Re: [dmarc-discuss] DSN from microsoftonline.com

2017-12-20 Thread Roland Turner via dmarc-discuss 

On 21/12/17 05:43, A. Schulze via dmarc-discuss wrote:


Am 20.12.2017 um 18:44 schrieb Roland Turner via dmarc-discuss:

What HELO/EHLO hostname is being presented?

I'm out of office for the next days and have no access to that data.
 From what I remember it's the hostname of the sending system, a rDNS related 
to Microsoft.

Why do you think, the EHLO is important?


SPF tests both:

 * the domain in the email address provided in MAIL FROM; and
 * the hostname provided in HELO/EHLO

in part to deal intelligently with the empty return paths used in 
automated notifications of non-delivery, delivery-status, and delivery.


I doubt that this will solve your problem, but note that your assertion 
that SPF could never been aligned wasn't supported by the information 
that you quoted.


The actual answer to your problem will therefore turn on DKIM. Have you 
explored whether the organisations whose DSNs are failing DMARC also 
have the rest of their email failing DMARC? The use of the 
${customer}.onmicrosoft.com domain to sign is consistent with domains 
for which DKIM signing hasn't been turned on. (It could also be a 
DSN-handling bug of course.)


- Roland

___
dmarc-discuss mailing list
dmarc-discuss@dmarc.org
http://www.dmarc.org/mailman/listinfo/dmarc-discuss

NOTE: Participating in this list means you agree to the DMARC Note Well terms 
(http://www.dmarc.org/note_well.html)

Re: [dmarc-discuss] DSN from microsoftonline.com

2017-12-20 Thread Brandon Long via dmarc-discuss 
On Wed, Dec 20, 2017 at 1:48 PM A. Schulze via dmarc-discuss <
dmarc-discuss@dmarc.org> wrote:

>
>
> Am 20.12.2017 um 18:44 schrieb Roland Turner via dmarc-discuss:
> > What HELO/EHLO hostname is being presented?
>
> I'm out of office for the next days and have no access to that data.
> From what I remember it's the hostname of the sending system, a rDNS
> related to Microsoft.
>
> Why do you think, the EHLO is important?
>

For bounces (ie, empty MAIL FROM), the EHLO argument is used for the SPF
lookup, so it is technically possible for there to be a valid SPF record.

That said, I wouldn't bet on it.  I know there's still an open bug to
create the DNS SPF records for our EHLO hostnames at Google, it was just
never a high priority.  Plus, it wouldn't really help the DMARC case
because our DSN's come from @googlemail.com for some reason I was never
clear on but our EHLO hostnames are google.com.

Brandon
___
dmarc-discuss mailing list
dmarc-discuss@dmarc.org
http://www.dmarc.org/mailman/listinfo/dmarc-discuss

NOTE: Participating in this list means you agree to the DMARC Note Well terms 
(http://www.dmarc.org/note_well.html)

Re: [dmarc-discuss] DSN from microsoftonline.com

2017-12-20 Thread A. Schulze via dmarc-discuss 


Am 20.12.2017 um 18:44 schrieb Roland Turner via dmarc-discuss:
> What HELO/EHLO hostname is being presented?

I'm out of office for the next days and have no access to that data.
>From what I remember it's the hostname of the sending system, a rDNS related 
>to Microsoft.

Why do you think, the EHLO is important?

Andreas
___
dmarc-discuss mailing list
dmarc-discuss@dmarc.org
http://www.dmarc.org/mailman/listinfo/dmarc-discuss

NOTE: Participating in this list means you agree to the DMARC Note Well terms 
(http://www.dmarc.org/note_well.html)

Re: [dmarc-discuss] DSN from microsoftonline.com

2017-12-20 Thread Roland Turner via dmarc-discuss 

What HELO/EHLO hostname is being presented?

- Roland



On 20/12/17 21:14, A. Schulze via dmarc-discuss wrote:


Hello,

we use to send a portion of messages requesting delivery status 
notification on success.
In general DSN messages tend to not pass DMARC very often, but as we 
request DSN on success explicit

we monitor them.

Now I noticed a pattern on DSN sent from Microsoft.

RFC5321.MailFrom <>
RFC5322.From 
DKIM-Signature   d=${customer}.onmicrosoft.com

SPF could never be aligned and DKIM isn't aligned.

$ opendmarc-check microsoftonline.com
DMARC record for microsoftonline.com:
    Sample percentage: 100
    DKIM alignment: relaxed
    SPF alignment: relaxed
    Domain policy: none
    Subdomain policy: quarantine
    Aggregate report URIs:
    mailto:d...@rua.agari.com
    Failure report URIs:
    mailto:d...@ruf.agari.com

Any subdomain use p=quarantine but any DSN systematically fail.
Is this intentional?

Andreas




___
dmarc-discuss mailing list
dmarc-discuss@dmarc.org
http://www.dmarc.org/mailman/listinfo/dmarc-discuss

NOTE: Participating in this list means you agree to the DMARC Note 
Well terms (http://www.dmarc.org/note_well.html)



___
dmarc-discuss mailing list
dmarc-discuss@dmarc.org
http://www.dmarc.org/mailman/listinfo/dmarc-discuss

NOTE: Participating in this list means you agree to the DMARC Note Well terms 
(http://www.dmarc.org/note_well.html)

[dmarc-discuss] DSN from microsoftonline.com

2017-12-20 Thread A. Schulze via dmarc-discuss 


Hello,

we use to send a portion of messages requesting delivery status  
notification on success.
In general DSN messages tend to not pass DMARC very often, but as we  
request DSN on success explicit

we monitor them.

Now I noticed a pattern on DSN sent from Microsoft.

RFC5321.MailFrom <>
RFC5322.From 
DKIM-Signature   d=${customer}.onmicrosoft.com

SPF could never be aligned and DKIM isn't aligned.

$ opendmarc-check microsoftonline.com
DMARC record for microsoftonline.com:
Sample percentage: 100
DKIM alignment: relaxed
SPF alignment: relaxed
Domain policy: none
Subdomain policy: quarantine
Aggregate report URIs:
mailto:d...@rua.agari.com
Failure report URIs:
mailto:d...@ruf.agari.com

Any subdomain use p=quarantine but any DSN systematically fail.
Is this intentional?

Andreas




___
dmarc-discuss mailing list
dmarc-discuss@dmarc.org
http://www.dmarc.org/mailman/listinfo/dmarc-discuss

NOTE: Participating in this list means you agree to the DMARC Note Well terms 
(http://www.dmarc.org/note_well.html)

[dmarc-discuss] DMARC support on Exchange Servers and reporting back to senders

2017-12-20 Thread Ivan Kovachev via dmarc-discuss 
Hello all,

as far as I am aware, based on research, On-premise Exchange Servers do not 
support DMARC by default and third-party plugins need to be installed.

I was wondering if anyone has already done this on their exchange server and if 
they could give some suggestion on the products they have used?

Finally, I cannot find a single product that supports DMARC reporting ie. 
configure the exchange server to send aggregate reports back to the senders? 
Does anyone know if that is possible at all at the moment?


___
dmarc-discuss mailing list
dmarc-discuss@dmarc.org
http://www.dmarc.org/mailman/listinfo/dmarc-discuss

NOTE: Participating in this list means you agree to the DMARC Note Well terms 
(http://www.dmarc.org/note_well.html)