Re: [dmarc-discuss] DMARC woes - forwarding signed / encrypted e-mail

Because, as the situations currently is, DMARC's p=reject is no more than a scoring result to be fed to Spamassassin or whatever milter you use to do further processing. Have any current supporters changed their implementation to work this way? It's pretty clear that's what Gmail is doing,

Re: [dmarc-discuss] About that From: field

There's only a single author posting here now. Just thought I'd mention it. It's definitely broken some functionality I rely on - some of it easily fixable, some not. I thought for sure the archives would have broken, but it doesn't look like it:

Re: [dmarc-discuss] reputation axioms, was DMARC woes

Solutions such as encapsulation of the original message or noting how to recreate the message in a manner that would pass DKIM, or addressing as the site actually sending the message all meet a least work standard that various whitelist proposals all seem to fail as far as I've seen. The

Re: [dmarc-discuss] DMARC thwarted already?

Doesn’t this come back to the whitelist idea? For the green bar SSL certs (Extended Validation), the certs have a bunch of information encoded in it, and the browsers have a list of CA’s that they trust. AFAIK, the only way to do that for email is through DKIM but you wouldn’t highlight all

Re: [dmarc-discuss] DMARC thwarted already?

Actually there is a finite number of look alike domains to any domain that are similar enough to fool someone. Well, technically, that's true since the total number of possible domains is finite, it's 2^2040. But the claim that you can enumerate all of the misleading domains, much less get

Re: [dmarc-discuss] DMARC thwarted already?

Presumably, if VBR is already an RFC, why couldn't DMARC integrate with it? As a large receiver I would never trust a set supplied by the sender, but if I had a handful of locally defined vouching services, then I could use that to bypass a DMARC enforcement in the event that the message passes

Re: [dmarc-discuss] MLM and Header-From rewritting - the SMTP open-relay analogy

I cannot stop thinking that the push-back against MLMs rewriting the Header-From is akin to the push-back of about 28 years ago from some people against the move to consider SMTP open-relays harmful. This is about the fourth time around for this topic. Any chance we could just skip the

Re: [dmarc-discuss] the obvious lookalike attack

A claim that attackers will use work-arounds creates a desire for measuring use of work-arounds... Here's an anecdote: I've been getting a fair amount of spam from what are obviously stolen AOL address books, since I recognize the sender and the other recipients. Now I'm getting the same spam,

Re: [dmarc-discuss] MLM and Header-From rewritting - the SMTPopen-relay analogy

On your most recent message my Mac client says �Unable to verify message signature�. Clicking on �Show details� it says that the certificate is not valid, email address mismatch. Alpine said it was signed, with a note at the bottom about the signing address. Thunderbird said it had no

Re: [dmarc-discuss] a detour into S/MIME, was MLM and Header-From rewriting

If your MUA shows you that this message is signed with a trusted certificate, you're sorted. If you're in the minority (or so I believe) for whom that isn't displayed, then boo; you're one of the few for whom S/MIME signatures as a matter of course would achieve nothing. Gmail: shows the

Re: [dmarc-discuss] On Inbound DMARC Support

As a community promoting DMARC, we have an obligation to champion deployment at both ends - inbound as well as outbound. A first step is to let our vendors know DMARC support is requirement. Um, perhaps they've heard about AOL and Yahoo and have reasonable concerns about losing real mail.

Re: [dmarc-discuss] On Inbound DMARC Support

Nothing personal, but like 99.9% of the people in the world, I care nothing about your brand. Which has no bearing on whether or not inbound DMARC filtering should be considered for corporate infrastructure. The point of DMARC is for mailbox operators to defend their own users. If their users

Re: [dmarc-discuss] gaah, never mind, DMARC rejections on domain with no DMARC record

I went back and found the original message, which contains this gem of a header: From: x...@netscape.net x...@aol.com My scripts that check for DMARC-sensitive addresses got confused. Never mind. R's, John ___ dmarc-discuss mailing list

