
This is related to our on-prem/hybrid customer base who send email this way:
On-prem --> Office 365 --> Internet
Suppose I want to relay email through the service, and let's suppose I have
provisioned the following domains with Office 365:
1. contoso.com
2.
You don't need to set up both; if one or the other passes, it will pass DMARC.
If SPF fails or doesn't exist, AND DKIM fails or doesn't exist, then DMARC will
fail and will take the action in the p=policy published in the DMARC record
(unless the receiver overrides it with a local rule).
Here's a simple use case for a spear-phisher where DMARC could be effective
on the inbound:
1. Phisher targets a specific exec at bigbank.com
2. Phisher sends fake FedEx tracking email from fedex.com (p=reject) to
exec's admin with a note from exec for admin to track a shipment that has
Doesn’t this come back to the whitelist idea? For the green bar SSL certs
(Extended Validation), the certs have a bunch of information encoded in them, and
the browsers have a list of CAs that they trust. AFAIK, the only way to do
that for email is through DKIM but you wouldn’t highlight all
Franck,
See the end of the email, where I argued this case... and it is hard to create
a club and define the entry level which is open to all, provided they meet
some requirements.
Yes, it is difficult and I think it's one of the biggest barriers to getting a
common solution for trusted