Re: [dmarc-discuss] A bit quiet?

2016-10-26 Thread Roland Turner via dmarc-discuss 
Payne, John wrote:


> Yeah, but why are they showing up in _my_ DMARC reports?
...
> Domain  MAIL FROM   DKIM domain SPF AuthDKIM Auth   Total
> akamai.com 
> oppa.com.br
>  
> oppa-com-br.20150623.gappssmtp.com
>  Pass  Pass237

oppa.com.br has a syntactically invalid SPF record, so it's odd that it's 
passing at all. You didn't show which IP address the reporter saw this stream 
coming from: were they forwarded in your environment with their DKIM signatures 
intact?

- Roland
___
dmarc-discuss mailing list
dmarc-discuss@dmarc.org
http://www.dmarc.org/mailman/listinfo/dmarc-discuss

NOTE: Participating in this list means you agree to the DMARC Note Well terms 
(http://www.dmarc.org/note_well.html)

Re: [dmarc-discuss] mkdb.mysql or schema.mysql?

2016-10-26 Thread Juri Haberland via dmarc-discuss 
On 26.10.2016 21:29, Niklaas Baudet von Gersdorff via dmarc-discuss wrote:
> OpenDMARC, as distributed by FreeBSD, comes with two files for
> creating a database for reporting: mkdb.mysql and schema.mysql.
> Which one should I use?
> 
> I think about using the former because it seems to be newer
> (copyright is from 2013 vs. 2010), but I'm wondering why the
> older one is packaged too.

Hi Niklaas,

very good question, but it would be better asked on the opendmarc-users or
opendmarc-dev mailing list, not on the generic DMARC mailing list ;)

Currently I have no real answer, but I'll look into it.

  Juri

___
dmarc-discuss mailing list
dmarc-discuss@dmarc.org
http://www.dmarc.org/mailman/listinfo/dmarc-discuss

NOTE: Participating in this list means you agree to the DMARC Note Well terms 
(http://www.dmarc.org/note_well.html)

[dmarc-discuss] mkdb.mysql or schema.mysql?

2016-10-26 Thread Niklaas Baudet von Gersdorff via dmarc-discuss 
OpenDMARC, as distributed by FreeBSD, comes with two files for
creating a database for reporting: mkdb.mysql and schema.mysql.
Which one should I use?

I think about using the former because it seems to be newer
(copyright is from 2013 vs. 2010), but I'm wondering why the
older one is packaged too.

Thank you for your help.

Niklaas
___
dmarc-discuss mailing list
dmarc-discuss@dmarc.org
http://www.dmarc.org/mailman/listinfo/dmarc-discuss

NOTE: Participating in this list means you agree to the DMARC Note Well terms 
(http://www.dmarc.org/note_well.html)

Re: [dmarc-discuss] A bit quiet?

2016-10-26 Thread Payne, John via dmarc-discuss 


On Oct 26, 2016, at 11:36 AM, Franck Martin 
> wrote:

Couple of points...

1) 
https://github.com/linkedin/dmarc-msys/blob/master/dmarc.lua#L804
This is how we detect if the email is likely to be from a mailing list. I parse 
the logs from time to time, and put exceptions in our local policy.

Awesome. I don't have a good place in our mail flow to put something like this, 
but it certainly seems like a feature request to my partners :)



2) very few lists discard DMARC protected emails on reception. So as long you 
don't post too often, you are not triggering the unsubscribe due to bounce 
function in mailman...

It's not the list discarding DMARC, I accidentally enabled enforcement inbound, 
and bounced a bunch of mail from a Google employee through an IETF mailing 
list. It's whether the ultimate recipients reject the mail as to whether or not 
we'll get unsubscribed.


3) we tell our employees to use personnal email addresses for mailing lists... 
It makes sure they are not speaking on our behalf ;)

For non-work related lists, this is fine and the way we'll likely go. For 
things that are directly work related this isn't a reasonable option for us.



4) GApps DKIM signs all the emails with 
.gappssmtp.com
 until said customer DKIM signs with its own domain (because they want all 
emails to be authenticated).

Yeah, but why are they showing up in _my_ DMARC reports?




