Re: [dmarc-discuss] Multiple SPF results in report

2016-04-05 Thread Michiel van de Vis via dmarc-discuss 
Based on the data we receive at DMARCanalyzer.com we see that the source
for these 'multiple SPF record' reports is mostly Microsoft.

About 98.5% of these records are from Microsoft. The other 1.5% is from
126.com/163.com/yeah.net.

Regards,

Michiel
DMARCanalyzer.com




2016-04-04 19:03 GMT+02:00 Lugo, Dave via dmarc-discuss <
dmarc-discuss@dmarc.org>:

> Thanks, I see a need to familiarize myself with 7208…
>
> --
> Dave Lugo
> Engineer, Comcast Anti-Abuse Technologies
> Desk: 215-286-5451
>
>
> From: Franck Martin <fmar...@linkedin.com>
> Date: Monday, April 4, 2016 at 1:00 PM
> To: Dave Lugo <dave_l...@cable.comcast.com>
> Cc: DMARC Discussion List <dmarc-discuss@dmarc.org>
>
> Subject: Re: [dmarc-discuss] Multiple SPF results in report
>
> The question, is what is the RFC5321.mailfrom is empty? The
> RFC7208.MAILFROM is never empty.
>
> https://tools.ietf.org/html/rfc7208#section-2.4
>
> SPF verifiers MUST check the "MAIL FROM" identity if a "HELO" check
>either has not been performed or has not reached a definitive policy
>result by applying the check_host() function to the "MAIL FROM"
>identity as the .
>
>[RFC5321] allows the reverse-path to be null (see Section 4.5.5 in
>[RFC5321] <https://tools.ietf.org/html/rfc5321#section-4.5.5>).  In this 
> case, there is no explicit sender mailbox, and
>such a message can be assumed to be a notification message from the
>mail system itself.  When the reverse-path is null, this document
>defines the "MAIL FROM" identity to be the mailbox composed of the
>local-part "postmaster" and the "HELO" identity (which might or might
>not have been checked separately before).
>
>
>
> On Mon, Apr 4, 2016 at 8:59 AM, Lugo, Dave via dmarc-discuss <
> dmarc-discuss@dmarc.org> wrote:
>
>> Franck,
>>
>> What if the RFC7208.MAILFROM is empty?  I recall some questions from
>> colleagues re dmarc reporting and the spf scope (help or mailfrom).
>>
>> Thanks,
>>
>> Dave
>>
>> --
>> Dave Lugo
>> Engineer, Comcast Anti-Abuse Technologies
>> Desk: 215-286-5451
>>
>>
>> From: dmarc-discuss <dmarc-discuss-boun...@dmarc.org> on behalf of
>> Franck Martin via dmarc-discuss <dmarc-discuss@dmarc.org>
>> Reply-To: Franck Martin <fmar...@linkedin.com>
>> Date: Monday, April 4, 2016 at 11:51 AM
>> To: Maarten Oelering <maar...@postmastery.net>
>> Cc: "n...@graafhenk.nl" <n...@graafhenk.nl>, DMARC Discussion List <
>> dmarc-discuss@dmarc.org>
>> Subject: Re: [dmarc-discuss] Multiple SPF results in report
>>
>> It is a bug.
>>
>> There can only be one SPF per record. Theoretically SPF returns 2
>> results, one for the RFC7208.HELO and another one for RFC7208.MAILFROM, but
>> DMARC takes as input only RFC7208.MAILFROM, therefore only this results is
>> needed in DMARC reports.
>>
>> RFC7208.MAILFROM is not RFC5321.MailFrom, there is a subtle but important
>> difference here.
>>
>> On Mon, Apr 4, 2016 at 12:23 AM, Maarten Oelering via dmarc-discuss <
>> dmarc-discuss@dmarc.org> wrote:
>>
>>> Do you mean that in the XML you see 6  elements in one
>>>  element? Or do you mean you see 6 different  domains in
>>> the your reports?
>>>
>>> Maarten Oelering
>>> Postmastery
>>>
>>> On 4 apr. 2016, at 09:05, Nick via dmarc-discuss <
>>> dmarc-discuss@dmarc.org> wrote:
>>>
>>> I received a DMARC report with multiple SPF results. I wonder how this
>>> is possible as I only have one SPF record for my domain defined. In one
>>> report I got 6 SPF results.
>>>
>>> The only thing I could think of is some automatic forwarding service
>>> changing the return path header. Are there more usecases possible how this
>>> can happen?
>>>
>>> Thanks
>>> Nick
>>> ___
>>> dmarc-discuss mailing list
>>> dmarc-discuss@dmarc.org
>>> http://www.dmarc.org/mailman/listinfo/dmarc-discuss
>>>
>>> NOTE: Participating in this list means you agree to the DMARC Note Well
>>> terms (http://www.dmarc.org/note_well.html)
>>>
>>>
>>>
>>> ___
>>> dmarc-discuss mailing list
>>> dmarc-discuss@dmarc.org
>>> http://www.dmarc.org/mailman/listinfo/dmarc-discuss
>>>
>>> NOTE: Participating in this list means yo