Re: [dmarc-discuss] Postini rejected by Google

Messages affected seem to be forwards by Postini to Google. In my experience, Postini gushes spam. I can't say I'm very surprised if the rest of Google finally noticed. On my system, anything from Postini goes into a special trap with specific filters that discard or report nearly everything

Re: [dmarc-discuss] Unauthenticated emails being delivered to Google

In article 2dac908dcf71d142afbfd168ac96f9186e8bf...@sw720mbpx065.visa.com you write: -=-=-=-=-=- -=-=-=-=-=- Has anyone experienced unauthenticated emails being delivered to Google recipients despite having a DMARC policy (quarantine or reject) in place? Sure. That's the way Gmail users get

Re: [dmarc-discuss] Unauthenticated emails being delivered to Google

In article 53dad497.4070...@dcrocker.net you write: On 7/31/2014 4:37 PM, Steve Atkins via dmarc-discuss wrote: If you're, for example, a major financial institution there are a couple of things you could do. One would be to talk to Google and others to special case mail from your domain.

Re: [dmarc-discuss] DMARC and mailing lists

Some on this list will argue that update is a wrong word, though. I would certainly agree with that. There's a summary of all the mitigation techniques I know here: http://wiki.asrg.sp.am/wiki/Mitigating_DMARC_damage_to_third_party_mail If I've missed any, drop my a line and I'll send you a

Re: [dmarc-discuss] DMARC and mailing lists

I understand you may not have budgeted upgrades, ... You know, it's kind of Orwellian to redefine upgrade to mean ugly hack to work around damage caused by outsourcing the costs of security problems of large entities with enormous market power. Really, we understand why some providers weighed

Re: [dmarc-discuss] Fwd: [dmarc-ietf] draft-kucherawy-dmarc-base-04 issue

Does anyone who's implemented fo have a problem with both 0 and 1 being specified? If it is somehow problematic, then the base spec ought to say so. I don't understand what fo=1 is supposed to mean. If there's no SPF record at all, are you supposed to generate a report? If there's no DKIM

Re: [dmarc-discuss] Fwd: [dmarc-ietf] draft-kucherawy-dmarc-base-04 issue

I don't understand what fo=1 is supposed to mean. If there's no SPF record at all, are you supposed to generate a report? If there's no DKIM signature at all, same question? Of if there are DKIM signatures, but none of them have a d= that matches the From: address? My reading of the draft says

Re: [dmarc-discuss] Amazon email rejected by OpenDMARC but SPF DKIM are OK

Authentication-Results: icecube.pnzone.net; dmarc=fail header.from=amazon.fr Authentication-Results: icecube.pnzone.net; dkim=pass reason=1024-bit key; unprotected key header.d=amazonses.com header.i=@amazonses.com header.b=BOrJMGL0; dkim-adsp=pass; dkim-atps=neutral The

Re: [dmarc-discuss] Aligning non-identical domain names

Some of my C*O level users, however, are complaining about issues sending email via mobile devices, because they're sent via gateways that don't DKIM sign the mail with livingsocial.com identifiers. There have been some proposals for extra domains for DKIM signatures, such as the ones in RFC

Re: [dmarc-discuss] Aligning non-identical domain names

You will not find me disagreeing with you, although I might use different words than 'configuration issue'. However, I'm pretty sure we're not the only folks in similar situations (consider, from an older thread, netscape.com / aol.com addresses). ... This is a tradeoff between senders and

Re: [dmarc-discuss] dmarc and delegated zones

If I understand you correctly, even though zones don't matter to how I create the records, the zones could be a useful tool for me delegating management of the records. If I have one set of records for example.com in one organization and another set of exhibit records in New Jersey.example.com

Re: [dmarc-discuss] dmarc and delegated zones

Can a delegated zone have its own DKIM, SPF and DMARC records? There's no way to answer this question, because DKIM, SPF, and DMARC have no relationship whatsoever to zone delegations. They're defined in terms of domain names, and zone cuts don't matter. You can put DKIM, SPF, and DMARC records

Re: [dmarc-discuss] amazon.de fail

In article 20150616080608.horde.np0fbkrfk-jumt5krom4...@andreasschulze.de you write: someone from amazon Germany may be interested. Again: I guess it's a legit message from amazon, otherwise let me know ... It looks fine. How does your code pass the DKIM validation results to the DMARC code?

