Re: [dmarc-discuss] Multiple SPF results in report

2016-04-04 Thread Franck Martin via dmarc-discuss 
The question, is what is the RFC5321.mailfrom is empty? The
RFC7208.MAILFROM is never empty.

https://tools.ietf.org/html/rfc7208#section-2.4

SPF verifiers MUST check the "MAIL FROM" identity if a "HELO" check
   either has not been performed or has not reached a definitive policy
   result by applying the check_host() function to the "MAIL FROM"
   identity as the .

   [RFC5321] allows the reverse-path to be null (see Section 4.5.5 in
   [RFC5321] ).  In
this case, there is no explicit sender mailbox, and
   such a message can be assumed to be a notification message from the
   mail system itself.  When the reverse-path is null, this document
   defines the "MAIL FROM" identity to be the mailbox composed of the
   local-part "postmaster" and the "HELO" identity (which might or might
   not have been checked separately before).



On Mon, Apr 4, 2016 at 8:59 AM, Lugo, Dave via dmarc-discuss <
dmarc-discuss@dmarc.org> wrote:

> Franck,
>
> What if the RFC7208.MAILFROM is empty?  I recall some questions from
> colleagues re dmarc reporting and the spf scope (help or mailfrom).
>
> Thanks,
>
> Dave
>
> --
> Dave Lugo
> Engineer, Comcast Anti-Abuse Technologies
> Desk: 215-286-5451
>
>
> From: dmarc-discuss  on behalf of Franck
> Martin via dmarc-discuss 
> Reply-To: Franck Martin 
> Date: Monday, April 4, 2016 at 11:51 AM
> To: Maarten Oelering 
> Cc: "n...@graafhenk.nl" , DMARC Discussion List <
> dmarc-discuss@dmarc.org>
> Subject: Re: [dmarc-discuss] Multiple SPF results in report
>
> It is a bug.
>
> There can only be one SPF per record. Theoretically SPF returns 2 results,
> one for the RFC7208.HELO and another one for RFC7208.MAILFROM, but DMARC
> takes as input only RFC7208.MAILFROM, therefore only this results is needed
> in DMARC reports.
>
> RFC7208.MAILFROM is not RFC5321.MailFrom, there is a subtle but important
> difference here.
>
> On Mon, Apr 4, 2016 at 12:23 AM, Maarten Oelering via dmarc-discuss <
> dmarc-discuss@dmarc.org> wrote:
>
>> Do you mean that in the XML you see 6  elements in one
>>  element? Or do you mean you see 6 different  domains in
>> the your reports?
>>
>> Maarten Oelering
>> Postmastery
>>
>> On 4 apr. 2016, at 09:05, Nick via dmarc-discuss 
>> wrote:
>>
>> I received a DMARC report with multiple SPF results. I wonder how this is
>> possible as I only have one SPF record for my domain defined. In one report
>> I got 6 SPF results.
>>
>> The only thing I could think of is some automatic forwarding service
>> changing the return path header. Are there more usecases possible how this
>> can happen?
>>
>> Thanks
>> Nick
>> ___
>> dmarc-discuss mailing list
>> dmarc-discuss@dmarc.org
>> http://www.dmarc.org/mailman/listinfo/dmarc-discuss
>>
>> NOTE: Participating in this list means you agree to the DMARC Note Well
>> terms (http://www.dmarc.org/note_well.html)
>>
>>
>>
>> ___
>> dmarc-discuss mailing list
>> dmarc-discuss@dmarc.org
>> http://www.dmarc.org/mailman/listinfo/dmarc-discuss
>>
>> NOTE: Participating in this list means you agree to the DMARC Note Well
>> terms (http://www.dmarc.org/note_well.html)
>>
>
>
> ___
> dmarc-discuss mailing list
> dmarc-discuss@dmarc.org
> http://www.dmarc.org/mailman/listinfo/dmarc-discuss
>
> NOTE: Participating in this list means you agree to the DMARC Note Well
> terms (http://www.dmarc.org/note_well.html)
>
___
dmarc-discuss mailing list
dmarc-discuss@dmarc.org
http://www.dmarc.org/mailman/listinfo/dmarc-discuss

NOTE: Participating in this list means you agree to the DMARC Note Well terms 
(http://www.dmarc.org/note_well.html)

Re: [dmarc-discuss] Multiple SPF results in report

2016-04-04 Thread Lugo, Dave via dmarc-discuss 
Franck,

What if the RFC7208.MAILFROM is empty?  I recall some questions from colleagues 
re dmarc reporting and the spf scope (help or mailfrom).

Thanks,

Dave

--
Dave Lugo
Engineer, Comcast Anti-Abuse Technologies
Desk: 215-286-5451


From: dmarc-discuss 
> on 
behalf of Franck Martin via dmarc-discuss 
>
Reply-To: Franck Martin >
Date: Monday, April 4, 2016 at 11:51 AM
To: Maarten Oelering >
Cc: "n...@graafhenk.nl" 
>, DMARC Discussion List 
>
Subject: Re: [dmarc-discuss] Multiple SPF results in report

It is a bug.

