Re: [dmarc-discuss] [Newbie warning] Both spf and dkim?

2015-08-12 Thread Carlos P via dmarc-discuss
Thank you everybody for your fast and clear answers.

I've understood why I should wait for dkim while reading the reports...





 

Carlos Pantelides 
@dev4sec

seguridad-agile.blogspot.com



 On Aug 12, 2015, at 1:46 PM, Carlos P via dmarc-discuss 
 dmarc-discuss@dmarc.org wrote:
 
 Hello,  
 
 
 I am new to DMARC and have a question: Is it necessary to set up both SPF and 
 DKIM in order to quarantine or reject? I cannot tell that from the 
 RFC [1] nor from searching this list, but there are some other places [2][3] 
 that say so.
 
 
 Is not finding a DKIM or SPF record considered a failure by itself when 
 p!=none?
 
 If so, I would like to know the rationale behind it. Is it to make it a little 
 more resilient to small and transient mistakes?
 
 Thank you
 
 
 [1] http://tools.ietf.org/html/rfc7489
 
 2.  Receivers compare the RFC5322.From address in the mail to the SPF
 and DKIM results, if present, and the DMARC policy in DNS.
 
 later
 
 Identifier Alignment:  When the domain in the RFC5322.From address
 matches a domain validated by SPF or DKIM (or both), it has
 Identifier Alignment
 
 [2] https://support.google.com/a/answer/2466563
 
 Important: Before creating a DMARC record for your Google Apps domain, you 
 must first set up DKIM authentication. If you fail to set up DKIM first, 
 email from services such as Google Calendar will fail mail authentication and 
 will not be delivered to users.
 
 
 [3] http://blog.endpoint.com/2014/04/spf-dkim-and-dmarc-brief-explanation.html
 
 DMARC can (and will) break your mail flow if you don't set up both SPF and 
 DKIM before changing DMARC policy to anything above 'none'.
 
 --
 
 Carlos Pantelides 
 @dev4sec
 seguridad-agile.blogspot.com
 ___
 dmarc-discuss mailing list
 dmarc-discuss@dmarc.org
 http://www.dmarc.org/mailman/listinfo/dmarc-discuss
 
 NOTE: Participating in this list means you agree to the DMARC Note Well terms 
 (http://www.dmarc.org/note_well.html)


Re: [dmarc-discuss] [Newbie warning] Both spf and dkim?

2015-08-12 Thread Franck Martin via dmarc-discuss
DKIM fails for 0.5% of cases when it should not fail, because the protocol
is really complex and until DMARC such bugs were hard to find...

SPF is an easy protocol, not many bugs... however, it does not work with DMARC
when forwarding emails (the aligned part, that is).

So for p=none you don't need to do SPF and DKIM, collect the reports...

for p=quarantine and p=reject, implementing DKIM only could be ok, if you
are ok with the number of fails that SPF could have saved.


Re: [dmarc-discuss] [Newbie warning] Both spf and dkim?

2015-08-12 Thread Tim Draegen via dmarc-discuss
Hi Carlos, it might help to flip the perspective around to receivers.

Receivers are looking for any positive signal that a piece of email can be 
connected to a domain.  If that signal is due to SPF, great.  If that signal is 
due to DKIM, that's great too.  If both SPF and DKIM provide signals, great++.

Having both SPF and DKIM in play for a piece of email increases its chances of 
being connected to a domain.  If for some reason SPF goes bad, maybe DKIM still 
works.  And vice-versa.

You do NOT have to have SPF and DKIM in place to publish p=reject or 
p=quarantine.  People do this today for domains that they know do not send 
email at all.  In those cases SPF and DKIM will always fail to provide a 
positive signal.

I hope the above helps,
-= Tim





Re: [dmarc-discuss] [Newbie warning] Both spf and dkim?

2015-08-12 Thread Paul Rock via dmarc-discuss
Hi there Carlos -

The main reason people say you should have both is that many customers do
things completely legitimately (like mail forwarding) that break SPF. Any
of those messages that lack DKIM will automatically fail DMARC, and
customers will wonder what the heck happened to their mail, which is why
it's advised that you should have both SPF and DKIM before moving to a
reject or quarantine policy.





-- 
PAUL ROCK
Principal Programmer/Analyst | AOL Mail
P: 703-265-5734 | C: 703-980-8380
AIM: paulsrock
22070 Broderick Dr.| Dulles, VA | 20166-9305

Re: [dmarc-discuss] [Newbie warning] Both spf and dkim?

2015-08-12 Thread Terry Zink via dmarc-discuss
You don't need to set up both; if one or the other passes, it will pass DMARC. 
If SPF fails or doesn't exist, AND DKIM fails or doesn't exist, then DMARC will 
fail and will take the action in the p=policy published in the DMARC record 
(unless the receiver overrides it with a local rule).

However, in my experience, if you publish p=quarantine or p=reject, you 
probably should have both SPF and DKIM set up. The reason is that a lot of mail 
is forwarded. While it may pass SPF/DKIM/DMARC at the original recipient, it 
will fail SPF at the forwarded-to recipient. This would fail DMARC unless you 
also had DKIM.

So, you can get away with only SPF or only DKIM with p=none, but going to 
p=reject/quarantine you should probably have both SPF and DKIM (unless you 
determine that the forwarded mail problem isn't much volume).

-- Terry
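
The pass/fail rule described in the reply above, together with the forwarding and no-mail-domain cases raised elsewhere in the thread, as an added example that is not part of the original messages: a simplified sketch of the RFC 7489 decision. The organizational-domain shortcut, the sample record and the example.com / forwarder.example.net names are assumptions, and receiver-side local overrides are not modelled.

```python
def org_domain(domain):
    # Assumption: "last two labels" stands in for a Public Suffix List lookup.
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def parse_dmarc(record):
    """Turn 'v=DMARC1; p=reject; aspf=s' into a dict of lower-cased tags."""
    parts = (p.partition("=") for p in record.split(";") if p.strip())
    tags = {k.strip().lower(): v.strip().lower() for k, _, v in parts}
    if tags.get("v") != "dmarc1":
        raise ValueError("not a DMARC record")
    return tags

def aligned(from_domain, auth_domain, mode):
    """Identifier alignment: 's' = exact match, 'r' = same organizational domain."""
    if mode == "s":
        return from_domain.lower() == auth_domain.lower()
    return org_domain(from_domain) == org_domain(auth_domain)

def evaluate(from_domain, record, spf=None, dkim=()):
    """spf: (result, MAIL FROM domain) or None; dkim: list of (result, d= domain).
    Returns (dmarc_result, requested_disposition)."""
    tags = parse_dmarc(record)
    spf_ok = bool(spf) and spf[0] == "pass" and aligned(
        from_domain, spf[1], tags.get("aspf", "r"))
    dkim_ok = any(res == "pass" and aligned(from_domain, d, tags.get("adkim", "r"))
                  for res, d in dkim)
    if spf_ok or dkim_ok:          # one aligned pass is enough
        return ("pass", "none")
    return ("fail", tags.get("p", "none"))   # absent counts the same as failed

# Constructed sample data (example.com / forwarder.example.net are placeholders).
RECORD = "v=DMARC1; p=reject; rua=mailto:reports@example.com"
SIG = [("pass", "example.com")]

def scenarios():
    f = "example.com"
    return {
        "direct, SPF only": evaluate(f, RECORD, ("pass", f)),
        "direct, DKIM only": evaluate(f, RECORD, None, SIG),
        "forwarded, SPF only": evaluate(f, RECORD, ("fail", f)),
        "forwarded, envelope rewritten": evaluate(
            f, RECORD, ("pass", "forwarder.example.net")),
        "forwarded, SPF + DKIM": evaluate(f, RECORD, ("fail", f), SIG),
        "domain sends no mail": evaluate(f, RECORD),
    }

if __name__ == "__main__":
    for name, outcome in scenarios().items():
        print(f"{name:32} -> {outcome}")
```

The "forwarded, envelope rewritten" case shows that an SPF pass for the forwarder's own domain does not help, because it is not aligned with the From domain.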
