Re: [dmarc-discuss] Getting to reject, was :Re: FortiNet’s FortiMail DMARC implementation

2016-11-14 Thread John Levine via dmarc-discuss
>p= none is not just because people don't care. What he said. p=none lets you collect reports and decide what to do. In my case, the reports have told me that for all but one of the domains I manage*, nobody is forging them enough to be worth further DMARC pain. I would suggest a note saying

Re: [dmarc-discuss] FortiNet’s FortiMail DMARC implementation

2016-11-14 Thread Roland Turner via dmarc-discuss
Petr Novák wrote: > I wonder what do you guys think about it's DMARC implementation. If you > enable DMARC check in FortiMail it rejects(or performs other configured > action) any mail that fails DMARC check no matter what policy source > domain has configured. So it also rejects mails from

Re: [dmarc-discuss] FortiNet’s FortiMail DMARC implementation

2016-11-14 Thread Petr Novák via dmarc-discuss
Dne 14.11.2016 v 20:24 Steven M Jones via dmarc-discuss napsal(a): If the option were there to make those overrides I'd be more supportive, but it didn't sound like that was the case with this particular product/service. If somebody with access could clarify, I'd appreciate it. Yes this is

Re: [dmarc-discuss] Getting to reject, was :Re: FortiNet’s FortiMail DMARC implementation

2016-11-14 Thread Phil Stracchino via dmarc-discuss
On 11/14/16 14:53, Scott Kitterman via dmarc-discuss wrote: > It's also essentially impossible if you make non-trivial use of > mailing lists. Even though I've has SPF -all records for over a > decade and encourage people to reject mail purporting to be from my > domains that fail SPF, I am no

[dmarc-discuss] Getting to reject, was :Re: FortiNet’s FortiMail DMARC implementation

2016-11-14 Thread Scott Kitterman via dmarc-discuss
On November 14, 2016 2:42:42 PM EST, Terry Zink via dmarc-discuss wrote: >> Well, DMARC addresses one particular vector - we still need to find >more effective ways >> to address cousin domains, display name abuse, etc. > >I didn't mean cousin domains, I mean domains

Re: [dmarc-discuss] FortiNet’s FortiMail DMARC implementation

2016-11-14 Thread Steven M Jones via dmarc-discuss
On 11/14/2016 10:33, Terry Zink via dmarc-discuss wrote: > In my experience, domains sit on p=none for a long time, and in the meantime > a lot of other senders send email as them - most legitimate but some > malicious. This setting is designed to catch the malicious. Maybe I need to make that

Re: [dmarc-discuss] FortiNet’s FortiMail DMARC implementation

2016-11-14 Thread Terry Zink via dmarc-discuss
It's almost definitely an anti-phishing setting. In my experience, domains sit on p=none for a long time, and in the meantime a lot of other senders send email as them - most legitimate but some malicious. This setting is designed to catch the malicious. So, either (a) you rely upon DMARC

Re: [dmarc-discuss] FortiNet’s FortiMail DMARC implementation

2016-11-14 Thread Steven M Jones via dmarc-discuss
On 11/14/2016 06:49, Petr Novák via dmarc-discuss wrote: > > If you enable DMARC check in FortiMail it rejects(or performs other > configured action) any mail that fails DMARC check no matter what > policy source domain has configured. So it also rejects mails from > domains that have policy

Re: [dmarc-discuss] FortiNet’s FortiMail DMARC implementation

2016-11-14 Thread Payne, John via dmarc-discuss
> On Nov 14, 2016, at 9:49 AM, Petr Novák via dmarc-discuss > wrote: > > Hello, > > I saw that FortiNet's FortiMail is listed as a product that has a DMARC > support here: "https://dmarc.org/resources/products-and-services/; . > > I wonder what do you guys think