Re: [dmarc-discuss] amazon.de fail

Would be good to hear from Murray if this is the intended use-case for OpenDMARC. In general I know OpenDMARC simply as an A-R header parser. So my assumptions could not be completely wrong... I call the libraries directly, so in my implementation nothing parses A-R headers at all. R's, John

Re: [dmarc-discuss] probably bug in OpenDMARCs AR-header parser

It looks like the OpenDMARCs AR-header parser fail to recognise the AR-header generated by OpenDKIM. It must be more than that. I also use both opendkim and opendmarc, and multiple DKIM signatures are not a problem: Authentication-Results: iecc.com; spf=neutral spf.mailfrom=jo...@taugh.com

Re: [dmarc-discuss] Still having problems with third-party sending

I'm trying to improve my understanding of the third-party sender problem when, for reasons technical and political, you want to maintain a distance between organizational domain and the working domain. DKIM and DMARC and for that matter SPF are not designed to distinguish among authorized

Re: [dmarc-discuss] am not getting any rua reports for a domain

_dmarc.sb.mumble.com. 2947 INTXTv=DMARC1\; p=none\;rua=mailto:sbmumblecom_...@my.mailservice.com\; fo=0\; adkim=r\; aspf=r\;sp=none If you want a real answer, please give us the real domain names. You're already asking for DMARC reports from total strangers so it's not like there are

Re: [dmarc-discuss] dmarc gogole attachments seen as executable

As is standard settings in lot of AV mailscanners to not allow attachments as example with a .com in it. Therefore it is not a good idea that google is sending attachments DMARC with these filename !google.com!domain.comgjdsadg6777.zip bacause of the .com names in it these are rejected in lot

Re: [dmarc-discuss] rddmarc & comcast reports

>I noticed last week rddmarc fail to read aggregated reports from Comcast. >They send an unusual Content-Type: application-x-gzip; The most recent Comcast reports I have are from September, and they have the same wrong content type. It should be Content-Type: application/gzip; ... whatever

Re: [dmarc-discuss] exim rejecting gmail DMARC reports

This message has been rejected because it has potentially executable content google.com!domain-redacted.com This form of attachment has been used by recent viruses or other malware. If you meant to send this file then please package it up as a zip file and resend it. Any

Re: [dmarc-discuss] dmarc gogole attachments seen as executable

I'd disagree about content filtering completely. There are some file extensions that are inherently dangerous in the Windows world and .COM is one of them. If your AV depends on the filenames in the attachment headers, you've already lost. It needs to look at the attachment contents to see

Re: [dmarc-discuss] introduction to the list-virtual server & mailman questions

>dmarc.fail is an interesting approach, however the spam filters aren't the >concern that's >being raised here, user education is. Teach people that >my.fri...@real.domain.some-unfamiliar-stuff is a reasonable email address to >receive >email from (vs. teaching them to treat that as extremely

Re: [dmarc-discuss] introduction to the list-virtual server & mailman questions

In article

Re: [dmarc-discuss] introduction to the list-virtual server & mailman questions

In article <2049568.4HsipfqAXp@kitterma-e6430> you write: >To start with, you'll have to explain why receivers should trust a sender to >not lie about where they got the mail from in an ARC header field if they >don't >already trust the sender. If you're suggesting that ARC is only useful when

Re: [dmarc-discuss] introduction to the list-virtual server & mailman questions

>I'd prefer: > >From: Foo list [Jane Smith] >CC: Jane Smith Given that most MUAs these days don't show the e-mail address at all, it's hard to see why that would be better. >- violating the principle of least astonishment[1] (wait, the list operator