Re: [dmarc-discuss] Multiple SPF results in report

2016-04-04 Thread Franck Martin via dmarc-discuss 
The question, is what is the RFC5321.mailfrom is empty? The
RFC7208.MAILFROM is never empty.

https://tools.ietf.org/html/rfc7208#section-2.4

SPF verifiers MUST check the "MAIL FROM" identity if a "HELO" check
   either has not been performed or has not reached a definitive policy
   result by applying the check_host() function to the "MAIL FROM"
   identity as the .

   [RFC5321] allows the reverse-path to be null (see Section 4.5.5 in
   [RFC5321] <https://tools.ietf.org/html/rfc5321#section-4.5.5>).  In
this case, there is no explicit sender mailbox, and
   such a message can be assumed to be a notification message from the
   mail system itself.  When the reverse-path is null, this document
   defines the "MAIL FROM" identity to be the mailbox composed of the
   local-part "postmaster" and the "HELO" identity (which might or might
   not have been checked separately before).



On Mon, Apr 4, 2016 at 8:59 AM, Lugo, Dave via dmarc-discuss <
dmarc-discuss@dmarc.org> wrote:

> Franck,
>
> What if the RFC7208.MAILFROM is empty?  I recall some questions from
> colleagues re dmarc reporting and the spf scope (help or mailfrom).
>
> Thanks,
>
> Dave
>
> --
> Dave Lugo
> Engineer, Comcast Anti-Abuse Technologies
> Desk: 215-286-5451
>
>
> From: dmarc-discuss <dmarc-discuss-boun...@dmarc.org> on behalf of Franck
> Martin via dmarc-discuss <dmarc-discuss@dmarc.org>
> Reply-To: Franck Martin <fmar...@linkedin.com>
> Date: Monday, April 4, 2016 at 11:51 AM
> To: Maarten Oelering <maar...@postmastery.net>
> Cc: "n...@graafhenk.nl" <n...@graafhenk.nl>, DMARC Discussion List <
> dmarc-discuss@dmarc.org>
> Subject: Re: [dmarc-discuss] Multiple SPF results in report
>
> It is a bug.
>
> There can only be one SPF per record. Theoretically SPF returns 2 results,
> one for the RFC7208.HELO and another one for RFC7208.MAILFROM, but DMARC
> takes as input only RFC7208.MAILFROM, therefore only this results is needed
> in DMARC reports.
>
> RFC7208.MAILFROM is not RFC5321.MailFrom, there is a subtle but important
> difference here.
>
> On Mon, Apr 4, 2016 at 12:23 AM, Maarten Oelering via dmarc-discuss <
> dmarc-discuss@dmarc.org> wrote:
>
>> Do you mean that in the XML you see 6  elements in one
>>  element? Or do you mean you see 6 different  domains in
>> the your reports?
>>
>> Maarten Oelering
>> Postmastery
>>
>> On 4 apr. 2016, at 09:05, Nick via dmarc-discuss <dmarc-discuss@dmarc.org>
>> wrote:
>>
>> I received a DMARC report with multiple SPF results. I wonder how this is
>> possible as I only have one SPF record for my domain defined. In one report
>> I got 6 SPF results.
>>
>> The only thing I could think of is some automatic forwarding service
>> changing the return path header. Are there more usecases possible how this
>> can happen?
>>
>> Thanks
>> Nick
>> ___
>> dmarc-discuss mailing list
>> dmarc-discuss@dmarc.org
>> http://www.dmarc.org/mailman/listinfo/dmarc-discuss
>>
>> NOTE: Participating in this list means you agree to the DMARC Note Well
>> terms (http://www.dmarc.org/note_well.html)
>>
>>
>>
>> ___
>> dmarc-discuss mailing list
>> dmarc-discuss@dmarc.org
>> http://www.dmarc.org/mailman/listinfo/dmarc-discuss
>>
>> NOTE: Participating in this list means you agree to the DMARC Note Well
>> terms (http://www.dmarc.org/note_well.html)
>>
>
>
> ___
> dmarc-discuss mailing list
> dmarc-discuss@dmarc.org
> http://www.dmarc.org/mailman/listinfo/dmarc-discuss
>
> NOTE: Participating in this list means you agree to the DMARC Note Well
> terms (http://www.dmarc.org/note_well.html)
>
___
dmarc-discuss mailing list
dmarc-discuss@dmarc.org
http://www.dmarc.org/mailman/listinfo/dmarc-discuss

