Re: [dmarc-discuss] DMARC newbie, seems to work, so why this report?

2018-05-18 Thread Roland Turner via dmarc-discuss

Gerben,

Note that the HELO string is only ever processed for DMARC if MAIL FROM 
is <> and, even then, not all implementations process it at all (it's 
dependent upon the behaviour of the underlying SPF implementation).


The  tag is telling you that the return path is 
{something}@mail.mydomain.tld [1]


dumbledore.mydomain.tld tells you that the 
From: header contains {something}@dumbledore.mydomain.tld, not the HELO 
string or MAIL FROM domain.


Generally this means that the program that generated the message used 
this domain and your MTA simply passed it through.


- Roland

1: or the return path is <> and the HELO string is mail.mydomain.tld, 
and Yahoo!'s SPF implementation reports that to DMARC




On 18/05/18 21:39, Gerben Wierda via dmarc-discuss wrote:
I’m setting up DMARC for my mail server. I tried sending a mail to an 
account on the icloud.com domain (which reports DMARC) and there I see:

Received-Spf: pass (mr21p00im-spfmilter004.me.com: domain of 
myn...@mydomain.tld designates XXX.XXX.XXX.XXX as permitted sender) 
receiver=mr21p00im-spfmilter004.me.com; client-ip=XXX.XXX.XXX.XXX; 
helo=mail.mydomain.tld; envelope-from=myn...@mydomain.tld
X-Dmarc-Info: pass=pass; dmarc-policy=none; s=r1; d=r0
X-Dmarc-Policy: 
v=DMARC1;p=none;sp=quarantine;pct=100;rua=mailto:dm...@mydomain.tld,mailto:re+vghcolsq...@dmarc.postmarkapp.com
Received: from mr11p00im-smtpin012.mac.com ([17.110.69.200]) by 
ms20524.mac.com (Oracle Communications Messaging Server 
8.0.1.3.20170906 64bit (built Sep  6 2017)) with ESMTP id 
<0p8x00kcde2dm...@ms20524.mac.com> for myn...@icloud.com; 
Fri, 18 May 2018 13:13:25 + (GMT)
Received: from mail.mydomain.tld (mail.mydomain.tld [XXX.XXX.XXX.XXX]) 
by mr11p00im-smtpin012.me.com (Oracle Communications Messaging Server 
8.0.1.2.20170607 64bit (built Jun  7 2017)) with ESMTPS id 
<0p8x00h3ve2al...@mr11p00im-smtpin012.me.com> for myn...@icloud.com 
(ORCPT myn...@icloud.com); Fri, 18 May 2018 13:13:24 + (GMT)
Received: from localhost (localhost [127.0.0.1]) by mail.mydomain.tld 
(Postfix) with ESMTP id 57F0B261CB53 for ; Fri, 18 May 2018 15:13:21 +0200 (CEST)
Received: from mail.mydomain.tld ([127.0.0.1]) by localhost 
(dumbledore.mydomain.tld [127.0.0.1]) (amavisd-new, port 10024) with 
ESMTP id b6L6g5ttGPiH for ; Fri, 18 May 2018 15:13:19 +0200 (CEST)
Received: from [192.168.169.103] (d4b27fea.static.ziggozakelijk.nl 
[212.178.127.234]) by mail.mydomain.tld (Postfix) with ESMTPSA id 
057A3261CB45 for ; Fri, 18 May 2018 15:13:18 +0200 (CEST)


But I also got an aggregate report from Yahoo that suggests something 
is wrong:





Yahoo! Inc.
postmas...@dmarc.yahoo.com 


1526605741.475970

1526515200
1526601599 



mydomain.tld
r
r
none
100



XXX.XXX.XXX.XXX
1

quarantine
fail
fail



dumbledore.mydomain.tld




neutral


mail.mydomain.tld
none





This seems to suggest that Yahoo received an email from my MTA at IP 
address XXX.XXX.XXX.XXX (which is the correct IP of mail.mydomain.tld) 
but the header was dumbledore.mydomain.tld. Is that correct? That is 
weird, because my mail server is set to use 'helo mail.mydomain.tld'. 
So, apparently, it seems some program on my server is trying to send 
mail to a yahoo MTA bypassing my mail server, correct? If so, it is an 
unexpected catch. But I need to know if it is correct.


Thanks in advance

Gerben


___
dmarc-discuss mailing list
dmarc-discuss@dmarc.org
http://www.dmarc.org/mailman/listinfo/dmarc-discuss

NOTE: Participating in this list means you agree to the DMARC Note Well terms 
(http://www.dmarc.org/note_well.html)




Re: [dmarc-discuss] DMARC newbie, seems to work, so why this report?

2018-05-18 Thread Vladimir Dubrovin via dmarc-discuss

Hello,

Most probably, the message received by Yahoo is an NDR or DSN message
generated by your host. In this case, the envelope-from address is empty and
SPF is checked against HELO:

      
        mail.mydomain.tld
        none
      

From: probably has something like

From: mailer-dae...@dumbledore.mydomain.tld.

RFC 7208 requires you to place an SPF record for the domain used in HELO
exactly for this case. Adding

mail.mydomain.tld. TXT "v=spf1 a -all"

will fix the issue.

18.05.2018 16:39, Gerben Wierda via dmarc-discuss wrote:
> I’m setting up DMARC for my mail server. I tried sending a mail to an
> account on the icloud.com domain (which reports DMARC) and there I see:
>
> Received-Spf: pass (mr21p00im-spfmilter004.me.com: domain of
> myn...@mydomain.tld designates XXX.XXX.XXX.XXX as permitted sender)
> receiver=mr21p00im-spfmilter004.me.com; client-ip=XXX.XXX.XXX.XXX;
> helo=mail.mydomain.tld; envelope-from=myn...@mydomain.tld
> X-Dmarc-Info: pass=pass; dmarc-policy=none; s=r1; d=r0
> X-Dmarc-Policy:
> v=DMARC1;p=none;sp=quarantine;pct=100;rua=mailto:dm...@mydomain.tld,mailto:re+vghcolsq...@dmarc.postmarkapp.com
> Received: from mr11p00im-smtpin012.mac.com ([17.110.69.200]) by
> ms20524.mac.com (Oracle Communications Messaging Server
> 8.0.1.3.20170906 64bit (built Sep  6 2017)) with ESMTP id
> <0p8x00kcde2dm...@ms20524.mac.com> for myn...@icloud.com;
> Fri, 18 May 2018 13:13:25 + (GMT)
> Received: from mail.mydomain.tld (mail.mydomain.tld [XXX.XXX.XXX.XXX])
> by mr11p00im-smtpin012.me.com (Oracle Communications Messaging Server
> 8.0.1.2.20170607 64bit (built Jun  7 2017)) with ESMTPS id
> <0p8x00h3ve2al...@mr11p00im-smtpin012.me.com> for myn...@icloud.com
> (ORCPT myn...@icloud.com); Fri, 18 May 2018 13:13:24 + (GMT)
> Received: from localhost (localhost [127.0.0.1]) by mail.mydomain.tld
> (Postfix) with ESMTP id 57F0B261CB53 for ; Fri, 18 May 2018 15:13:21 +0200 (CEST)
> Received: from mail.mydomain.tld ([127.0.0.1]) by localhost
> (dumbledore.mydomain.tld [127.0.0.1]) (amavisd-new, port 10024) with
> ESMTP id b6L6g5ttGPiH for ; Fri, 18 May 2018 15:13:19 +0200 (CEST)
> Received: from [192.168.169.103] (d4b27fea.static.ziggozakelijk.nl
> [212.178.127.234]) by mail.mydomain.tld (Postfix) with ESMTPSA id
> 057A3261CB45 for ; Fri, 18 May 2018 15:13:18 +0200 (CEST)
>
> But I also got an aggregate report from Yahoo that suggests something
> is wrong:
>
> 
> 
>   
>     Yahoo! Inc.
>     postmas...@dmarc.yahoo.com
> 
>     1526605741.475970
>     
>       1526515200
>       1526601599 
>     
>   
>   
>     mydomain.tld
>     r
>     r
>     none
>     100
>   
>   
>     
>       XXX.XXX.XXX.XXX
>       1
>       
>         quarantine
>         fail
>         fail
>       
>     
>     
>       dumbledore.mydomain.tld
>     
>     
>       
>         
>         neutral
>       
>       
>         mail.mydomain.tld
>         none
>       
>     
>   
> 
>
> This seems to suggest that Yahoo received an email from my MTA at IP
> address XXX.XXX.XXX.XXX (which is the correct IP of mail.mydomain.tld)
> but the header was dumbledore.mydomain.tld. Is that correct? That is
> weird, because my mail server is set to use 'helo mail.mydomain.tld'.
> So, apparently, it seems some program on my server is trying to send
> mail to a yahoo MTA bypassing my mail server, correct? If so, it is an
> unexpected catch. But I need to know if it is correct.
>
> Thanks in advance
>
> Gerben
>
>


-- 
Vladimir Dubrovin
@Mail.Ru
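
The diagnosis given in the two replies above, as an added example that is not part of the thread: a short Python reader for one aggregate-report record that shows which identifier each result refers to and why the record fails DMARC. The XML is constructed from the values in the report using the RFC 7489 element names (the archive stripped the original tags), 192.0.2.10 stands in for the masked IP, and treating the policy domain as the organizational domain is an assumption.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the thread's values inside RFC 7489 element names
# (the archive stripped the tags); 192.0.2.10 stands in for the masked IP.
REPORT = """<feedback>
 <policy_published><domain>mydomain.tld</domain><adkim>r</adkim>
  <aspf>r</aspf><p>none</p><pct>100</pct></policy_published>
 <record>
  <row><source_ip>192.0.2.10</source_ip><count>1</count>
   <policy_evaluated><disposition>quarantine</disposition>
    <dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
  <identifiers><header_from>dumbledore.mydomain.tld</header_from></identifiers>
  <auth_results>
   <dkim><domain></domain><result>neutral</result></dkim>
   <spf><domain>mail.mydomain.tld</domain><result>none</result></spf>
  </auth_results></record></feedback>"""

def aligned(auth_domain, header_from, org, mode):
    # Assumption: org (the policy domain) is the organizational domain;
    # a real evaluator derives it from the Public Suffix List.
    a, h = auth_domain.lower().rstrip("."), header_from.lower().rstrip(".")
    if mode == "s":                          # strict: exact match only
        return bool(a) and a == h
    under = lambda d: d == org or d.endswith("." + org)
    return bool(a) and under(a) and under(h)  # relaxed: same org domain

def text(node, path, default=""):
    return (node.findtext(path) or default).strip()

def diagnose(xml_text):
    root = ET.fromstring(xml_text)
    pol = root.find("policy_published")
    org = text(pol, "domain").lower()
    rows = []
    for rec in root.iter("record"):
        hfrom = text(rec, "identifiers/header_from")   # the From: header domain
        spf_dom = text(rec, "auth_results/spf/domain")  # MAIL FROM or HELO domain
        spf_res = text(rec, "auth_results/spf/result")
        spf_al = aligned(spf_dom, hfrom, org, text(pol, "aspf", "r"))
        dkim_ok = any(text(d, "result") == "pass" and
                      aligned(text(d, "domain"), hfrom, org, text(pol, "adkim", "r"))
                      for d in rec.findall("auth_results/dkim"))
        rows.append({
            "header_from": hfrom,
            "policy_tag": "p" if hfrom.lower() == org else "sp",
            "spf_domain": spf_dom, "spf_result": spf_res, "spf_aligned": spf_al,
            "dmarc_pass": dkim_ok or (spf_res == "pass" and spf_al),
            "hint": f"no SPF record found for {spf_dom}" if spf_res == "none" else "",
        })
    return rows
```

For the record in this thread the SPF domain is aligned with the From: domain but its result is "none", so the subdomain policy (sp=quarantine in the X-Dmarc-Policy header quoted above) is what gets applied.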


[dmarc-discuss] DMARC newbie, seems to work, so why this report?

2018-05-18 Thread Gerben Wierda via dmarc-discuss
I’m setting up DMARC for my mail server. I tried sending a mail to an account 
on the icloud.com domain (which reports DMARC) and there I see:

Received-Spf: pass (mr21p00im-spfmilter004.me.com: domain of 
myn...@mydomain.tld designates XXX.XXX.XXX.XXX as permitted sender) 
receiver=mr21p00im-spfmilter004.me.com; client-ip=XXX.XXX.XXX.XXX; 
helo=mail.mydomain.tld; envelope-from=myn...@mydomain.tld
X-Dmarc-Info: pass=pass; dmarc-policy=none; s=r1; d=r0
X-Dmarc-Policy: 
v=DMARC1;p=none;sp=quarantine;pct=100;rua=mailto:dm...@mydomain.tld,mailto:re+vghcolsq...@dmarc.postmarkapp.com
Received: from mr11p00im-smtpin012.mac.com ([17.110.69.200]) by ms20524.mac.com 
(Oracle Communications Messaging Server 8.0.1.3.20170906 64bit (built Sep  6 
2017)) with ESMTP id <0p8x00kcde2dm...@ms20524.mac.com> for myn...@icloud.com; 
Fri, 18 May 2018 13:13:25 + (GMT)
Received: from mail.mydomain.tld (mail.mydomain.tld [XXX.XXX.XXX.XXX]) by 
mr11p00im-smtpin012.me.com (Oracle Communications Messaging Server 
8.0.1.2.20170607 64bit (built Jun  7 2017)) with ESMTPS id 
<0p8x00h3ve2al...@mr11p00im-smtpin012.me.com> for myn...@icloud.com (ORCPT 
myn...@icloud.com); Fri, 18 May 2018 13:13:24 + (GMT)
Received: from localhost (localhost [127.0.0.1])by mail.mydomain.tld 
(Postfix) with ESMTP id 57F0B261CB53   for ; Fri, 18 May 
2018 15:13:21 +0200 (CEST)
Received: from mail.mydomain.tld ([127.0.0.1]) by localhost 
(dumbledore.mydomain.tld [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 
b6L6g5ttGPiH for ; Fri, 18 May 2018 15:13:19 +0200 (CEST)
Received: from [192.168.169.103] (d4b27fea.static.ziggozakelijk.nl 
[212.178.127.234])   by mail.mydomain.tld (Postfix) with ESMTPSA id 
057A3261CB45 for ; Fri, 18 May 2018 15:13:18 +0200 (CEST)

But I also got an aggregate report from Yahoo that suggests something is wrong:

   
  
   
Yahoo! Inc.
postmas...@dmarc.yahoo.com   
1526605741.475970

  1526515200 
  1526601599 
   
  
  
mydomain.tld   
r
r  
none 
100  
 

   
  XXX.XXX.XXX.XXX
  1  
  
quarantine   
fail   
fail 
 
  
   
  dumbledore.mydomain.tld
  
  
  
   
neutral
 
   
mail.mydomain.tld  
none   
  
 
   
 

This seems to suggest that Yahoo received an email from my MTA at IP address 
XXX.XXX.XXX.XXX (which is the correct IP of mail.mydomain.tld) but the header 
was dumbledore.mydomain.tld. Is that correct? That is weird, because my mail 
server is set to use 'helo mail.mydomain.tld'. So, apparently, it seems some 
program on my server is trying to send mail to a yahoo MTA bypassing my mail 
server, correct? If so, it is an unexpected catch. But I need to know if it is 
correct.

Thanks in advance

Gerben