Re: [dmarc-discuss] introduction to the list-virtual server & mailman questions

>Not to mention this is also a privacy issue. Now the owner of dmarc.fail >has visibility on some traffic he/she should not see. Oh, come on. The owner of dmarc.fail is me, and I assign the addresses to mail that goes through my own web server. R's, John

Re: [dmarc-discuss] introduction to the list-virtual server & mailman questions

>Smells like: > >From: Paypal Security secur...@paypal.com > >Not sure it is a good idea. It's a terrible idea. Too bad some ill-designed security scheme forces people to do stuff like that. R's, John ___ dmarc-discuss mailing list

Re: [dmarc-discuss] introduction to the list-virtual server & mailman questions

>ARC purpose is to say when DMARC fail and the email should be rejected that >it is ok to let it through. As such there is no scale problem and anyone >can do it. ARC provides no protection against replay attacks, in particular, against taking a set of ARC headers from a benign message and

Re: [dmarc-discuss] Why do I receive RUAs for emails that align?

>I guess I'm now more inclined to remove the rua= stanza as I don't >manage user accounts and am really only interested in the failures. I concur with Roland. Looking at my failure reports, I see some from Hotmail and Linkedin and beyond that a few from Chinese and Russian ISPs generally

Re: [dmarc-discuss] Why do I receive RUAs for emails that align?

In article you write: >Hello, > >I'm trying to limit RUA/RUFs to legitimate emails that need eyeballs. > >To that end, I'm scratching my head as to why I get RUAs that clearly align. That's how it works. See section 7.2 of RFC

Re: [dmarc-discuss] Deliverability of DMARC reports

>There's a semi-related issue I'm seeing. A number of domains have used >addresses @dmarc.org for their aggregate reports, and some report >generators have not implemented cross-domain reporting authorization >checks. This volume pales in comparison to the volume of spam directed >at the same

Re: [dmarc-discuss] dmarc.org breaks dkim & dmarc

In article <10d366e813d75805a35b93d9c9b7f...@junc.eu>, Benny Pedersen via dmarc-discuss wrote: >On 2016-10-04 17:20, Franck Martin wrote: >> I'm not sure what is the issue here? Mailing lists break DKIM by >> design. > >bad designed on thiese maillist then its not dkim/dmarc fails

Re: [dmarc-discuss] DMARC where mail is never sent

>> Does it make sense to publish a DMARC record to signal that a host >> should never send email? Can said record be published without an >> accompanying DKIM record? > >See >http://www.m3aawg.org/documents/en/m3aawg-protecting-parked-domains-best-common-practices Quite right. While you're at

Re: [dmarc-discuss] Getting to reject, was :Re: FortiNet’s FortiMail DMARC implementation

>p= none is not just because people don't care. What he said. p=none lets you collect reports and decide what to do. In my case, the reports have told me that for all but one of the domains I manage*, nobody is forging them enough to be worth further DMARC pain. I would suggest a note saying

Re: [dmarc-discuss] Beware of the size limit in DMARC URIs

>There's another question to raise in the IETF working group - do we need >to re-consider the use of HTTPS as an alternative transport for reports? >(Background: HTTP was in the original spec, but hadn't been implemented, >and so was dropped several years ago.) > >If we're running into the common

Re: [dmarc-discuss] gmail's DMARC check doesn't respect subdomain policy

>Domain a.prnk.cz doesnt have DMARC record. Domain prnk.cz has a DMARC >record that contains p=reject and sp=none. It looks like gmail doesn't >respect subdomain policy and rejects the email even when sp=none. Looks to me like Google is doing exactly what the DMARC spec says they should do.

Re: [dmarc-discuss] DMARC forensic reporting options

>Any comments on this? I doubt it would make any difference. People don't send reports because they don't want to send reports, not because the reports are too big. As someone else noted, the privacy issues are just as bad with the headers. R's, John

Re: [dmarc-discuss] FBL via DMARC?

>> But see https://datatracker.ietf.org/doc/draft-levine-herkula-oneclick/ >Is this really a good idea? Spammers will add this new header as they added >List-Unsubscribe headers as well and you will kindly validate the spammed >email address if a user marks it as junk. There are much, much,

Re: [dmarc-discuss] Netscape.net?