NOTE: Participating in this list means you agree to the DMARC Note Well terms 
(http://www.dmarc.org/note_well.html)

Re: [dmarc-discuss] Multiple SPF results in report

2016-04-04 Thread Lugo, Dave via dmarc-discuss 
Franck,

What if the RFC7208.MAILFROM is empty?  I recall some questions from colleagues 
re dmarc reporting and the spf scope (help or mailfrom).

Thanks,

Dave

--
Dave Lugo
Engineer, Comcast Anti-Abuse Technologies
Desk: 215-286-5451


From: dmarc-discuss 
<dmarc-discuss-boun...@dmarc.org<mailto:dmarc-discuss-boun...@dmarc.org>> on 
behalf of Franck Martin via dmarc-discuss 
<dmarc-discuss@dmarc.org<mailto:dmarc-discuss@dmarc.org>>
Reply-To: Franck Martin <fmar...@linkedin.com<mailto:fmar...@linkedin.com>>
Date: Monday, April 4, 2016 at 11:51 AM
To: Maarten Oelering <maar...@postmastery.net<mailto:maar...@postmastery.net>>
Cc: "n...@graafhenk.nl<mailto:n...@graafhenk.nl>" 
<n...@graafhenk.nl<mailto:n...@graafhenk.nl>>, DMARC Discussion List 
<dmarc-discuss@dmarc.org<mailto:dmarc-discuss@dmarc.org>>
Subject: Re: [dmarc-discuss] Multiple SPF results in report

It is a bug.

There can only be one SPF per record. Theoretically SPF returns 2 results, one 
for the RFC7208.HELO and another one for RFC7208.MAILFROM, but DMARC takes as 
input only RFC7208.MAILFROM, therefore only this results is needed in DMARC 
reports.

RFC7208.MAILFROM is not RFC5321.MailFrom, there is a subtle but important 
difference here.

On Mon, Apr 4, 2016 at 12:23 AM, Maarten Oelering via dmarc-discuss 
<dmarc-discuss@dmarc.org<mailto:dmarc-discuss@dmarc.org>> wrote:
Do you mean that in the XML you see 6  elements in one  
element? Or do you mean you see 6 different  domains in the your reports?

Maarten Oelering
Postmastery

On 4 apr. 2016, at 09:05, Nick via dmarc-discuss 
<dmarc-discuss@dmarc.org<mailto:dmarc-discuss@dmarc.org>> wrote:

I received a DMARC report with multiple SPF results. I wonder how this is 
possible as I only have one SPF record for my domain defined. In one report I 
got 6 SPF results.

The only thing I could think of is some automatic forwarding service changing 
the return path header. Are there more usecases possible how this can happen?

Thanks
Nick
___
dmarc-discuss mailing list
dmarc-discuss@dmarc.org<mailto:dmarc-discuss@dmarc.org>
http://www.dmarc.org/mailman/listinfo/dmarc-discuss

NOTE: Participating in this list means you agree to the DMARC Note Well terms 
(http://www.dmarc.org/note_well.html)


___
dmarc-discuss mailing list
dmarc-discuss@dmarc.org<mailto:dmarc-discuss@dmarc.org>
http://www.dmarc.org/mailman/listinfo/dmarc-discuss

NOTE: Participating in this list means you agree to the DMARC Note Well terms 
(http://www.dmarc.org/note_well.html)

___
dmarc-discuss mailing list
dmarc-discuss@dmarc.org
http://www.dmarc.org/mailman/listinfo/dmarc-discuss

NOTE: Participating in this list means you agree to the DMARC Note Well terms 
(http://www.dmarc.org/note_well.html)

Re: [dmarc-discuss] Multiple SPF results in report

2016-04-04 Thread Franck Martin via dmarc-discuss 
It is a bug.

