Re: [dmarc-discuss] DMARC fails for "on behalf of" messages

DKIM only checks signature integrity, it does not check who signs the message. Any valid DKIM signature with any correctly published DKIM selector/key passes DKIM validation if signed content is not altered. You can also consider signing message with both senderdomain.aaa and fromdomain.bbb.

Re: [dmarc-discuss] DMARC fails for "on behalf of" messages

DMARC checks SPF and DKIM alignmen with From address. That is, in order DKIM to be accepted for DMARC, DKIM domain must align with From domain. In your case, fromdomain.bbb  domain should be used for DKIM signature. Currently, SPF and DKIM pass, but SPF and DKIM alignment with From address fail.

Re: [dmarc-discuss] Weird DMARC

I guess it's because SPF policy requires helo value to validate against "include:%{i}._ip.%{h}._ehlo.%{d}._spf.valigov.email" and helo value is not logged by Google in Received-SPF, so mxtoolbox fails to validate it. 15.12.2018 13:00, Steve Atkins via dmarc-discuss пишет: > >> On Dec 14, 2018,

Re: [dmarc-discuss] DMARC oddity

Yes, it makes sense. Latest versions of mailing list software (Sympa since 6.2.6, Dada Mail since 7.0.2, Mailman since 2.1.16, GroupServer since 14.06) support From rewrite feature for domains with restrictive DMARC, it makes mailing list software compatible with DMARC. It may be required to

Re: [dmarc-discuss] DMARC oddity

You see envelope-from (aka RFC 5321.mailfrom) address in logs, while DMARC checks policy against From: header (RFC 5322.From), envelope-from and From: may differ. 26.11.2018 22:17, Dennis Burgess via dmarc-discuss пишет: > > Got an odd one, getting e-mails from another domain rejected based on >

Re: [dmarc-discuss] RUA vs RUF reports

Aggregated report contain all information, including SPF/DKIM/DMARC failures, but it doesn't contain forensic information (e.g. failed message Subject). Aggregated reports are supported by almost all large ESPs, so, if you have some troubles you will probably see it in aggregated report.

Re: [dmarc-discuss] DMARC newbie, seems to work, so why this report?

Hello, most probably, the message received by Yahoo is NDR or DSN message generated by your host. In this case, envelope-from address is empty and SPF is checked against HELO               mail.mydomain.tld         none       From: probably has something like From:

Re: [dmarc-discuss] DMARC report to external domain

You do not need to create additional DMARC records for subdomains for either DMARC policy or DMARC reporting, unless you want this subdomain to have different policy. Unlike SPF, DMARC acts for subdomains by default. 05.03.2018 10:37, boonhai@infineon.com пишет: > > Hi Randal, > >   > > If

Re: [dmarc-discuss] DMARC report to external domain

It's incorrect. If you want reports for domain1.com are sent to e-mail address in domain2.com, domain2.com must publish a record *domain1.com._report._dmarc.domain2.com. TXT "v=DMARC1" *to indicate it's willing to receive the reports for domain1.com* * 21.02.2018 12:51, Randal Pinto via

Re: [dmarc-discuss] How to block fake forwarders?

Typical scenario is message is forwarded by recognized but DMARC-unaware forwarder. There are still many large mailbox providers and even more enterprise mail system where DMARC is not implemented. Probably, you did everything you can, so just accept some messages are not DMARC-blocked, because

Re: [dmarc-discuss] New to DMARC need help

According to DMARC standard, rua address must be either aligned with domain (that is, to be located in bloomingdales.com) or publish permissive DMARC record for reports, that is bloomingdales.com._report._dmarc.macys.com in your case. So you have 2 options: 1. Publish TXT record

Re: [dmarc-discuss] DMARC forensic reporting options

I can't say for all DMARC implementers, but in our case concerns about (not) sending forensic reports are security and legal issues, not the size of message body. According to regulations, technical information about message, including not only headers, but also log records, BTW, is considered as

[dmarc-discuss] Implementing DMARC to Protect the Corporate Domain From Spoofing / Technical Recommendations for Email Senders

Hello, few more BCPs. We were trying to be short and gather different tips into a single point, because nobody reads long manuals before it's too late. Technical Recommendations for Email Senders

[dmarc-discuss] (Why) Mail.Ru Implements a Strict DMARC Policy

Hello, we are translating to English a hub of technical articles previously published in Russian. This one is (Why) Mail.Ru Implements a Strict DMARC Policy https://team.mail.ru/why-mail-ru-implements-a-strict-dmarc-policy/

Re: [dmarc-discuss] gmail's DMARC check doesn't respect subdomain policy

It may be because a.prnk.cz doesn't has it's own MX record, so GMail assumes somebody is trying to spoof non-mail A records from domain prnk.cz and uses DMARC for this domain. Try to add MX. 08.12.2016 14:59, Petr Novák via dmarc-discuss пишет: > Well I just tried to make the email as simple as