There can only be one SPF per record. Theoretically SPF returns 2 results, one 
for the RFC7208.HELO and another one for RFC7208.MAILFROM, but DMARC takes as 
input only RFC7208.MAILFROM, therefore only this results is needed in DMARC 
reports.

RFC7208.MAILFROM is not RFC5321.MailFrom, there is a subtle but important 
difference here.

On Mon, Apr 4, 2016 at 12:23 AM, Maarten Oelering via dmarc-discuss 
> wrote:
Do you mean that in the XML you see 6  elements in one  
element? Or do you mean you see 6 different  domains in the your reports?

Maarten Oelering
Postmastery

On 4 apr. 2016, at 09:05, Nick via dmarc-discuss 
> wrote:

I received a DMARC report with multiple SPF results. I wonder how this is 
possible as I only have one SPF record for my domain defined. In one report I 
got 6 SPF results.

The only thing I could think of is some automatic forwarding service changing 
the return path header. Are there more usecases possible how this can happen?

Thanks
Nick
___
dmarc-discuss mailing list
dmarc-discuss@dmarc.org
http://www.dmarc.org/mailman/listinfo/dmarc-discuss

NOTE: Participating in this list means you agree to the DMARC Note Well terms 
(http://www.dmarc.org/note_well.html)


___
dmarc-discuss mailing list
dmarc-discuss@dmarc.org
http://www.dmarc.org/mailman/listinfo/dmarc-discuss

NOTE: Participating in this list means you agree to the DMARC Note Well terms 
(http://www.dmarc.org/note_well.html)

___
dmarc-discuss mailing list
dmarc-discuss@dmarc.org
http://www.dmarc.org/mailman/listinfo/dmarc-discuss

NOTE: Participating in this list means you agree to the DMARC Note Well terms 
(http://www.dmarc.org/note_well.html)

Re: [dmarc-discuss] Multiple SPF results in report

2016-04-04 Thread Franck Martin via dmarc-discuss 
It is a bug.

There can only be one SPF per record. Theoretically SPF returns 2 results,
one for the RFC7208.HELO and another one for RFC7208.MAILFROM, but DMARC
takes as input only RFC7208.MAILFROM, therefore only this results is needed
in DMARC reports.

RFC7208.MAILFROM is not RFC5321.MailFrom, there is a subtle but important
difference here.

On Mon, Apr 4, 2016 at 12:23 AM, Maarten Oelering via dmarc-discuss <
dmarc-discuss@dmarc.org> wrote:

> Do you mean that in the XML you see 6  elements in one 
> element? Or do you mean you see 6 different  domains in the your
> reports?
>
> Maarten Oelering
> Postmastery
>
> On 4 apr. 2016, at 09:05, Nick via dmarc-discuss 
> wrote:
>
> I received a DMARC report with multiple SPF results. I wonder how this is
> possible as I only have one SPF record for my domain defined. In one report
> I got 6 SPF results.
>
> The only thing I could think of is some automatic forwarding service
> changing the return path header. Are there more usecases possible how this
> can happen?
>
> Thanks
> Nick
> ___
> dmarc-discuss mailing list
> dmarc-discuss@dmarc.org
> http://www.dmarc.org/mailman/listinfo/dmarc-discuss
>
> NOTE: Participating in this list means you agree to the DMARC Note Well
> terms (http://www.dmarc.org/note_well.html)
>
>
>
> ___
> dmarc-discuss mailing list
> dmarc-discuss@dmarc.org
> http://www.dmarc.org/mailman/listinfo/dmarc-discuss
>
> NOTE: Participating in this list means you agree to the DMARC Note Well
> terms (http://www.dmarc.org/note_well.html)
>
___
dmarc-discuss mailing list
dmarc-discuss@dmarc.org
http://www.dmarc.org/mailman/listinfo/dmarc-discuss

NOTE: Participating in this list means you agree to the DMARC Note Well terms 
(http://www.dmarc.org/note_well.html)

Re: [dmarc-discuss] DMARC configuration when using spam solution in Front of O365

2016-04-04 Thread Duggan, Anita via dmarc-discuss 
Have attached the results from an email that is in the DMARC mail box that we 
set up to track messages.  We currently have set p=none as we review the mail 
being captured

This email is from (Timzone.com) which is another O365 tenant that we own, it 
has SPF records but no DKIM or DMARC.   All of their inbound and outbound mail 
also flows through Symantec.cloud.  Timzone.com still has their disclaimer 
being applied by Symantec.

RBI.com also has all emails go through Symantc.cloud but  Dmarc and Dkim have 
been applied on O365, the disclaimer is on O365.

Thanks for your assistance.

Anita



From: Maarten Oelering [mailto:maar...@postmastery.net]
Sent: Saturday, April 02, 2016 3:23 AM
To: Duggan, Anita 
Cc: dmarc-discuss@dmarc.org
Subject: Re: [dmarc-discuss] DMARC configuration when using spam solution in 
Front of O365

If you can share the full email header of a test mail as it is received, that 
would help. For example from a Gmail account. Based on that it's easy to check 
SPF/DKIM validation, alignment, etc. You can also use a service like 
emailaudit.com to check all DMARC prerequisites.