In article you write: > >One of our mailing list members, with a netscape.net email address, is >getting DMARC bounces. That domain is set to p=none. That hasn't been the case for quite a while. $ dig _dmarc.netscape.net txt

Re: [dmarc-discuss] Anything to be done about DMARC failures caused by internal Microsoft forwards?

In article you write: >Can we do anything to prevent messages such as this one from bouncing >when we turn on p=reject? Probably not. Perhaps you could back up and tell us what problem you expect to solve by turning on p=reject. Unless you

Re: [dmarc-discuss] How to block fake forwarders?

In article <59dd1c2e.27060.b174...@webbed.pete.gmail.com> you write: >Is there anything I can do to fix this? I'd start by publishing an SPF record that just says "-all" rather than what's in there now which says that there's all sorts of places that real mail can come from. A lot of places

Re: [dmarc-discuss] DMARC and vanity domains

>Am 25.08.2017 um 19:22 schrieb Marc Luescher via dmarc-discuss: >> I did not find any guideline how to do this. > >https://www.m3aawg.org/documents/en/m3aawg-protecting-parked-domains-best-common-practices Assuming you mean domains that neither send nor receive e-mail, the M3AAWG document is

Re: [dmarc-discuss] How to block fake forwarders?

In article <59de991d.29608.10e74...@webbed.pete.gmail.com> you write: >2) I was under the impression that a "real" email server needs to be able to >both receive >(postmaster@) and send (MAILER-DAEMON@) administrative emails. Yes, but only for the domains for which it handles real mail. If you

Re: [dmarc-discuss] What would be a guesstimate to the DMARC report count for a 65k account enterprise ?

In article

Re: [dmarc-discuss] What is the usefulness of choosing 'iodef' versus 'afrf" ?

In article <1512576134.2662.9.ca...@wemonitoremail.com> you write: >On Wed, 2017-12-06 at 09:48 -0500, DMARC via dmarc-discuss wrote: >> Is this an example where one standard as been publically accepted and the >> competing standards are more or less deprecated in deployment ? They're different

Re: [dmarc-discuss] Support for implementing dmarc filter in receiver's company/organisation

In article you write: >Although the domain-registrant end of DMARC is by-design easy to >implement, implementing the receiver-side in a sound fashion remains a >hard problem and therefore a rather specialist one. In general, only >large

Re: [dmarc-discuss] DKIM vulnerability overview

In article you write: >Recently this article came to my attention: >http://noxxi.de/research/breaking-dkim-on-purpose-and-by-chance.html > >It gives a nice overview of some of the vulnerabilties in the DKIM spec. >I understand

Re: [dmarc-discuss] 2 questions about evaluating DMARC reports -- recommendations ?

In article you write: > - QUESTION: what are the available appliances or tool sets for analyzing > DMARC reports, on-premise ? I give away some scripts that read dmarc reports and put the interesting bits in a database at

Re: [dmarc-discuss] DMARC Reporting De-duplication

In article <1675430.NNnUSil6oV@kitterma-e6430> you write: >As an example, I have been able to find four messages I sent to >lists.debian.org email lists on April 30th. The volume reported for that >source for that day from various feedback reporters was 2,436. This makes it >a little hard to

Re: [dmarc-discuss] General DMARC weakness - personal forwarding

In article <445884976.7940.1527153118...@appsuite.open-xchange.com> you write: >This is actually an area of concern to us: how will small scale operations, >like a server that only hosts a handful >of mailing lists for local non profits / open source projects / amateur groups >etc, be able to be

Re: [dmarc-discuss] General DMARC weakness - personal forwarding

In article you write: >Until then, a simple forwarding —refraining to append any disclaimer or virus >scanning notice to the body of the message— would not break DKIM signatures and >hence leave DMARC authenticity intact. That is exactly the problem