Re: [dmarc-discuss] exegesis: pass and fail together

There can be 2 DKIM signatures, if e.g. message is forwarded by user. First one from original messages and it probably fails to verify and second one for forwarded messages and it passes. Thomas Krichel via dmarc-discuss пишет: > Hi gang, > > I am new to DMARC. Google have sent me a report

[dmarc-discuss] DMARC policy change for mail.ru

Hello list, planned dates for p=reject policy April,25 2016: bk.ru May, 18 2016: mail.ru list.ru inbox.ru -- Vladimir Dubrovin @Mail.Ru ___ dmarc-discuss mailing list dmarc-discuss@dmarc.org http://www.dmarc.org/mailman/listinfo/dmarc-discuss

Re: [dmarc-discuss] is that *really* valid

gt; an email address within <>. Mailboxes are separated by comas ,. > > On Wed, Apr 6, 2016 at 8:55 AM, Vladimir Dubrovin via dmarc-discuss > <dmarc-discuss@dmarc.org <mailto:dmarc-discuss@dmarc.org>> wrote: > > > This From contains 2 mailboxes (Lastname and u

Re: [dmarc-discuss] is that *really* valid

This From contains 2 mailboxes (Lastname and u...@yahoo.com). This is valid RFC 5322 syntax from= "From:" mailbox-list CRLF ... mailbox-list= (mailbox *("," mailbox)) / obs-mbox-list but it's invalid for DMARC RFC 7489 and it's not covered by DMARC specification:

Re: [dmarc-discuss] DMARC policy change for mail.ua / corp.mail.ru

In different words, you delay DMARC support until Google set p=reject for gmail.com. Larry Finch via dmarc-discuss пишет: > >> On Mar 28, 2016, at 8:11 AM, Ben Greenfield via dmarc-discuss >> > wrote: >> >> Hey All, >> >> Forgive this

Re: [dmarc-discuss] DMARC policy change for mail.ua / corp.mail.ru

te >> may be changed based on results and feedback we'll get from >> implementing strict policy for smaller domains. >> >> Udeme Ukutt пишет: >>> Thanks Vladimir. Pls what about mail.ru <http://mail.ru/>? >>> >>>

Re: [dmarc-discuss] DMARC policy change for mail.ua / corp.mail.ru

Pls what about mail.ru <http://mail.ru>? > > Udeme > > On Friday, March 25, 2016, Vladimir Dubrovin via dmarc-discuss > <dmarc-discuss@dmarc.org <mailto:dmarc-discuss@dmarc.org>> wrote: > > > Hello list. > > Mail.Ru scheduled switchi

[dmarc-discuss] DMARC policy change for mail.ua / corp.mail.ru

Hello list. Mail.Ru scheduled switching to p=reject DMARC policy on March, 29 2016 for mail.ua corp.mail.ru domains. Please adjust your configuration, if required. -- Vladimir Dubrovin @Mail.Ru ___ dmarc-discuss mailing list

[dmarc-discuss] reject DMARC policy for my.com domain starting March, 1 2016

Hello, list. Starting March, 1 2016 Mail.Ru begins to implement restrictive DMARC policy for public mailbox domains with my.com being the first domain to publish p=reject policy. Please make sure to update configuration if you need special handling for DMARC-restrictive domains. In future,

Re: [dmarc-discuss] Two DKIM sections in the DMARC report from Google

There is also more simple scenario if there is an internal mailing list within the same domain. Message is signed by sender and by mailing list software. First signature is broken because message is modified. It's exactly what happens on this mailing list. If somebody writes to

Re: [dmarc-discuss] Two DKIM sections in the DMARC report from Google

May be, you have two DKIM-Signature fields in the message for some cases, e.g. redirected/auto-forwarded messages? The Venus Project via dmarc-discuss пишет: > Hi, > > I see something strange in the DMARC reports that we're getting from > Google. Here is the relevant section from the XML file:

[dmarc-discuss] Attacks against DMARC-incompatible mailing lists via forensic reports

Not sure if it was already discussed: I believe there is a serios security flaw in DMARC forensic reports feature. Problem description: It's possible to obtain subscribers list. If list has individual unsubscribe links or direct list-unsubscribe header, authentication token can be stealed.

Re: [dmarc-discuss] DMARC+DKIM flow: signed message content tampering

Murray S. Kucherawy пишет: Hi Vladimir, Thanks for putting all this thought into your research. I hope you stick around as all of this develops. On Tue, Jul 1, 2014 at 5:53 AM, Vladimir Dubrovin via dmarc-discuss dmarc-discuss@dmarc.org mailto:dmarc-discuss@dmarc.org wrote: 1. DKIM