Re: [mailop] problem setting up open-dmarc

2024-02-11 Thread Gellner, Oliver via mailop

On 09.02.2024 at 22:19 Hans-Martin Mosner via mailop wrote:

> On 09.02.24 at 16:20 Gellner, Oliver via mailop wrote:
> > A not really serious reply: I'm interested to learn how I can get amused by 
> > looking at XML data, this would greatly improve my professional life. Until now 
> > I have been more in the state of wanting to jump out the window when I see 
> > DMARC reports like the following:
> >
> > ...
> >
> >
> >   194.127.216.50
> >   0
>
> This is mostly a matter of tooling, XML is not fit for human consumption. Being 
> a software developer, I wrote my own tools to parse and present DMARC reports 
> which are not perfect but ok for my purposes. I'm not sure I could find 
> sufficiently general open source tools quickly, but it's not impossible that 
> there are some somewhere.

Sorry, if this wasn’t clear: I don’t have any issues with XML data or parsing 
it.
I posted the XML snippet above specifically because of the „count = 0“ - as an 
example of one of the braindead DMARC reports some sites are sending. Apparently 
it depends on one’s own mindset if you are either amused or horrified by such 
reports :-)

—
BR Oliver


dmTECH GmbH
Am dm-Platz 1, 76227 Karlsruhe * P.O. Box 10 02 34, 76232 Karlsruhe
Phone 0721 5592-2500 Fax 0721 5592-2777
dmt...@dm.de * www.dmTECH.de
GmbH: registered office Karlsruhe, register court Mannheim, HRB 104927
Managing directors: Christoph Werner, Martin Dallmeier, Roman Melcher

___
mailop mailing list
mailop@mailop.org
https://list.mailop.org/listinfo/mailop
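
Rows like the "count = 0" one quoted above can be set aside mechanically before they reach any statistics. The following is an added example, not code from anyone in this thread or from the tools they mention: a Python reader for RFC 7489 aggregate reports that treats the report as untrusted input (bounded gunzip, no DTDs) and separates unusable rows from the per-IP totals. The sample report, reporter.example and example.org are constructed; only the zero-count IP is taken from the message.

```python
import gzip
import io
import ipaddress
import xml.etree.ElementTree as ET
import zlib

MAX_REPORT_BYTES = 5 * 1024 * 1024  # assumed cap; bounds gzip expansion

# Constructed sample report; only the zero-count row's IP comes from the thread.
SAMPLE_REPORT = b"""<?xml version="1.0" encoding="UTF-8"?>
<feedback>
  <report_metadata><org_name>reporter.example</org_name></report_metadata>
  <policy_published><domain>example.org</domain><p>none</p></policy_published>
  <record><row>
    <source_ip>192.0.2.10</source_ip><count>3</count>
    <policy_evaluated><dkim>pass</dkim><spf>fail</spf></policy_evaluated>
  </row></record>
  <record><row>
    <source_ip>194.127.216.50</source_ip><count>0</count>
    <policy_evaluated><dkim>fail</dkim><spf>fail</spf></policy_evaluated>
  </row></record>
  <record><row>
    <source_ip>198.51.100.7</source_ip><count>2</count>
    <policy_evaluated><dkim>fail</dkim><spf>fail</spf></policy_evaluated>
  </row></record>
</feedback>
"""


class ReportError(ValueError):
    """The report is unsafe to parse or structurally unusable."""


def load_report(blob: bytes) -> ET.Element:
    """Gunzip if needed, refuse DTDs, parse, and strip XML namespaces."""
    if blob[:2] == b"\x1f\x8b":  # gzip magic bytes
        try:
            with gzip.GzipFile(fileobj=io.BytesIO(blob)) as fh:
                blob = fh.read(MAX_REPORT_BYTES + 1)  # bounded read
        except (OSError, EOFError, zlib.error) as exc:
            raise ReportError(f"bad gzip data: {exc}") from exc
    if len(blob) > MAX_REPORT_BYTES:
        raise ReportError("report exceeds size cap")
    try:
        text = blob.decode("utf-8")  # assumption: only UTF-8 reports accepted
    except UnicodeDecodeError as exc:
        raise ReportError("report is not UTF-8") from exc
    if "<!DOCTYPE" in text or "<!ENTITY" in text:
        raise ReportError("DTD or entity declaration present")
    try:
        root = ET.fromstring(blob)
    except ET.ParseError as exc:
        raise ReportError(f"malformed XML: {exc}") from exc
    for element in root.iter():  # some reporters add an xmlns, some do not
        element.tag = element.tag.rsplit("}", 1)[-1]
    return root


def summarise(blob: bytes) -> dict:
    """Total messages per source IP; unusable rows go to 'anomalies'."""
    root = load_report(blob)
    per_ip = {}
    anomalies = []
    for record in root.iterfind("record"):
        ip = (record.findtext("row/source_ip") or "").strip()
        raw = (record.findtext("row/count") or "").strip()
        try:
            ipaddress.ip_address(ip)
        except ValueError:
            anomalies.append((ip, raw, "source_ip is not an IP address"))
            continue
        if not (raw.isascii() and raw.isdigit()):
            anomalies.append((ip, raw, "count is not a non-negative integer"))
            continue
        count = int(raw)
        if count == 0:
            anomalies.append((ip, raw, "count is zero"))
            continue
        dkim = (record.findtext("row/policy_evaluated/dkim") or "").strip().lower()
        spf = (record.findtext("row/policy_evaluated/spf") or "").strip().lower()
        entry = per_ip.setdefault(ip, {"messages": 0, "dmarc_fail": 0})
        entry["messages"] += count
        if "pass" not in (dkim, spf):  # DMARC passes if either one passes
            entry["dmarc_fail"] += count
    return {
        "org": (root.findtext("report_metadata/org_name") or "").strip(),
        "domain": (root.findtext("policy_published/domain") or "").strip(),
        "per_ip": per_ip,
        "anomalies": anomalies,
    }


if __name__ == "__main__":
    print(summarise(SAMPLE_REPORT))
```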


Re: [mailop] problem setting up open-dmarc

2024-02-09 Thread John Levine via mailop
It appears that Hans-Martin Mosner via mailop said:
>This is mostly a matter of tooling, XML is not fit for human consumption. 
>Being a software developer, I wrote my own 
>tools to parse and present DMARC reports which are not perfect but ok for my 
>purposes. I'm not sure I could find 
>sufficiently general open source tools quickly, but it's not impossible that 
>there are some somewhere.

There are lots of them.  You can find mine at https://www.taugh.com/rddmarc

>You might as well use the services of some company which specializes in DMARC 
>training and handling, this might be a 
>reasonable route if you expect considerable volume of actionable DMARC reports 
>...

That can work too. Most of the DMARC analysis companies have a free
level that's enough to see generally what's in the reports.

R's,
John


Re: [mailop] problem setting up open-dmarc

2024-02-09 Thread Hans-Martin Mosner via mailop

On 09.02.24 at 16:20 Gellner, Oliver via mailop wrote:
> A not really serious reply: I'm interested to learn how I can get amused by looking at XML data, this would greatly 
> improve my professional life. Until now I have been more in the state of wanting to jump out the window when I see 
> DMARC reports like the following:
>
> ...
>
>
>    194.127.216.50
>    0


This is mostly a matter of tooling, XML is not fit for human consumption. Being a software developer, I wrote my own 
tools to parse and present DMARC reports which are not perfect but ok for my purposes. I'm not sure I could find 
sufficiently general open source tools quickly, but it's not impossible that there are some somewhere.


You might as well use the services of some company which specializes in DMARC training and handling, this might be a 
reasonable route if you expect considerable volume of actionable DMARC reports (in our case, most reports result either 
from spam mails who use our domain names without authorization, so that's a sign DMARC is working a bit as intended, or 
from our mails sent through mailing lists which live in the last millennium and don't preserve DKIM signatures or apply 
DMARC mitigations and whose admins ignore my requests to fix their systems).


Cheers,
Hans-Martin


Re: [mailop] problem setting up open-dmarc

2024-02-09 Thread Gellner, Oliver via mailop
On 07.02.2024 at 18:17 John Levine via mailop wrote

> You might as well publish a p=none DMARC record anyway so you can collect the 
> reports. Some of them can be quite amusing.

A not really serious reply: I'm interested to learn how I can get amused by 
looking at XML data, this would greatly improve my professional life. Until now 
I have been more in the state of wanting to jump out the window when I see 
DMARC reports like the following:

...
  

  194.127.216.50
  0

--
BR Oliver




Re: [mailop] problem setting up open-dmarc

2024-02-08 Thread Randolf Richardson, Postmaster via mailop
> On 08.02.24 05:48, John Covici via mailop wrote:
> >I have sendmail set up for dkim, I don't see anywhere where you need
> >anything for dmarc.  Right now the opendmarc.conf is just what comes
> >when you install.
> 
> DMARC on domain means setting DNS record in it. 

Fortunately, that's the easier part. :)

> In addition to SPF and DKIM provides recipients instructions what to do with 
> mail that does not fit and/or where to send you reports about such mail.
> Which is
> 
> Opendmarc on your server validates incoming mail, optionally allows you to 
> reject mail and/or send failure reports.

...and that is where the OpenDMARC milter comes into play.  For mail 
server administrators who want/need to enforce DMARC policies during 
the SMTP transaction (pre-queue) stage, this milter does the job, but 
can be tricky to set up depending on various factors, including 
system architecture and configuration, mail server capabilities, etc.

> I also run opendmarc with default options, and am thinking about rejecting 
> and reporting. Will take some time.

I recently submitted a Pull Request to the OpenDMARC project for 
laying the foundation to add PostgreSQL support, and so far a few 
users provided positive feedback:

OpenDMARC :: Add PostgreSQL database schema #251
https://github.com/trusteddomainproject/OpenDMARC/pull/251

Once it gets approved, my intention is to contribute code updates to 
support using PostgreSQL for the back-end reporting database.

-- 
Postmaster - postmas...@inter-corporate.com
Randolf Richardson, CNA - rand...@inter-corporate.com
Inter-Corporate Computer & Network Services, Inc.
Vancouver, Beautiful British Columbia, Canada
https://www.inter-corporate.com/




Re: [mailop] problem setting up open-dmarc

2024-02-08 Thread Matus UHLAR - fantomas via mailop

On 08.02.24 05:48, John Covici via mailop wrote:

> I have sendmail set up for dkim, I don't see anywhere where you need
> anything for dmarc.  Right now the opendmarc.conf is just what comes
> when you install.


DMARC on domain means setting DNS record in it. 
In addition to SPF and DKIM provides recipients instructions what to do with 
mail that does not fit and/or where to send you reports about such mail.

Which is

Opendmarc on your server validates incoming mail, optionally allows you to 
reject mail and/or send failure reports.


I also run opendmarc with default options, and am thinking about rejecting 
and reporting. Will take some time.


--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
On the other hand, you have different fingers.


Re: [mailop] problem setting up open-dmarc

2024-02-08 Thread John Covici via mailop
I have sendmail set up for dkim, I don't see anywhere where you need
anything for dmarc.  Right now the opendmarc.conf is just what comes
when you install.

On Wed, 07 Feb 2024 13:07:25 -0500,
Randolf Richardson, Postmaster via mailop wrote:
> 
>   What's in the configuration file now?  If you could share what the 
> settings are (with comments stripped out and any sensitive 
> information removed -- you'll need to manually inspect for any 
> passwords, etc., that you don't want to reveal and redact them).
> 
>   Do you have the milter configuration aspect covered in sendmail?
> 
> > Thanks a lot, I am using sendmail as my mta.
> > 
> > On Wed, 07 Feb 2024 00:39:41 -0500,
> > Randolf Richardson, Postmaster via mailop wrote:
> > > 
> > >   Which mail server software and OS are you using?  Are you receiving 
> > > some error messages (e.g., in syslog)?
> > > 
> > >   I'm using Postfix on Debian, and I'd be happy to try to help you get 
> > > things working no matter which software you're using.
> > > 
> > >   The OpenDMARC package supports running as a milter, which is 
> > > supported by most technologies.
> > > 
> > >   If you can use a UNIX Domain socket you'll get better performance, 
> > > but the permissions can be a bit of a challenge (which is why a lot 
> > > of administrators set it up to listen on 127.0.0.1 and use TCP 
> > > sockets instead -- I prefer UNIX Domain sockets because there's 
> > > slightly less overhead than with TCP, but overall there generally 
> > > won't really be a noticeable performance hit).
> > > 
> > >   For my installation, /etc/opendmarc.conf has roughly half-a-dozen 
> > > default settings, most of which I didn't need to alter.  Adding one 
> > > line to /etc/postfix/main.cf got it all working after I made sure the 
> > > permissions were where they needed to be for the UNIX Domain socket:
> > > 
> > >   smtpd_milters = unix:/var/run/opendmarc/opendmarc.sock
> > > 
> > >   This is the order that may be helpfult you that works well fo rme:
> > > 
> > >   smtpd_milters =
> > >unix:/var/run/opendkim/opendkim.sock
> > >unix:/var/run/opendmarc/opendmarc.sock
> > >unix:/var/run/clamav/clamav-milter.ctl
> > > 
> > >   Feel free to share a comment-stripped copy of your opendmarc.conf 
> > > file here (and make sure you don't have any passwords in it; there 
> > > shouldn't be, but do check it first before attaching to be sure), and 
> > > I (and I'm sure other MailOp members as well) will be happy to help.
> > > 
> > > > Hi.  I am trying to make sure my mail server is properly
> > > > authenticated, and I have spf and dkim set up -- seemingly correctly
> > > > -- but I am not sure about dmarc.  I have downloaded and installed the
> > > > open-dmarc package and I have the text record I will have to put in
> > > > the zone,  but I don't know what to put in
> > > > > /etc/openmarc/opendmarc.conf -- it's quite a large file and I am not
> > > > sure what I really need in it.
> > > > 
> > > > Thanks in advance for any suggestions.
> > > > 
> > > > -- 
> > > > Your life is like a penny.  You're going to lose it.  The question is:
> > > > How do
> > > > you spend it?
> > > > 
> > > >  John Covici wb2una
> > > >  cov...@ccs.covici.com
> > > > ___
> > > > mailop mailing list
> > > > mailop@mailop.org
> > > > https://list.mailop.org/listinfo/mailop
> > > 
> > > 
> > > -- 
> > > Postmaster - postmas...@inter-corporate.com
> > > Randolf Richardson, CNA - rand...@inter-corporate.com
> > > Inter-Corporate Computer & Network Services, Inc.
> > > Vancouver, Beautiful British Columbia, Canada
> > > https://www.inter-corporate.com/
> > > 
> > > 
> > > ___
> > > mailop mailing list
> > > mailop@mailop.org
> > > https://list.mailop.org/listinfo/mailop
> > > 
> > 
> > -- 
> > Your life is like a penny.  You're going to lose it.  The question is:
> > How do
> > you spend it?
> > 
> >  John Covici wb2una
> >  cov...@ccs.covici.com
> > ___
> > mailop mailing list
> > mailop@mailop.org
> > https://list.mailop.org/listinfo/mailop
> 
> 
> -- 
> Postmaster - postmas...@inter-corporate.com
> Randolf Richardson, CNA - rand...@inter-corporate.com
> Inter-Corporate Computer & Network Services, Inc.
> Vancouver, Beautiful British Columbia, Canada
> https://www.inter-corporate.com/
> 
> 
> ___
> mailop mailing list
> mailop@mailop.org
> https://list.mailop.org/listinfo/mailop
> 

-- 
Your life is like a penny.  You're going to lose it.  The question is:
How do
you spend it?

 John Covici wb2una
 cov...@ccs.covici.com


Re: [mailop] problem setting up open-dmarc

2024-02-07 Thread Randolf Richardson, Postmaster via mailop
> On Wed, Feb 7, 2024, 4:55AM Andreas S. Kerber via mailop 
> wrote:
> 
> > On Wed, Feb 07, 2024 at 02:20:25PM +0100 Jaroslaw Rafa via mailop wrote:
> > > For outgoing, Google requires that you have DMARC record set up. So if you
> > > are sending anything to Google, you need that.
> >
> > This only applies if you're sending more than 5000 messages per day.
> > Most smaller senders are still fine using only "SPF *or* DKIM" and do not
> > *need* a DMARC record:
> >
> > https://support.google.com/a/answer/81126
> 
> Unfortunately, this is not correct, despite the official documentation.
> There are multiple reports on Reddit and other places of people getting the
> explicit "authentication required" SMTP response at much lower volumes.
> I've also experienced it directly myself, on domains that I directly
> control that don't do 50 a day, let alone 5000.

I've seen this multiple times with newly onboarded clients who were 
having these exact problems with their previous providers -- once our 
systems generate the needed keys and DNS records for SPF, DKIM, and 
DMARC, their delivery problems cease.

In my opinion, all mail systems should be using SPF with DKIM, and 
senders should also publish a DMARC "p=reject" policy as this will 
help most mail servers stop forgeries before reaching any queues.

On a few rare occasions we received reports from users who forwarded 
copies of SMTP 5yz rejections because the sender didn't have their 
SPF records configured correctly, and we've made internal whitelist 
exceptions for those (that will eventually expire, and our users know 
this and have informed their senders of the deadlines).

I greatly value the SPF/DKIM/DMARC mechanisms because it means my 
clients don't get forgeries that look like they came from their 
co-workers.  (In a few cases, some of those forgeries included 
attachments of old documents dated from times of past security 
breaches, which tend to appear more credible to recipients.)



Re: [mailop] problem setting up open-dmarc

2024-02-07 Thread Randolf Richardson, Postmaster via mailop
What's in the configuration file now?  If you could share what the 
settings are (with comments stripped out and any sensitive 
information removed -- you'll need to manually inspect for any 
passwords, etc., that you don't want to reveal and redact them).

Do you have the milter configuration aspect covered in sendmail?

> Thanks a lot, I am using sendmail as my mta.
> 
> On Wed, 07 Feb 2024 00:39:41 -0500,
> Randolf Richardson, Postmaster via mailop wrote:
> > 
> > Which mail server software and OS are you using?  Are you receiving 
> > some error messages (e.g., in syslog)?
> > 
> > I'm using Postfix on Debian, and I'd be happy to try to help you get 
> > things working no matter which software you're using.
> > 
> > The OpenDMARC package supports running as a milter, which is 
> > supported by most technologies.
> > 
> > If you can use a UNIX Domain socket you'll get better performance, 
> > but the permissions can be a bit of a challenge (which is why a lot 
> > of administrators set it up to listen on 127.0.0.1 and use TCP 
> > sockets instead -- I prefer UNIX Domain sockets because there's 
> > slightly less overhead than with TCP, but overall there generally 
> > won't really be a noticeable performance hit).
> > 
> > For my installation, /etc/opendmarc.conf has roughly half-a-dozen 
> > default settings, most of which I didn't need to alter.  Adding one 
> > line to /etc/postfix/main.cf got it all working after I made sure the 
> > permissions were where they needed to be for the UNIX Domain socket:
> > 
> > smtpd_milters = unix:/var/run/opendmarc/opendmarc.sock
> > 
> > > This is the order that may be helpful to you that works well for me:
> > 
> > smtpd_milters =
> >  unix:/var/run/opendkim/opendkim.sock
> >  unix:/var/run/opendmarc/opendmarc.sock
> >  unix:/var/run/clamav/clamav-milter.ctl
> > 
> > Feel free to share a comment-stripped copy of your opendmarc.conf 
> > file here (and make sure you don't have any passwords in it; there 
> > shouldn't be, but do check it first before attaching to be sure), and 
> > I (and I'm sure other MailOp members as well) will be happy to help.
> > 
> > > Hi.  I am trying to make sure my mail server is properly
> > > authenticated, and I have spf and dkim set up -- seemingly correctly
> > > -- but I am not sure about dmarc.  I have downloaded and installed the
> > > open-dmarc package and I have the text record I will have to put in
> > > the zone,  but I don't know what to put in
> > > > /etc/openmarc/opendmarc.conf -- it's quite a large file and I am not
> > > sure what I really need in it.
> > > 
> > > Thanks in advance for any suggestions.
> > > 
> > > -- 
> > > Your life is like a penny.  You're going to lose it.  The question is:
> > > How do
> > > you spend it?
> > > 
> > >  John Covici wb2una
> > >  cov...@ccs.covici.com
> > > ___
> > > mailop mailing list
> > > mailop@mailop.org
> > > https://list.mailop.org/listinfo/mailop
> > 
> > 
> > -- 
> > Postmaster - postmas...@inter-corporate.com
> > Randolf Richardson, CNA - rand...@inter-corporate.com
> > Inter-Corporate Computer & Network Services, Inc.
> > Vancouver, Beautiful British Columbia, Canada
> > https://www.inter-corporate.com/
> > 
> > 
> > ___
> > mailop mailing list
> > mailop@mailop.org
> > https://list.mailop.org/listinfo/mailop
> > 
> 
> -- 
> Your life is like a penny.  You're going to lose it.  The question is:
> How do
> you spend it?
> 
>  John Covici wb2una
>  cov...@ccs.covici.com
> ___
> mailop mailing list
> mailop@mailop.org
> https://list.mailop.org/listinfo/mailop


-- 
Postmaster - postmas...@inter-corporate.com
Randolf Richardson, CNA - rand...@inter-corporate.com
Inter-Corporate Computer & Network Services, Inc.
Vancouver, Beautiful British Columbia, Canada
https://www.inter-corporate.com/


___
mailop mailing list
mailop@mailop.org
https://list.mailop.org/listinfo/mailop


Re: [mailop] problem setting up open-dmarc

2024-02-07 Thread John Levine via mailop
It appears that Royce Williams via mailop said:
>Unfortunately, this is not correct, despite the official documentation.
>There are multiple reports on Reddit and other places of people getting the
>explicit "authentication required" SMTP response at much lower volumes.

You definitely will if you're sending over IPv6.

Considering that it takes about two minutes to publish an SPF record, even
though it's not very useful, there's no reason not to have one.

R's,
John


Re: [mailop] problem setting up open-dmarc

2024-02-07 Thread John Levine via mailop
According to Bill Cole via mailop:
>On 2024-02-07 at 05:40:50 UTC-0500 (Wed, 7 Feb 2024 12:40:50 +0200)
>Taavi Eomäe via mailop
>is rumored to have said:
>
>[Snip. Quoting Michael P.]
>>> Unless you are a big budget email sender, don't stress too much.  Maybe 
>>> tomorrow we will need something like DMARC, but thankfully not yet today.
>> You need it right now if you want to protect your communication against 
>> forgeries.
>
>Not so much. DKIM and SPF are adequate for most senders. Arguably, SPF would 
>suffice for most sending domains if it
>were not for transparent forwarding.

You might as well publish a p=none DMARC record anyway so you can
collect the reports. Some of them can be quite amusing. I agree that
p=reject is of no value unless you are big enough or famous enough to
be a phish target.

R's,
John
-- 
Regards,
John Levine, jo...@taugh.com, Primary Perpetrator of "The Internet for Dummies",
Please consider the environment before reading this e-mail. https://jl.ly
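
Whether a record will actually bring in reports, and whether it enforces anything, can be checked before it goes into the zone. The following is an added example, not code from anyone in this thread: a Python reviewer for a DMARC TXT record following the tag syntax of RFC 7489. The domain example.org and the record strings are constructed, and the external-destination test is a plain suffix comparison assumed here in place of a real organizational-domain lookup.

```python
VALID_POLICIES = {"none", "quarantine", "reject"}


def parse_dmarc(txt: str) -> dict:
    """Split a DMARC TXT record into tag=value pairs (RFC 7489, section 6.3)."""
    tags = {}
    parts = [p.strip() for p in txt.split(";") if p.strip()]
    if not parts:
        raise ValueError("empty record")
    for index, part in enumerate(parts):
        name, sep, value = part.partition("=")
        name, value = name.strip().lower(), value.strip()
        if not sep or not name:
            raise ValueError(f"malformed tag: {part!r}")
        if index == 0 and (name, value) != ("v", "DMARC1"):
            raise ValueError("record must begin with v=DMARC1")
        tags.setdefault(name, value)  # first occurrence wins (a choice made here)
    return tags


def rua_domains(rua: str) -> list:
    """Return the mail domains of the mailto: URIs listed in an rua tag."""
    domains = []
    for uri in rua.split(","):
        uri = uri.strip()
        if not uri.lower().startswith("mailto:"):
            continue  # only mailto: destinations are handled here
        address = uri[len("mailto:"):].split("!", 1)[0]  # drop a "!10m" size limit
        local, at, domain = address.rpartition("@")
        if at and local and domain:
            domains.append(domain.lower().rstrip("."))
    return domains


def review(domain: str, txt: str) -> dict:
    """Report what the record published at _dmarc.<domain> will do."""
    domain = domain.lower().rstrip(".")
    tags = parse_dmarc(txt)
    policy = tags.get("p", "").lower()
    findings = []
    if policy not in VALID_POLICIES:
        findings.append(f"p={policy or '(missing)'} is not a valid policy")
    destinations = rua_domains(tags.get("rua", ""))
    if not destinations:
        findings.append("no usable rua address: no aggregate reports will arrive")
    # A destination outside the policy domain has to authorise the reports
    # with its own TXT record (RFC 7489, section 7.1). Suffix comparison is an
    # approximation of the organizational-domain test.
    external = []
    for dest in destinations:
        related = (dest == domain or dest.endswith("." + domain)
                   or domain.endswith("." + dest))
        if not related:
            external.append(f"{domain}._report._dmarc.{dest}")
    if external:
        findings.append("needs v=DMARC1 TXT at: " + ", ".join(external))
    enforcing = policy in ("quarantine", "reject")
    if enforcing and tags.get("pct", "100") != "100":
        findings.append(f"pct={tags['pct']}: policy applies to a sample only")
    return {
        "policy": policy,
        "collects_reports": bool(destinations),
        "enforcing": enforcing,
        "external_authorisation": external,
        "findings": findings,
    }


if __name__ == "__main__":
    for record in ("v=DMARC1; p=none",
                   "v=DMARC1; p=none; rua=mailto:dmarc@example.org"):
        print(record, "->", review("example.org", record))
```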



Re: [mailop] problem setting up open-dmarc

2024-02-07 Thread Andreas S. Kerber via mailop
On Wed, Feb 07, 2024 at 06:41:48AM -0900 Royce Williams via mailop wrote:
> There are multiple reports on Reddit and other places of people getting the
> explicit "authentication required" SMTP response at much lower volumes.
> I've also experienced it directly myself, on domains that I directly
> control that don't do 50 a day, let alone 5000.

Can you confirm that these domains had a valid SPF record? Would you mind 
sharing the exact value of the SPF?


Re: [mailop] problem setting up open-dmarc

2024-02-07 Thread Royce Williams via mailop
On Wed, Feb 7, 2024, 4:55 AM Andreas S. Kerber via mailop 
wrote:

> On Wed, Feb 07, 2024 at 02:20:25PM +0100 Jaroslaw Rafa via mailop wrote:
> > For outgoing, Google requires that you have DMARC record set up. So if you
> > are sending anything to Google, you need that.
>
> This only applies if you're sending more than 5000 messages per day.
> Most smaller senders are still fine using only "SPF *or* DKIM" and do not
> *need* a DMARC record:
>
> https://support.google.com/a/answer/81126


Unfortunately, this is not correct, despite the official documentation.
There are multiple reports on Reddit and other places of people getting the
explicit "authentication required" SMTP response at much lower volumes.
I've also experienced it directly myself, on domains that I directly
control that don't do 50 a day, let alone 5000.

Royce


Re: [mailop] problem setting up open-dmarc

2024-02-07 Thread Bill Cole via mailop
On 2024-02-07 at 05:40:50 UTC-0500 (Wed, 7 Feb 2024 12:40:50 +0200)
Taavi Eomäe via mailop 
is rumored to have said:

[Snip. Quoting Michael P.]
>> Unless you are a big budget email sender, don't stress too much.  Maybe 
>> tomorrow we will need something like DMARC, but thankfully not yet today.
> You need it right now if you want to protect your communication against 
> forgeries.

Not so much. DKIM and SPF are adequate for most senders. Arguably, SPF would 
suffice for most sending domains if it were not for transparent forwarding.


-- 
Bill Cole
b...@scconsult.com or billc...@apache.org
(AKA @grumpybozo and many *@billmail.scconsult.com addresses)
Not Currently Available For Hire




Re: [mailop] problem setting up open-dmarc

2024-02-07 Thread Jaroslaw Rafa via mailop
On 7.02.2024 at 14:41:02 Andreas S. Kerber via mailop wrote:
> 
> This only applies if you're sending more than 5000 messages per day.

That is a "MUST" in RFC sense ;), because otherwise they reject mails from
you.

But if you read their sender guidelines, they say since long ago (long
before they start enforcing the limit above) that *every* sender
(regardless of volume they send) SHOULD (again, in RFC sense ;)) have SPF,
DKIM *and* DMARC set up.

If you have a delivery issue with Google (eg. like in my case when my mails
are constantly filed to recipients' Spam folders) they require you to fulfill
all the mentioned guidelines (including having DMARC set up) before you
submit an issue to them (which usually doesn't get resolved anyway... :()

> Most smaller senders are still fine using only "SPF *or* DKIM" and do not
> *need* a DMARC record:

My experience says otherwise.
-- 
Regards,
   Jaroslaw Rafa
   r...@rafa.eu.org
--
"In a million years, when kids go to school, they're gonna know: once there
was a Hushpuppy, and she lived with her daddy in the Bathtub."


Re: [mailop] problem setting up open-dmarc

2024-02-07 Thread Andreas S. Kerber via mailop
On Wed, Feb 07, 2024 at 02:20:25PM +0100 Jaroslaw Rafa via mailop wrote:
> For outgoing, Google requires that you have DMARC record set up. So if you
> are sending anything to Google, you need that.

This only applies if you're sending more than 5000 messages per day.
Most smaller senders are still fine using only "SPF *or* DKIM" and do not 
*need* a DMARC record:

https://support.google.com/a/answer/81126



Re: [mailop] problem setting up open-dmarc

2024-02-07 Thread Thomas Walter via mailop



On 07.02.24 14:20, Jaroslaw Rafa via mailop wrote:

> For outgoing, Google requires that you have DMARC record set up. So if you
> are sending anything to Google, you need that.


"If you send 5,000 messages a day or more..."

Regards,
Thomas Walter

--
Thomas Walter
Datenverarbeitungszentrale

FH Münster
- University of Applied Sciences -
Corrensstr. 25, Raum B 112
48149 Münster

Tel: +49 251 83 64 908
Fax: +49 251 83 64 910
www.fh-muenster.de/dvz/




Re: [mailop] problem setting up open-dmarc

2024-02-07 Thread Jaroslaw Rafa via mailop
On 6.02.2024 at 15:13:47 Michael Peddemors via mailop wrote:
> Some days.. it's like F* DMARC.. hehehe..
> 
> Anything that created a multi-million dollar industry of consultants
> on how to set up DMARC, well.. email should NOT be that difficult..
> 
> I still remember when email administrators didn't know how to set up
> DNS correctly.. (oh wait, some still do)
> 
> You went the path of SPF, and even went a step farther with DKIM.. I
> would not sweat DMARC yet.. (next it will be the rest of the ARC
> stuff)
> 
> I know, probably not a popular opinion on this list but.. IMHO
> 
> Unless you are a big budget email sender, don't stress too much.
> Maybe tomorrow we will need something like DMARC, but thankfully not
> yet today.

Are you talking about incoming or outgoing mail?

For outgoing, Google requires that you have DMARC record set up. So if you
are sending anything to Google, you need that.

For incoming, I agree, you don't have to bother with DMARC (In fact, I don't
check also SPF nor DKIM on incoming mail - DNSBL, manual blacklists and
content filtering are completely enough to filter out spam).


Re: [mailop] problem setting up open-dmarc

2024-02-07 Thread Taavi Eomäe via mailop
> Anything that created a multi-million dollar industry of consultants 
> on how to set up DMARC, well.. email should NOT be that difficult.. 

If you use even a relatively modern email stack then it's quite trivial 
through rspamd for example. Some have it (and more) even built-in, like 
Stalwart or Maddy.

> Unless you are a big budget email sender, don't stress too much.  Maybe 
> tomorrow we will need something like DMARC, but thankfully not yet today. 

You need it right now if you want to protect your communication against 
forgeries.







Re: [mailop] problem setting up open-dmarc

2024-02-07 Thread John Covici via mailop
OK, thanks.  I did this all because of problems sending to some places
managed by Google.

On Tue, 06 Feb 2024 18:12:14 -0500,
Alan Hodgson via mailop wrote:
> 
> On Tue, 2024-02-06 at 17:46 -0500, John Covici via mailop wrote:
> > Hi.  I am trying to make sure my mail server is properly
> > authenticated, and I have spf and dkim set up -- seemingly
> > correctly
> > -- but I am not sure about dmarc.  I have downloaded and installed
> > the
> > open-dmarc package and I have the text record I will have to put in
> > the zone,  but I don't know what to put in
> > /etc/openmarc/opendmarc.conf -- it's quite a large file and I am not
> > sure what I really need in it.
> 
> You don't need to do anything with opendmarc to send authenticated
> mail. It's used to check incoming email from other people.
> 



Re: [mailop] problem setting up open-dmarc

2024-02-07 Thread John Covici via mailop
Thanks a lot, I am using sendmail as my mta.

On Wed, 07 Feb 2024 00:39:41 -0500,
Randolf Richardson, Postmaster via mailop wrote:
> 
>   Which mail server software and OS are you using?  Are you receiving 
> some error messages (e.g., in syslog)?
> 
>   I'm using Postfix on Debian, and I'd be happy to try to help you get 
> things working no matter which software you're using.
> 
>   The OpenDMARC package supports running as a milter, which is 
> supported by most technologies.
> 
>   If you can use a UNIX Domain socket you'll get better performance, 
> but the permissions can be a bit of a challenge (which is why a lot 
> of administrators set it up to listen on 127.0.0.1 and use TCP 
> sockets instead -- I prefer UNIX Domain sockets because there's 
> slightly less overhead than with TCP, but overall there generally 
> won't really be a noticeable performance hit).
> 
>   For my installation, /etc/opendmarc.conf has roughly half-a-dozen 
> default settings, most of which I didn't need to alter.  Adding one 
> line to /etc/postfix/main.cf got it all working after I made sure the 
> permissions were where they needed to be for the UNIX Domain socket:
> 
>   smtpd_milters = unix:/var/run/opendmarc/opendmarc.sock
> 
>   This is the order that may be helpful to you that works well for me:
> 
>   smtpd_milters =
>     unix:/var/run/opendkim/opendkim.sock
>     unix:/var/run/opendmarc/opendmarc.sock
>     unix:/var/run/clamav/clamav-milter.ctl
> 
>   Feel free to share a comment-stripped copy of your opendmarc.conf 
> file here (and make sure you don't have any passwords in it; there 
> shouldn't be, but do check it first before attaching to be sure), and 
> I (and I'm sure other MailOp members as well) will be happy to help.
> 
> > Hi.  I am trying to make sure my mail server is properly
> > authenticated, and I have spf and dkim set up -- seemingly correctly
> > -- but I am not sure about dmarc.  I have downloaded and installed the
> > open-dmarc package and I have the text record I will have to put in
> > the zone,  but I don't know what to put in
> > /etc/openmarc/opendmarc.conf -- it's quite a large file and I am not
> > sure what I really need in it.
> > 
> > Thanks in advance for any suggestions.
> > 
> > -- 
> > Your life is like a penny.  You're going to lose it.  The question is:
> > How do
> > you spend it?
> > 
> >  John Covici wb2una
> >  cov...@ccs.covici.com
> 
> 
> -- 
> Postmaster - postmas...@inter-corporate.com
> Randolf Richardson, CNA - rand...@inter-corporate.com
> Inter-Corporate Computer & Network Services, Inc.
> Vancouver, Beautiful British Columbia, Canada
> https://www.inter-corporate.com/
> 
> 
> 

-- 
Your life is like a penny.  You're going to lose it.  The question is:
How do
you spend it?

 John Covici wb2una
 cov...@ccs.covici.com


Re: [mailop] problem setting up open-dmarc

2024-02-06 Thread Odhiambo Washington via mailop
On Wed, Feb 7, 2024 at 1:58 AM John Covici via mailop 
wrote:

> Hi.  I am trying to make sure my mail server is properly
> authenticated, and I have spf and dkim set up -- seemingly correctly
> -- but I am not sure about dmarc.  I have downloaded and installed the
> open-dmarc package and I have the text record I will have to put in
> the zone,  but I don't know what to put in
> /etc/openmarc/opendmarc.conf -- it's quite a large file and I am not
> sure what I really need in it.
>
> Thanks in advance for any suggestions.
>

Once you've published SPF and DKIM records in DNS and set up your MTA to
sign outbound emails, that should be enough.
You can find tools to help generate SPF, DKIM and DMARC records on this
page: https://easydmarc.com/tools/
The one additional thing you'll need to do depends on the MTA you use -
DKIM signing. Google can help you with that, or if you say what MTA you are
using, you'll be assisted by this group.

-- 
Best regards,
Odhiambo WASHINGTON,
Nairobi,KE
+254 7 3200 0004/+254 7 2274 3223
 In an Internet failure case, the #1 suspect is a constant: DNS.
"Oh, the cruft.", egrep -v '^$|^.*#' ¯\_(ツ)_/¯ :-)
[How to ask smart questions:
http://www.catb.org/~esr/faqs/smart-questions.html]


Re: [mailop] problem setting up open-dmarc

2024-02-06 Thread Alan Hodgson via mailop
On Tue, 2024-02-06 at 17:46 -0500, John Covici via mailop wrote:
> Hi.  I am trying to make sure my mail server is properly
> authenticated, and I have spf and dkim set up -- seemingly
> correctly
> -- but I am not sure about dmarc.  I have downloaded and installed
> the
> open-dmarc package and I have the text record I will have to put in
> the zone,  but I don't know what to put in
> /etc/openmarc/opendmarc.conf -- it's quite a large file and I am not
> sure what I really need in it.

You don't need to do anything with opendmarc to send authenticated
mail. It's used to check incoming email from other people.



Re: [mailop] problem setting up open-dmarc

2024-02-06 Thread Randolf Richardson, Postmaster via mailop
Which mail server software and OS are you using?  Are you receiving 
some error messages (e.g., in syslog)?

I'm using Postfix on Debian, and I'd be happy to try to help you get 
things working no matter which software you're using.

The OpenDMARC package supports running as a milter, which is 
supported by most technologies.

If you can use a UNIX Domain socket you'll get better performance, 
but the permissions can be a bit of a challenge (which is why a lot 
of administrators set it up to listen on 127.0.0.1 and use TCP 
sockets instead -- I prefer UNIX Domain sockets because there's 
slightly less overhead than with TCP, but overall there generally 
won't really be a noticeable performance hit).

For my installation, /etc/opendmarc.conf has roughly half-a-dozen 
default settings, most of which I didn't need to alter.  Adding one 
line to /etc/postfix/main.cf got it all working after I made sure the 
permissions were where they needed to be for the UNIX Domain socket:

smtpd_milters = unix:/var/run/opendmarc/opendmarc.sock

This is the order that may be helpful to you that works well for me:

smtpd_milters =
 unix:/var/run/opendkim/opendkim.sock
 unix:/var/run/opendmarc/opendmarc.sock
 unix:/var/run/clamav/clamav-milter.ctl

Feel free to share a comment-stripped copy of your opendmarc.conf 
file here (and make sure you don't have any passwords in it; there 
shouldn't be, but do check it first before attaching to be sure), and 
I (and I'm sure other MailOp members as well) will be happy to help.

> Hi.  I am trying to make sure my mail server is properly
> authenticated, and I have spf and dkim set up -- seemingly correctly
> -- but I am not sure about dmarc.  I have downloaded and installed the
> open-dmarc package and I have the text record I will have to put in
> the zone,  but I don't know what to put in
> /etc/openmarc/opendmarc.conf -- it's quite a large file and I am not
> sure what I really need in it.
> 
> Thanks in advance for any suggestions.
> 
> -- 
> Your life is like a penny.  You're going to lose it.  The question is:
> How do
> you spend it?
> 
>  John Covici wb2una
>  cov...@ccs.covici.com


-- 
Postmaster - postmas...@inter-corporate.com
Randolf Richardson, CNA - rand...@inter-corporate.com
Inter-Corporate Computer & Network Services, Inc.
Vancouver, Beautiful British Columbia, Canada
https://www.inter-corporate.com/




Re: [mailop] problem setting up open-dmarc

2024-02-06 Thread Michael Peddemors via mailop

Some days.. it's like F* DMARC.. hehehe..

Anything that created a multi-million dollar industry of consultants on 
how to set up DMARC, well.. email should NOT be that difficult..


I still remember when email administrators didn't know how to set up DNS 
correctly.. (oh wait, some still do)


You went the path of SPF, and even went a step farther with DKIM.. I 
would not sweat DMARC yet.. (next it will be the rest of the ARC stuff)


I know, probably not a popular opinion on this list but.. IMHO

Unless you are a big budget email sender, don't stress too much.  Maybe 
tomorrow we will need something like DMARC, but thankfully not yet today.



On 2024-02-06 14:46, John Covici via mailop wrote:

> Hi.  I am trying to make sure my mail server is properly
> authenticated, and I have spf and dkim set up -- seemingly correctly
> -- but I am not sure about dmarc.  I have downloaded and installed the
> open-dmarc package and I have the text record I will have to put in
> the zone,  but I don't know what to put in
> /etc/openmarc/opendmarc.conf -- it's quite a large file and I am not
> sure what I really need in it.
>
> Thanks in advance for any suggestions.




--
"Catch the Magic of Linux..."

Michael Peddemors, President/CEO LinuxMagic Inc.
Visit us at http://www.linuxmagic.com @linuxmagic
A Wizard IT Company - For More Info http://www.wizard.ca
"LinuxMagic" a Reg. TradeMark of Wizard Tower TechnoServices Ltd.

604-682-0300 Beautiful British Columbia, Canada



[mailop] problem setting up open-dmarc

2024-02-06 Thread John Covici via mailop
Hi.  I am trying to make sure my mail server is properly
authenticated, and I have spf and dkim set up -- seemingly correctly
-- but I am not sure about dmarc.  I have downloaded and installed the
open-dmarc package and I have the text record I will have to put in
the zone,  but I don't know what to put in
/etc/openmarc/opendmarc.conf -- it's quite a large file and I am not
sure what I really need in it.

Thanks in advance for any suggestions.

-- 
Your life is like a penny.  You're going to lose it.  The question is:
How do
you spend it?

 John Covici wb2una
 cov...@ccs.covici.com