Re: [dmarc-discuss] RUA vs RUF reports

In article you write: >1) Most of the failure reports I've seen haven't included the message >body, they've only included the headers. Depends who you get them from. The ones from Netease are just the headers, the ones from Linkedin give you the whole message. >2) The people receiving the

Re: [dmarc-discuss] RUA vs RUF reports

In article you write: >I don't think you can be held responsible if a "total stranger's" email >ends up in your inbox because they put your domain in the From line of >the email without your authorization. ... Maybe. I gather there's all sorts of cases where it is not clear how the operator

Re: [dmarc-discuss] RUA vs RUF reports

In article you write: >I'm surprised to learn of the low value of failure reports. It's a lawyer thing. Failure reports send copies of your users' mail to total strangers. Maybe those strangers had something to do with that mail, maybe not. You can make various arguments about why even if

Re: [dmarc-discuss] General DMARC weakness - personal forwarding

In article you write: >No, ordinary forwarders which break DKIM need to ARC sign. If you're just >an ordinary forwarder, why break DKIM? Unfortunately, some people still authenticate with SPF, so an unmodified forward can break DMARC. R's, John ___

Re: [dmarc-discuss] A bit confused on the utility of a DNS record for DMARC external validation

In article you write: >QUESTION ONE: How is it possible for me to continue to receive aggregate >reports from domains that have no DMARC external validation for the >receiving domain ? Domains are cheap. Buy some random domain

Re: [dmarc-discuss] DMARC report to external domain

In article <00c026d7356944adb32b5f654ab07...@infineon.com> you write: >May I know how to create the this DNS record? Any sample? Try looking up the TXT record for ._report._dmarc.abuse.net $ dig example.com._report._dmarc.abuse.net txt ;; QUESTION SECTION: ;example.com._report._dmarc.abuse.net.

Re: [dmarc-discuss] Email encryption services and DMARC

In article <3fe159fb-7de2-b823-2665-bcf985b6c...@rolandturner.com> you write: >Can you show sample/likely envelopes/headers that would cause the >problem? It's not clear from your description why there's a problem. Are >you saying that Cisco is running a service that impersonates author

Re: [dmarc-discuss] What is the end goal of DMARC?

In article <5bbf9b2b.6010...@signal100.com> you write: >Other than rewriting headers (which of course can be done in a number of >ways), what would you suggest? > >Perhaps a new RFC defining new headers which MLs can add to describe to >mail clients exactly what has been done? This was suggested

Re: [dmarc-discuss] What is the end goal of DMARC?

In article <6a515d07-5bde-cf5f-813b-749557247...@tana.it> you write: >> It's easy enough to invent hacks that lists could apply and MUAs could >> undo, > >So easy that it is already implemented by some. When the IETF was trying to figure out what sort of anti-DMARC hackery to do for its mailing

Re: [dmarc-discuss] What is the end goal of DMARC?

In article , Alessandro Vesely via dmarc-discuss wrote: >I'd favor domain.INVALID. Its only defect originates from a dubious >reject-on-nxdomain advocacy, which would require to use domains with wildcard >records (e.g. domain.REMOVE.DMARC.TRAILING.PARTS). I did INVALID for a while and it was a

Re: [dmarc-discuss] What is the end goal of DMARC?

In article you write: > > When the IETF was trying to figure out what sort of anti-DMARC hackery > > to do for its mailing lists, we did some experiments. ... So we gave > > up and rewrite the From: headers. > >A defect in the method used in this list (and Y!Groups, fwiw) is that >every

Re: [dmarc-discuss] What is the end goal of DMARC?

something that fails? R's, John >Regards, >Al Iverson >On Sat, Oct 13, 2018 at 8:01 PM John Levine via dmarc-discuss > wrote: >> >> In article you write: >> > > When the IETF was trying to figure out what sort of anti-DMARC hackery >> > > to do fo

Re: [dmarc-discuss] What is the end goal of DMARC?