Maarten
Postmastery

On Friday, 1 April 2016, Duggan, Anita via dmarc-discuss 
> wrote:
Good Morning,

We are in the process of setting up DKIM and DMARC for our domains.   Our 
inbound and outbound email flow goes from O365 to a spam provider and then to 
the internet and vice versa.   We have implemented DKIM / DMARC on O365, using 
the 2 cname records, and have DMARC set to take no action at this time.  
However, I am unclear what action needs to be taken to address that the last 
hop before our mail goes out to the internet is our spam provider.  Any 
assistance would be greatly appreciated


Thanks,

ADuggan
adug...@rbi.com


The information contained in this message may be proprietary, confidential or 
trade secret and may be legally privileged. The message is intended solely for 
the addressee(s). If you are not the intended recipient, you are hereby 
notified that any use, dissemination, disclosure or reproduction is strictly 
prohibited and may be a violation of law. If you are not the intended 
recipient, please contact the sender by return e-mail and destroy all copies of 
the original message.


Les renseignements contenus dans ce message peuvent être de propriété 
exclusive, de nature privilégiée, confidentiels ou relever du secret 
commercial. Ce message est strictement réservé à l’usage de son ou ses 
destinataires. Si vous n’êtes pas le destinataire prévu, vous êtes, par la 
présente, informé que toute utilisation, distribution, divulgation ou 
reproduction est strictement interdite et peut constituer une infraction à la 
loi. Si vous n’êtes pas le destinataire prévu, veuillez communiquer avec 
l’expéditeur par courriel et détruire tous les exemplaires du message original.

The information contained in this message may be proprietary, confidential or 
trade secret and may be legally privileged. The message is intended solely for 
the addressee(s). If you are not the intended recipient, you are hereby 
notified that any use, dissemination, disclosure or reproduction is strictly 
prohibited and may be a violation of law. If you are not the intended 
recipient, please contact the sender by return e-mail and destroy all copies of 
the original message.


Les renseignements contenus dans ce message peuvent être de propriété 
exclusive, de nature privilégiée, confidentiels ou relever du secret 
commercial. Ce message est strictement réservé à l’usage de son ou ses 
destinataires. Si vous n’êtes pas le destinataire prévu, vous êtes, par la 
présente, informé que toute utilisation, distribution, divulgation ou 
reproduction est strictement interdite et peut constituer une infraction à la 
loi. Si vous n’êtes pas le destinataire prévu, veuillez communiquer avec 
l’expéditeur par courriel et détruire tous les exemplaires du message original.


ATT1
Description: ATT1


eml
Description: eml
___
dmarc-discuss mailing list
dmarc-discuss@dmarc.org
http://www.dmarc.org/mailman/listinfo/dmarc-discuss

NOTE: Participating in this list means you agree to the DMARC Note Well terms 
(http://www.dmarc.org/note_well.html)

Re: [dmarc-discuss] Multiple SPF results in report

2016-04-04 Thread Maarten Oelering via dmarc-discuss 
Do you mean that in the XML you see 6  elements in one  
element? Or do you mean you see 6 different  domains in the your reports?

Maarten Oelering
Postmastery

> On 4 apr. 2016, at 09:05, Nick via dmarc-discuss  
> wrote:
> 
> I received a DMARC report with multiple SPF results. I wonder how this is 
> possible as I only have one SPF record for my domain defined. In one report I 
> got 6 SPF results.
> 
> The only thing I could think of is some automatic forwarding service changing 
> the return path header. Are there more usecases possible how this can happen?
> 
> Thanks
> Nick
> ___
> dmarc-discuss mailing list
> dmarc-discuss@dmarc.org
> http://www.dmarc.org/mailman/listinfo/dmarc-discuss
> 
> NOTE: Participating in this list means you agree to the DMARC Note Well terms 
> (http://www.dmarc.org/note_well.html)

___
dmarc-discuss mailing list
dmarc-discuss@dmarc.org
http://www.dmarc.org/mailman/listinfo/dmarc-discuss

NOTE: Participating in this list means you agree to the DMARC Note Well terms 
(http://www.dmarc.org/note_well.html)

[dmarc-discuss] Multiple SPF results in report

2016-04-04 Thread Nick via dmarc-discuss 
I received a DMARC report with multiple SPF results. I wonder how this 
is possible as I only have one SPF record for my domain defined. In one 
report I got 6 SPF results.


The only thing I could think of is some automatic forwarding service 
changing the return path header. Are there more usecases possible how 
this can happen?


Thanks
Nick
___
dmarc-discuss mailing list
dmarc-discuss@dmarc.org
http://www.dmarc.org/mailman/listinfo/dmarc-discuss

NOTE: Participating in this list means you agree to the DMARC Note Well terms 
(http://www.dmarc.org/note_well.html)