Hello,
in Dublin I asked $subject to numerous people. "Yes, if you could
whitelist" was the common answer.
OK, that was my job for the last weeks. Here is a summary.
OpenDMARC has the ability to send FailureReports. Usually these
Reports are sent to the Domain owner.
Franck Martin told me many times: "send them to yourself". But now, as
I do this¹), I know the value of such Reports.
Thanks, Franck!
It wasn't a big deal to classify the Reports:
o real spam / fake messages
o false positives:
- Listservers that break DKIM
- Forwarders that break DKIM
- Messages without DKIM signatures:
* dhl.com
* deutschepost.de
* kundenservice.vodafon.de
- Forwarders that strip DKIM signatures
- Delivery Status Notifications without DKIM
- Unaligned Messages:
* amazon.de ( fixed )
- Messages that trigger Bugs in $dmarc_checker
* amazon.de ( fixed )
- Messages from dedicated submission servers operated by a known organisation
- poorly written contact web pages sending on behalf of aol.com, for example
After a week we had a good view of the "collateral damage" we would
produce if we honor p=reject.
We whitelisted²) some listservers, forwarders and submission servers. Not more.
Amazon fixed the alignment issue within three days - well done!
A patch for opendmarc is proposed
(http://sf.net/p/opendmarc/tickets/131/#4771).
Now we wait; our customers complain "I miss my messages" - but they don't!
Looking at the stats opens another view:
10% of my inbound messages are logged as "dmarc=pass", 0.5% as "dmarc=fail".
These 0.5% are visible to us by the Failure Reporting I just described.
Over 90% of the FailureReports are true hits: messages that should be
rejected.
-> So only 0.05% of my inbound volume is false positive dmarc=fail.
Anyway: we now reject messages that fail DMARC for domains that
announce p=reject.
It does not hurt.
I guess the fact that DMARC aggregate reporting does not occur in
Germany/Europe is one reason that some senders still send messages not
passing DMARC. The fault is just invisible to them.
But now we have the statement from ECO. So I started a next round with
our lawyer/data security department.
Andreas
¹) How to configure opendmarc to send failure reports to myself:
opendmarc.conf
FailureReports yes
FailureReportsBcc yes
ReportCommand /path/to/sendmail -fsender_address@mymailhost recipient@mydomain
²) whitelisting hosts
opendmarc.conf
IgnoreHosts /path/to/ignorehosts.txt
ignorehosts.txt
# hostname, ipv4, ipv6 or ipv4/mask are verified to work
mail.ietf.org
_______________________________________________
dmarc-discuss mailing list
dmarc-discuss@dmarc.org
http://www.dmarc.org/mailman/listinfo/dmarc-discuss
NOTE: Participating in this list means you agree to the DMARC Note Well terms
(http://www.dmarc.org/note_well.html)
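The triage the post describes (bucketing failure reports into listserver, forwarder, unsigned and unaligned cases, and skipping hosts an IgnoreHosts list covers) as an added Python example; this is not OpenDMARC code and not the poster's, and the report layout, the exact-hostname matching and the last-two-labels alignment rule are assumptions.

```python
# Added example (not from the post or OpenDMARC): triage failure reports into the post's buckets.
import ipaddress
from collections import Counter

def host_ignored(entries, client_ip, client_host=None):
    """IgnoreHosts look-alike: hostname, IP or CIDR per line; assumption: hostnames match exactly."""
    ip = ipaddress.ip_address(client_ip)
    for entry in (e.strip() for e in entries):
        if not entry or entry.startswith("#"):  # blank or comment line
            continue
        try:
            if ip in ipaddress.ip_network(entry, strict=False):
                return True
        except ValueError:  # not an address or prefix: compare as a hostname
            if client_host and client_host.lower() == entry.lower():
                return True
    return False

def org_domain(d):  # simplified organisational domain: last two labels, no public suffix list
    return ".".join(d.lower().split(".")[-2:])

def classify(r):
    """r: from_domain, dkim/spf result (pass|fail|none), dkim_domain, spf_domain, optional list_id."""
    fd = org_domain(r["from_domain"])
    if (r["dkim"] == "pass" and org_domain(r["dkim_domain"]) == fd) or \
       (r["spf"] == "pass" and org_domain(r["spf_domain"]) == fd):
        return "checker-bug"   # an aligned identifier passed: DMARC itself should have passed
    if r.get("list_id"):
        return "listserver"    # mailing-list traffic: whitelist candidate
    if r["dkim"] == "pass" or r["spf"] == "pass":
        return "unaligned"     # authenticated, but under another domain (the amazon.de case)
    if r["dkim"] == "fail":
        return "broken-dkim"   # signature present but invalid: forwarder or munging suspect
    return "unsigned"          # no DKIM and SPF fail: spam or an unsigned sender, review by hand

def summarize(reports, ignore_entries):
    """Bucket counts for the reports a whitelist would not have suppressed."""
    return Counter(classify(r) for r in reports
                   if not host_ignored(ignore_entries, r["client_ip"], r.get("client_host")))

# Constructed sample reports (not real traffic): Authentication-Results plus the client the MTA saw.
IGNORE = ["# trusted list servers / forwarders", "mail.ietf.org", "192.0.2.0/24"]
REPORTS = [
    dict(from_domain="example.org", client_ip="198.51.100.7", client_host="mail.ietf.org",
         dkim="fail", dkim_domain="example.org", spf="pass", spf_domain="ietf.org", list_id="x"),
    dict(from_domain="example.org", client_ip="203.0.113.5", client_host=None,
         dkim="pass", dkim_domain="esp.test", spf="pass", spf_domain="esp.test"),
    dict(from_domain="example.org", client_ip="203.0.113.6", client_host=None,
         dkim="none", dkim_domain="", spf="fail", spf_domain="203.0.113.6"),
]
```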