Re: [dmarc-discuss] please clarify

[A. Schulze via dmarc-discuss]

Roland Turner via dmarc-discuss:

That question has rather a large answer, parts of which span a  
decade of work on email authentication. It might perhaps be simpler  
to address the situation that's concerning you. Are you facing a  
specific situation for which this creates a problem?


Roland,

I do not have a specific problem. There was only a discussion on  
spamassassin-users ml about dmarc...

Thanks for your time :-)

Andreas

___
dmarc-discuss mailing list
dmarc-discuss@dmarc.org
http://www.dmarc.org/mailman/listinfo/dmarc-discuss

NOTE: Participating in this list means you agree to the DMARC Note Well terms 
(http://www.dmarc.org/note_well.html)

Re: [dmarc-discuss] please clarify

[Roland Turner via dmarc-discuss]

Andreas Schulze wrote:

> Roland Turner via dmarc-discuss:
>
>> Yes. In all of the cases above, the Organizational Domain for both
>> RFC5322.From and the DKIM/SPF authentication is example.com,
>> consequently they match in relaxed mode. The same would be true for:
>>
>> - RFC5322.From: a.example.com
>> - DKIM or SPF authentication identifier: b.example.com
>>
>> Consideration 10.4 is exactly about what happens when independent
>> and/or potentially hostile parties have control of sub-domains.
>
> Thanks. That was new to me.
> Why was DMARC defined in that way?

That question has rather a large answer, parts of which span a decade of work 
on email authentication. It might perhaps be simpler to address the situation 
that's concerning you. Are you facing a specific situation for which this 
creates a problem?

- Roland

___
dmarc-discuss mailing list
dmarc-discuss@dmarc.org
http://www.dmarc.org/mailman/listinfo/dmarc-discuss

NOTE: Participating in this list means you agree to the DMARC Note Well terms 
(http://www.dmarc.org/note_well.html)

Re: [dmarc-discuss] please clarify

[Roland Turner via dmarc-discuss]

Andreas Schulze wrote:

> Roland Turner via dmarc-discuss:
>
>> Yes. In all of the cases above, the Organizational Domain for both
>> RFC5322.From and the DKIM/SPF authentication is example.com,
>> consequently they match in relaxed mode. The same would be true for:
>>
>> - RFC5322.From: a.example.com
>> - DKIM or SPF authentication identifier: b.example.com
>>
>> Consideration 10.4 is exactly about what happens when independent
>> and/or potentially hostile parties have control of sub-domains.
>
> Thanks. That was new to me.
> Why was DMARC defined in that way?

That question has rather a large answer, parts of which span a decade of work 
on email authentication. It might perhaps be simpler to address the situation 
that's concerning you. Are you facing a specific situation for which this 
creates a problem?

- Roland

___
dmarc-discuss mailing list
dmarc-discuss@dmarc.org
http://www.dmarc.org/mailman/listinfo/dmarc-discuss

NOTE: Participating in this list means you agree to the DMARC Note Well terms 
(http://www.dmarc.org/note_well.html)

Re: [dmarc-discuss] please clarify

[A. Schulze via dmarc-discuss]

Roland Turner via dmarc-discuss:

Yes. In all of the cases above, the Organizational Domain for both  
RFC5322.From and the DKIM/SPF authentication is example.com,  
consequently they match in relaxed mode. The same would be true for:


- RFC5322.From: a.example.com
- DKIM or SPF authentication identifier: b.example.com

Consideration 10.4 is exactly about what happens when independent  
and/or potentially hostile parties have control of sub-domains.


Thanks. That was new to me.
Why was DMARC defined in that way?

Andreas

___
dmarc-discuss mailing list
dmarc-discuss@dmarc.org
http://www.dmarc.org/mailman/listinfo/dmarc-discuss

NOTE: Participating in this list means you agree to the DMARC Note Well terms 
(http://www.dmarc.org/note_well.html)

Re: [dmarc-discuss] please clarify

[Roland Turner via dmarc-discuss]

A. Schulze wrote:

> I have a question about DMARC alignments.
>
> the usual case:
>  - RFC5322.From: sub.example.com
>  - DKIM or SPF authentication identifier: example.com
>
> -> this is aligned in relax mode.
>
> But:
>  - RFC5322.From: example.com
>  - DKIM or SPF authentication identifier: sub.example.com
>
> Is this a relax alignment?
> At least https://tools.ietf.org/html/rfc7489#section-10.4 suggest it is.

Yes. In all of the cases above, the Organizational Domain for both RFC5322.From 
and the DKIM/SPF authentication is example.com, consequently they match in 
relaxed mode. The same would be true for:

- RFC5322.From: a.example.com
- DKIM or SPF authentication identifier: b.example.com

Consideration 10.4 is exactly about what happens when independent and/or 
potentially hostile parties have control of sub-domains.

- Roland
___
dmarc-discuss mailing list
dmarc-discuss@dmarc.org
http://www.dmarc.org/mailman/listinfo/dmarc-discuss

NOTE: Participating in this list means you agree to the DMARC Note Well terms 
(http://www.dmarc.org/note_well.html)

[dmarc-discuss] please clarify

[A. Schulze via dmarc-discuss]

Hello,



I have a question about DMARC alignments.

the usual case:
 - RFC5322.From: sub.example.com
 - DKIM or SPF authentication identifier: example.com

-> this is aligned in relax mode.

But:
 - RFC5322.From: example.com
 - DKIM or SPF authentication identifier: sub.example.com

Is this a relax alignment?
At least https://tools.ietf.org/html/rfc7489#section-10.4 suggest it is.