There can only be one SPF per record. Theoretically SPF returns 2 results,
one for the RFC7208.HELO and another one for RFC7208.MAILFROM, but DMARC
takes as input only RFC7208.MAILFROM, therefore only this results is needed
in DMARC reports.

RFC7208.MAILFROM is not RFC5321.MailFrom, there is a subtle but important
difference here.

On Mon, Apr 4, 2016 at 12:23 AM, Maarten Oelering via dmarc-discuss <
dmarc-discuss@dmarc.org> wrote:

> Do you mean that in the XML you see 6  elements in one 
> element? Or do you mean you see 6 different  domains in the your
> reports?
>
> Maarten Oelering
> Postmastery
>
> On 4 apr. 2016, at 09:05, Nick via dmarc-discuss 
> wrote:
>
> I received a DMARC report with multiple SPF results. I wonder how this is
> possible as I only have one SPF record for my domain defined. In one report
> I got 6 SPF results.
>
> The only thing I could think of is some automatic forwarding service
> changing the return path header. Are there more usecases possible how this
> can happen?
>
> Thanks
> Nick
> ___
> dmarc-discuss mailing list
> dmarc-discuss@dmarc.org
> http://www.dmarc.org/mailman/listinfo/dmarc-discuss
>
> NOTE: Participating in this list means you agree to the DMARC Note Well
> terms (http://www.dmarc.org/note_well.html)
>
>
>
> ___
> dmarc-discuss mailing list
> dmarc-discuss@dmarc.org
> http://www.dmarc.org/mailman/listinfo/dmarc-discuss
>
> NOTE: Participating in this list means you agree to the DMARC Note Well
> terms (http://www.dmarc.org/note_well.html)
>
___
dmarc-discuss mailing list
dmarc-discuss@dmarc.org
http://www.dmarc.org/mailman/listinfo/dmarc-discuss

NOTE: Participating in this list means you agree to the DMARC Note Well terms 
(http://www.dmarc.org/note_well.html)

Re: [dmarc-discuss] Multiple SPF results in report

2016-04-04 Thread Maarten Oelering via dmarc-discuss 
Do you mean that in the XML you see 6  elements in one  
element? Or do you mean you see 6 different  domains in the your reports?

Maarten Oelering
Postmastery

> On 4 apr. 2016, at 09:05, Nick via dmarc-discuss  
> wrote:
> 
> I received a DMARC report with multiple SPF results. I wonder how this is 
> possible as I only have one SPF record for my domain defined. In one report I 
> got 6 SPF results.
> 
> The only thing I could think of is some automatic forwarding service changing 
> the return path header. Are there more usecases possible how this can happen?
> 
> Thanks
> Nick
> ___
> dmarc-discuss mailing list
> dmarc-discuss@dmarc.org
> http://www.dmarc.org/mailman/listinfo/dmarc-discuss
> 
> NOTE: Participating in this list means you agree to the DMARC Note Well terms 
> (http://www.dmarc.org/note_well.html)

___
dmarc-discuss mailing list
dmarc-discuss@dmarc.org
http://www.dmarc.org/mailman/listinfo/dmarc-discuss

NOTE: Participating in this list means you agree to the DMARC Note Well terms 
(http://www.dmarc.org/note_well.html)

[dmarc-discuss] Multiple SPF results in report

2016-04-04 Thread Nick via dmarc-discuss 
I received a DMARC report with multiple SPF results. I wonder how this 
is possible as I only have one SPF record for my domain defined. In one 
report I got 6 SPF results.


The only thing I could think of is some automatic forwarding service 
changing the return path header. Are there more usecases possible how 
this can happen?


Thanks
Nick
___
dmarc-discuss mailing list
dmarc-discuss@dmarc.org
http://www.dmarc.org/mailman/listinfo/dmarc-discuss

NOTE: Participating in this list means you agree to the DMARC Note Well terms 
(http://www.dmarc.org/note_well.html)