In article you write: >Rewriting the from address to something that fails -- and thus is >potentially going to fail delivery at any ISP that checks to see if >the from address is valid -- seems crappy to me. I'd rather it be >rewritten to be the list address as this list and most others seem to

Re: [dmarc-discuss] "p=none" vs. "p=quarantine; pct=0"

In article <29bfd7c6-00bd-0950-fee8-780746f32...@quantopian.com> you write: >It can also be fairly argued that the maintainers of servers that host >mailing lists should get off their asses and fix their software to >rewrite headers for domains that have DMARC policies, and that they have >no

Re: [dmarc-discuss] "p=none" vs. "p=quarantine; pct=0"

In article <24dd5bc1-ca89-473c-9d11-cb712504c...@akamai.com> you write: >p=none -> “we’re trying to figure out if we’re going to be able to go to >p=quarantine” > >If you treat quarantine differently than none, you’re sending me misleading >data in the reports you send (if of course >you send

Re: [dmarc-discuss] What is the end goal of DMARC?

In article <963257f9-0f6b-516b-59ea-b72852a4d...@quantopian.com> you write: >I thought the goal of DMARC was that eventually the maintainer of every >domain on the internet that shows up in the From: line of email messages >will be able to reliably tell the rest of the internet which of those

Re: [dmarc-discuss] Help

In article you write: >Might be better to have an MX record that points to localhost, because >if you have an A record but no MX, people will just try to connect to >the A record. There's an RFC for that: https://tools.ietf.org/html/rfc7505 R's, John -- Regards, John Levine, jo...@iecc.com,

Re: [dmarc-discuss] Fwd: Re: Help

In article <869d643b-7594-4bad-8929-9afdea01d...@portadmiral.org> you write: >Yes, there are folks who don’t know. I am an administrator for 17 mailing >lists using different technologies, >and I belong to several more. Mailman is different from Yahoo Groups is >different from Google Groups is

Re: [dmarc-discuss] Substituted Source IP question

In article <59f825b3-ccbf-1caf-93df-98e3fb9af...@gmail.com> you write: >Thanks Randal. This confirms the university's view of the situation. >So there's some work needed to accommodate this across our mail domains. Depending on how technically competent your university's mail managers are, it

Re: [dmarc-discuss] Rua and ruf address

In article , Hari Hendaryanto via dmarc-discuss wrote: >Hi, > >I'm new to dmarc. I've just setting up dmarc record view weeks a go. > >My question is, is it okay if i set my ruf address sane as rua? Yes, that's fine. If you get many reports you will probably want to set up separate addresses to

Re: [dmarc-discuss] DMARC RUF

In article you write: >Can someone tell me why the mail providers have stopped sending forensic >emails? They haven't stopped because they never started. Forensic messages have big privacy problems because they send a message, or at least part of it, to someone who may or may not have any

Re: [dmarc-discuss] DMARC RUF

In article you write: > >I received failure/forensic reports ("ruf=") from NetEase and Hotmail >for several years, for at least one small domain I operate, and I appear >to have received such reports from NetEase as recently as 3Q2018. None >from Hotmail since late 2017 though, and that was

Re: [dmarc-discuss] Basic questions

In article you write: >-=-=-=-=-=- >-=-=-=-=-=- > >I have some basic questions about the implementation of DMARC policies after >reading some of the official documentation. > >For "p=quarantine", "rua=mailto:postmas...@example.biz; (if specified) should >receive periodic spam reports, correct?

Re: [dmarc-discuss] Know anyone working on ARC at Microsoft ?

In article <0746ea03-c242-1020-7df8-f087f58a0...@crash.com> you write: >But yes, it's also worth noting that the item posted to the "Microsoft >365 Roadmap" at the end of October only discussed the use of ARC when >receiving messages for mailboxes hosted by Microsoft. It didn't address >any use

Re: [dmarc-discuss] DMARC is not disabled automatically at Office 365 when the MX is different

In article you write: >Dumb question time. In that scenario, if mail is forwarded with the >DKIM signature intact, would that be good enough to still pass DMARC? >Or will it fail because SPF now fails? Assuming no gratuitous changes to the message, yes. But I've found a dismaying number of

