Re: [dmarc-discuss] DSN from microsoftonline.com
On 21/12/17 05:43, A. Schulze via dmarc-discuss wrote: Am 20.12.2017 um 18:44 schrieb Roland Turner via dmarc-discuss: What HELO/EHLO hostname is being presented? I'm out of office for the next days and have no access to that data. From what I remember it's the hostname of the sending system, a rDNS related to Microsoft. Why do you think, the EHLO is important? SPF tests both: * the domain in the email address provided in MAIL FROM; and * the hostname provided in HELO/EHLO in part to deal intelligently with the empty return paths used in automated notifications of non-delivery, delivery-status, and delivery. I doubt that this will solve your problem, but note that your assertion that SPF could never been aligned wasn't supported by the information that you quoted. The actual answer to your problem will therefore turn on DKIM. Have you explored whether the organisations whose DSNs are failing DMARC also have the rest of their email failing DMARC? The use of the ${customer}.onmicrosoft.com domain to sign is consistent with domains for which DKIM signing hasn't been turned on. (It could also be a DSN-handling bug of course.) - Roland ___ dmarc-discuss mailing list dmarc-discuss@dmarc.org http://www.dmarc.org/mailman/listinfo/dmarc-discuss NOTE: Participating in this list means you agree to the DMARC Note Well terms (http://www.dmarc.org/note_well.html)
Re: [dmarc-discuss] DSN from microsoftonline.com
On Wed, Dec 20, 2017 at 1:48 PM A. Schulze via dmarc-discuss < dmarc-discuss@dmarc.org> wrote: > > > Am 20.12.2017 um 18:44 schrieb Roland Turner via dmarc-discuss: > > What HELO/EHLO hostname is being presented? > > I'm out of office for the next days and have no access to that data. > From what I remember it's the hostname of the sending system, a rDNS > related to Microsoft. > > Why do you think, the EHLO is important? > For bounces (ie, empty MAIL FROM), the EHLO argument is used for the SPF lookup, so it is technically possible for there to be a valid SPF record. That said, I wouldn't bet on it. I know there's still an open bug to create the DNS SPF records for our EHLO hostnames at Google, it was just never a high priority. Plus, it wouldn't really help the DMARC case because our DSN's come from @googlemail.com for some reason I was never clear on but our EHLO hostnames are google.com. Brandon ___ dmarc-discuss mailing list dmarc-discuss@dmarc.org http://www.dmarc.org/mailman/listinfo/dmarc-discuss NOTE: Participating in this list means you agree to the DMARC Note Well terms (http://www.dmarc.org/note_well.html)
Re: [dmarc-discuss] DSN from microsoftonline.com
Am 20.12.2017 um 18:44 schrieb Roland Turner via dmarc-discuss: > What HELO/EHLO hostname is being presented? I'm out of office for the next days and have no access to that data. >From what I remember it's the hostname of the sending system, a rDNS related >to Microsoft. Why do you think, the EHLO is important? Andreas ___ dmarc-discuss mailing list dmarc-discuss@dmarc.org http://www.dmarc.org/mailman/listinfo/dmarc-discuss NOTE: Participating in this list means you agree to the DMARC Note Well terms (http://www.dmarc.org/note_well.html)
Re: [dmarc-discuss] DSN from microsoftonline.com
What HELO/EHLO hostname is being presented? - Roland On 20/12/17 21:14, A. Schulze via dmarc-discuss wrote: Hello, we use to send a portion of messages requesting delivery status notification on success. In general DSN messages tend to not pass DMARC very often, but as we request DSN on success explicit we monitor them. Now I noticed a pattern on DSN sent from Microsoft. RFC5321.MailFrom <> RFC5322.FromDKIM-Signature d=${customer}.onmicrosoft.com SPF could never be aligned and DKIM isn't aligned. $ opendmarc-check microsoftonline.com DMARC record for microsoftonline.com: Sample percentage: 100 DKIM alignment: relaxed SPF alignment: relaxed Domain policy: none Subdomain policy: quarantine Aggregate report URIs: mailto:d...@rua.agari.com Failure report URIs: mailto:d...@ruf.agari.com Any subdomain use p=quarantine but any DSN systematically fail. Is this intentional? Andreas ___ dmarc-discuss mailing list dmarc-discuss@dmarc.org http://www.dmarc.org/mailman/listinfo/dmarc-discuss NOTE: Participating in this list means you agree to the DMARC Note Well terms (http://www.dmarc.org/note_well.html) ___ dmarc-discuss mailing list dmarc-discuss@dmarc.org http://www.dmarc.org/mailman/listinfo/dmarc-discuss NOTE: Participating in this list means you agree to the DMARC Note Well terms (http://www.dmarc.org/note_well.html)
[dmarc-discuss] DSN from microsoftonline.com
Hello, we use to send a portion of messages requesting delivery status notification on success. In general DSN messages tend to not pass DMARC very often, but as we request DSN on success explicit we monitor them. Now I noticed a pattern on DSN sent from Microsoft. RFC5321.MailFrom <> RFC5322.FromDKIM-Signature d=${customer}.onmicrosoft.com SPF could never be aligned and DKIM isn't aligned. $ opendmarc-check microsoftonline.com DMARC record for microsoftonline.com: Sample percentage: 100 DKIM alignment: relaxed SPF alignment: relaxed Domain policy: none Subdomain policy: quarantine Aggregate report URIs: mailto:d...@rua.agari.com Failure report URIs: mailto:d...@ruf.agari.com Any subdomain use p=quarantine but any DSN systematically fail. Is this intentional? Andreas ___ dmarc-discuss mailing list dmarc-discuss@dmarc.org http://www.dmarc.org/mailman/listinfo/dmarc-discuss NOTE: Participating in this list means you agree to the DMARC Note Well terms (http://www.dmarc.org/note_well.html)
[dmarc-discuss] DMARC support on Exchange Servers and reporting back to senders
Hello all, as far as I am aware, based on research, On-premise Exchange Servers do not support DMARC by default and third-party plugins need to be installed. I was wondering if anyone has already done this on their exchange server and if they could give some suggestion on the products they have used? Finally, I cannot find a single product that supports DMARC reporting ie. configure the exchange server to send aggregate reports back to the senders? Does anyone know if that is possible at all at the moment? ___ dmarc-discuss mailing list dmarc-discuss@dmarc.org http://www.dmarc.org/mailman/listinfo/dmarc-discuss NOTE: Participating in this list means you agree to the DMARC Note Well terms (http://www.dmarc.org/note_well.html)