Thanks,
Andreas


___
dmarc-discuss mailing list
dmarc-discuss@dmarc.org
http://www.dmarc.org/mailman/listinfo/dmarc-discuss

NOTE: Participating in this list means you agree to the DMARC Note Well terms 
(http://www.dmarc.org/note_well.html)

Re: [dmarc-discuss] Multiple SPF results in report

[Michiel van de Vis via dmarc-discuss]

Based on the data we receive at DMARCanalyzer.com we see that the source
for these 'multiple SPF record' reports is mostly Microsoft.

About 98.5% of these records are from Microsoft. The other 1.5% is from
126.com/163.com/yeah.net.

Regards,

Michiel
DMARCanalyzer.com




2016-04-04 19:03 GMT+02:00 Lugo, Dave via dmarc-discuss <
dmarc-discuss@dmarc.org>:

> Thanks, I see a need to familiarize myself with 7208…
>
> --
> Dave Lugo
> Engineer, Comcast Anti-Abuse Technologies
> Desk: 215-286-5451
>
>
> From: Franck Martin 
> Date: Monday, April 4, 2016 at 1:00 PM
> To: Dave Lugo 
> Cc: DMARC Discussion List 
>
> Subject: Re: [dmarc-discuss] Multiple SPF results in report
>
> The question, is what is the RFC5321.mailfrom is empty? The
> RFC7208.MAILFROM is never empty.
>
> https://tools.ietf.org/html/rfc7208#section-2.4
>
> SPF verifiers MUST check the "MAIL FROM" identity if a "HELO" check
>either has not been performed or has not reached a definitive policy
>result by applying the check_host() function to the "MAIL FROM"
>identity as the .
>
>[RFC5321] allows the reverse-path to be null (see Section 4.5.5 in
>[RFC5321] ).  In this 
> case, there is no explicit sender mailbox, and
>such a message can be assumed to be a notification message from the
>mail system itself.  When the reverse-path is null, this document
>defines the "MAIL FROM" identity to be the mailbox composed of the
>local-part "postmaster" and the "HELO" identity (which might or might
>not have been checked separately before).
>
>
>
> On Mon, Apr 4, 2016 at 8:59 AM, Lugo, Dave via dmarc-discuss <
> dmarc-discuss@dmarc.org> wrote:
>
>> Franck,
>>
>> What if the RFC7208.MAILFROM is empty?  I recall some questions from
>> colleagues re dmarc reporting and the spf scope (help or mailfrom).
>>
>> Thanks,
>>
>> Dave
>>
>> --
>> Dave Lugo
>> Engineer, Comcast Anti-Abuse Technologies
>> Desk: 215-286-5451
>>
>>
>> From: dmarc-discuss  on behalf of
>> Franck Martin via dmarc-discuss 
>> Reply-To: Franck Martin 
>> Date: Monday, April 4, 2016 at 11:51 AM
>> To: Maarten Oelering 
>> Cc: "n...@graafhenk.nl" , DMARC Discussion List <
>> dmarc-discuss@dmarc.org>
>> Subject: Re: [dmarc-discuss] Multiple SPF results in report
>>
>> It is a bug.
>>
>> There can only be one SPF per record. Theoretically SPF returns 2
>> results, one for the RFC7208.HELO and another one for RFC7208.MAILFROM, but
>> DMARC takes as input only RFC7208.MAILFROM, therefore only this results is
>> needed in DMARC reports.
>>
>> RFC7208.MAILFROM is not RFC5321.MailFrom, there is a subtle but important
>> difference here.
>>
>> On Mon, Apr 4, 2016 at 12:23 AM, Maarten Oelering via dmarc-discuss <
>> dmarc-discuss@dmarc.org> wrote:
>>
>>> Do you mean that in the XML you see 6  elements in one
>>>  element? Or do you mean you see 6 different  domains in
>>> the your reports?
>>>
>>> Maarten Oelering
>>> Postmastery
>>>
>>> On 4 apr. 2016, at 09:05, Nick via dmarc-discuss <
>>> dmarc-discuss@dmarc.org> wrote:
>>>
>>> I received a DMARC report with multiple SPF results. I wonder how this
>>> is possible as I only have one SPF record for my domain defined. In one
>>> report I got 6 SPF results.
>>>
>>> The only thing I could think of is some automatic forwarding service
>>> changing the return path header. Are there more usecases possible how this
>>> can happen?
>>>
>>> Thanks
>>> Nick
>>> ___
>>> dmarc-discuss mailing list
>>> dmarc-discuss@dmarc.org
>>> http://www.dmarc.org/mailman/listinfo/dmarc-discuss
>>>
>>> NOTE: Participating in this list means you agree to the DMARC Note Well
>>> terms (http://www.dmarc.org/note_well.html)
>>>
>>>
>>>
>>> ___
>>> dmarc-discuss mailing list
>>> dmarc-discuss@dmarc.org
>>> http://www.dmarc.org/mailman/listinfo/dmarc-discuss
>>>
>>> NOTE: Participating in this list means you agree to the DMARC Note Well
>>> terms (http://www.dmarc.org/note_well.html)
>>>
>>
>>
>> ___
>> dmarc-discuss mailing list
>> dmarc-discuss@dmarc.org
>> http://www.dmarc.org/mailman/listinfo/dmarc-discuss
>>
>> NOTE: Participating in this list means you agree to the DMARC Note Well
>> terms (http://www.dmarc.org/note_well.html)
>>
>
>
> ___
> dmarc-discuss mailing list
> dmarc-discuss@dmarc.org
> http://www.dmarc.org/mailman/listinfo/dmarc-discuss
>
> NOTE: Participating in this list means you agree to the DMARC Note Well
> terms (http://www.dmarc.org/note_well.html)
>
___
dmarc-discuss mailing list
dmarc-discuss@dmarc.org
http://www.dmarc.org/mailman/listinfo/dmarc-discuss