Re: [dmarc-discuss] DMARC vs DKIM keys with s=mtasts

In article you write: >-=-=-=-=-=- >-=-=-=-=-=- > >My 2 cents, if we are validating an email then the services MUST cover email, >either by including '*' or 'email'. Regardless of what >attachments that email contains. > >RFC8460 appears to conflict with 6376 in this regard, and with that in

Re: [dmarc-discuss] Ranked domains that advertise RUA addresses and then bounce aggregate reports sent to them

In article <65960f35-16b5-7889-5db1-c5c678015...@kamens.us> you write: >For your edification, below, in domain rank order (from the >https://domcop.com/openpagerank/ API), are the ranked domains that have >bounced at least one DMARC aggregate report my mail server has tried to >send them since I

Re: [dmarc-discuss] DMARC vs DKIM keys with s=mtasts

In article <3074162.RNaZIRUnTP@l5580> you write: >RFC 6376, Section 3.6.1, in the s= paragraphs says: > >> * matches all service types > >If libopendkim and Mail::DKIM are looking for a literal '*' as the service >type, rather than accepting any value for service type, they are buggy and

Re: [dmarc-discuss] DMARC vs DKIM keys with s=mtasts

In article <623afe11-a57e-49f3-b845-7e48a9ae5...@kitterman.com> you write: >I don't think 8460 needed to update 6376, since valid service values are >defined by the registry, not by 6376. The mistake was >not updating the registry. > >After looking at it again, I see your point about ignoring

Re: [dmarc-discuss] SPF and DKIM

In article you write: >Can we enable DMARC just by enabling only SPF?, without DKIM? If it's >possible what are the issues we will come across without DKIM? I would encourage you not to do that. As others have said, it sort of works until there is any sort of forwarding. I can report that

Re: [dmarc-discuss] Thoughts for new value 'p=nomail'

In article you write: >-=-=-=-=-=- >-=-=-=-=-=- > >With some of my recent DMARC reports for my domains I've seen comments >about over riding the p=reject and deciding the mail should be quarantined >vs rejected because the recipient mailbox provider thought it was >forwarded. > >Would it be

Re: [dmarc-discuss] Need documents to achieve DMARC alignment

In article you write: >-=-=-=-=-=- >-=-=-=-=-=- > >On Thu, Sep 24, 2020 at 11:44 PM Blason R via dmarc-discuss < >dmarc-discuss@dmarc.org> wrote: > >> Thanks that makes sense! Assuming they do not have a DKIM facility >> aligning messages with SPF should suffice my need, right? ... >My question

Re: [dmarc-discuss] DKIM Pass for unauthorized servers?

In article <3e3d6e63-2f2e-40b9-adc5-f5638f21f...@bexx.com> you write: >I am new to DMARC But I am seeing summary reports containing DKIM=pass >SPF=fail for server(s) that should not be able to send email on our behalf. >I have seen this for more than one server/domain as I assist with a number of

[dmarc-discuss] Speaking of mail security

A peek at the mail logs reveals that this list is hosted at dragon.trusteddomain.org which is running an antique version of sendmail 8.14.5 from 2011 that doesn't offer STARTTLS. I believe that the upgrade to 8.15.2, released in 2015 but still the most recent version, is straightforward. R's,

Re: [dmarc-discuss] Speaking of mail security

In article <20200621184250.ga59...@kiel.esmtp.org> you write: >On Sun, Jun 21, 2020, John Levine via dmarc-discuss wrote: > >> sendmail 8.14.5 from 2011 that doesn't offer STARTTLS. > >AFAICT ESMTPS is used when the host sends mail, >so that's just a configuration issue

Re: [dmarc-discuss] Correct counting of DNS lookups for SPF record containing MX mechanism

It appears that Alexander NAZARIAN via dmarc-discuss said: >So I want to understand whether having MX placed in the beginning of SPF >record can cause a quicker reach of '10 DNS lookup limitation' for G Suite >senders, due to the reason that G Suite has 5 MX records (and I assume that >number of

  1   2   >