On Tue, Oct 25, 2016 at 1:14 PM, Payne, John via dmarc-discuss 
> wrote:

> On Sep 27, 2016, at 12:23 PM, Terry Zink via dmarc-discuss 
> > wrote:
>
>> Somewhat related (to my earlier post) - are there any _enterprises_ on this 
>> list that have
>> experience or are currently attempting to either go p=reject or enforce 
>> DMARC policies inbound?
>
> I just wrote one for Microsoft: 
> https://blogs.msdn.microsoft.com/tzink/2016/09/27/how-we-moved-microsoft-com-to-a-pquarantine-dmarc-record/

This is the blog post I wanted to write :)  I'm just behind on getting to 
p=quarantine.

There are 2 things slowing me down:

1. As I just replied to Franck - enforcing inbound (which is my primary goal) - 
I need to handle mailing lists (and I don't want to wait for ARC adoption).   
So I have to figure out all the mailing lists my users are posting to so I can 
whitelist those IPs coming back unless anyone wants to share a list? :)

2. Google seems to report itself as a DMARC failing sender for unrelated 
domains to me.  This really started in earnest in March, but I'm getting 
40k-60k what seem like unrelated reports a day, for example:


Domain  MAIL FROM   DKIM domain SPF AuthDKIM Auth   Total
akamai.com 
oppa.com.br
 
oppa-com-br.20150623.gappssmtp.com
 Pass  Pass237

So that's killing my confidence on publishing p=quarantine (I can fake one 
inbound).  Are others seeing this, or am I a special snowflake?



Thanks
John
___
dmarc-discuss mailing list
dmarc-discuss@dmarc.org
http://www.dmarc.org/mailman/listinfo/dmarc-discuss

NOTE: Participating in this list means you agree to the DMARC Note Well terms

Re: [dmarc-discuss] A bit quiet?

2016-10-26 Thread Franck Martin via dmarc-discuss 
Couple of points...

1) https://github.com/linkedin/dmarc-msys/blob/master/dmarc.lua#L804
This is how we detect if the email is likely to be from a mailing list. I
parse the logs from time to time, and put exceptions in our local policy.

2) very few lists discard DMARC protected emails on reception. So as long
you don't post too often, you are not triggering the unsubscribe due to
bounce function in mailman...

3) we tell our employees to use personnal email addresses for mailing
lists... It makes sure they are not speaking on our behalf ;)

4) GApps DKIM signs all the emails with .gappssmtp.com
until said customer DKIM signs with its own domain (because they want all
emails to be authenticated).



On Tue, Oct 25, 2016 at 1:14 PM, Payne, John via dmarc-discuss <
dmarc-discuss@dmarc.org> wrote:

>
> > On Sep 27, 2016, at 12:23 PM, Terry Zink via dmarc-discuss <
> dmarc-discuss@dmarc.org> wrote:
> >
> >> Somewhat related (to my earlier post) - are there any _enterprises_ on
> this list that have
> >> experience or are currently attempting to either go p=reject or enforce
> DMARC policies inbound?
> >
> > I just wrote one for Microsoft: https://blogs.msdn.microsoft.
> com/tzink/2016/09/27/how-we-moved-microsoft-com-to-a-
> pquarantine-dmarc-record/
>
> This is the blog post I wanted to write :)  I’m just behind on getting to
> p=quarantine.
>
> There are 2 things slowing me down:
>
> 1. As I just replied to Franck - enforcing inbound (which is my primary
> goal) - I need to handle mailing lists (and I don’t want to wait for ARC
> adoption).   So I have to figure out all the mailing lists my users are
> posting to so I can whitelist those IPs coming back unless anyone wants to
> share a list? :)
>
> 2. Google seems to report itself as a DMARC failing sender for unrelated
> domains to me.  This really started in earnest in March, but I’m getting
> 40k-60k what seem like unrelated reports a day, for example:
>
>
> Domain  MAIL FROM   DKIM domain SPF AuthDKIM Auth
>  Total
> akamai.com oppa.com.br oppa-com-br.20150623.gappssmtp.com Pass  Pass
> 237
>
> So that’s killing my confidence on publishing p=quarantine (I can fake one
> inbound).  Are others seeing this, or am I a special snowflake?
>
>
>
> Thanks
> John
> ___
> dmarc-discuss mailing list
> dmarc-discuss@dmarc.org
> http://www.dmarc.org/mailman/listinfo/dmarc-discuss
>
> NOTE: Participating in this list means you agree to the DMARC Note Well
> terms (http://www.dmarc.org/note_well.html)
>
___
dmarc-discuss mailing list
dmarc-discuss@dmarc.org
http://www.dmarc.org/mailman/listinfo/dmarc-discuss

NOTE: Participating in this list means you agree to the DMARC Note Well terms 
(http://www.dmarc.org/note_well.html)