[dmarc-discuss] What bad stuff can a broken DMARC record cause?
Someone I know asked me what sort of bad things could happen if one published a broken DMARC record. Obviously, if your record is bad people won't follow your policies and you won't get your reports, but anything else? Have you ever heard of MTAs burping on a bad DMARC record?

I've looked at the C OpenDMARC and perl Mail::DMARC libraries and they both seem pretty sturdy: fetch a TXT record and if they find one, look for the tags they want and ignore everything else.

As an experiment, I added 32K of junk to the _dmarc.johnlevine.com TXT record and as far as I can tell, it's made no difference. I still get the same reports saying the same things. DNS libraries need to use TCP to fetch it but they all seem able to do that.

Regards,
John Levine, jo...@taugh.com, Taughannock Networks, Trumansburg NY
Please consider the environment before reading this e-mail. https://jl.ly

___
dmarc-discuss mailing list
dmarc-discuss@dmarc.org
http://www.dmarc.org/mailman/listinfo/dmarc-discuss

NOTE: Participating in this list means you agree to the DMARC Note Well terms (http://www.dmarc.org/note_well.html)
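An added example (not the OpenDMARC or Mail::DMARC code John looked at) of the tolerant parsing he describes: it keeps the RFC 7489 tags it knows, skips everything else, and applies the RFC's fallback when the p= tag is unusable. The sample records, including one padded with 32K of junk, are constructed; no DNS lookup is performed.

```python
"""Tolerant DMARC record parser (example code, not from any library).

Mirrors the behaviour described above: take the TXT record, keep the
tags you recognise, ignore everything else.  A resolver would hand
join_txt_strings() the character strings of the TXT RR.
"""

# Tags defined in RFC 7489 section 6.3; anything else is ignored.
KNOWN_TAGS = {"v", "p", "sp", "rua", "ruf", "adkim", "aspf",
              "pct", "fo", "rf", "ri"}
POLICIES = {"none", "quarantine", "reject"}


def join_txt_strings(strings):
    """A TXT RR carries one or more <=255-octet strings; DMARC
    concatenates them with no separator (RFC 7489 section 6.6.1).
    A record over 512 octets forces the TCP fetch John mentions."""
    return "".join(strings)


def has_mailto_uri(value):
    """True if a comma-separated rua= value names at least one mailto: URI."""
    return any(u.strip().lower().startswith("mailto:") for u in value.split(","))


def parse_dmarc(record):
    """Return the tags a receiver acts on, or None when no DMARC
    processing should be applied (RFC 7489 section 6.6.3).

    Unknown tags, duplicate tags and items without '=' are skipped, so
    trailing junk (even 32K of it) does not stop the record being used.
    """
    tags = {}
    for item in record.split(";"):
        name, sep, value = item.partition("=")
        if not sep:
            continue                      # no '=': not a tag, skip it
        name = name.strip().lower()
        if name not in KNOWN_TAGS or name in tags:
            continue                      # unknown or duplicate: skip
        tags[name] = value.strip()

    # v=DMARC1 must be the first tag, otherwise this is not a DMARC record.
    first_name, _, first_value = record.split(";", 1)[0].partition("=")
    if first_name.strip().lower() != "v" or first_value.strip() != "DMARC1":
        return None

    policy = tags.get("p", "").lower()
    sp = tags.get("sp", policy).lower()
    if policy not in POLICIES or sp not in POLICIES:
        # Invalid or missing p/sp: usable as p=none only if a rua= URI
        # is present; otherwise the receiver applies no DMARC at all.
        if not has_mailto_uri(tags.get("rua", "")):
            return None
        policy = sp = "none"

    pct = tags.get("pct", "100")
    return {
        "p": policy,
        "sp": sp,
        # Defaults the RFC supplies when a tag is absent or malformed.
        "pct": int(pct) if pct.isdigit() and int(pct) <= 100 else 100,
        "adkim": "s" if tags.get("adkim", "r").lower() == "s" else "r",
        "aspf": "s" if tags.get("aspf", "r").lower() == "s" else "r",
        "rua": [u.strip() for u in tags.get("rua", "").split(",") if u.strip()],
        "ruf": [u.strip() for u in tags.get("ruf", "").split(",") if u.strip()],
    }


# Constructed records for demonstration.
SIMPLE_RECORD = "v=DMARC1; p=reject; rua=mailto:dmarc_rep@example.org; fo=1"
JUNK_RECORD = join_txt_strings(
    ["v=DMARC1; p=quarantine; rua=mailto:dmarc@example.org; bogus=1; "]
    + ["x" * 255] * 129)           # roughly 32K of trailing junk
```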
Re: [dmarc-discuss] [Ext] Re: [Ext] RE: [Ext] Re: Some DMARC adoption data
> Null MX doesn’t stop anyone from spoofing your domain to send email though.

Yes, I know, I wrote the RFC about it.

> SPF, DMARC are tools that work together to protect your domain and your reputation. If SPF was the magic bullet then nothing else would be needed.

The basic problem with SPF is that it can't describe all of the ways that people send mail. But it says "I send no mail at all" just fine.

Regards,
John Levine, jo...@taugh.com, Taughannock Networks, Trumansburg NY
Re: [dmarc-discuss] [Ext] RE: [Ext] Re: Some DMARC adoption data
> By that logic if you have SPF -all you don’t need anything else to protect your domain. Why even bother with DMARC at all?

As I said, if you don't send any mail at all, a null MX is useful but I don't see much point to DMARC. It's not a magic bullet. I suppose there are systems that look at DMARC but not at SPF -all but I don't know of many.

R's,
John

> From: John R Levine
> Sent: Friday, February 11, 2022 7:54:55 PM
> To: Chris Sweeney ; dmarc-discuss@dmarc.org
> Cc: ves...@tana.it
> Subject: [Ext] RE: [Ext] Re: [dmarc-discuss] Some DMARC adoption data
>
>> That's the point though, even if you don't send email from a domain it should have a SPF and DMARC record to prevent someone from spoofing your domain.
>
> If you have SPF -all and a null MX, you shouldn't need a DMARC record.
>
> Regards,
> John Levine, jo...@taugh.com, Taughannock Networks, Trumansburg NY
>
>> -----Original Message-----
>> From: dmarc-discuss On Behalf Of John Levine via dmarc-discuss
>> Sent: Friday, February 11, 2022 2:25 PM
>> To: dmarc-discuss@dmarc.org
>> Cc: ves...@tana.it
>> Subject: [Ext] Re: [dmarc-discuss] Some DMARC adoption data
>>
>> It appears that Alessandro Vesely via dmarc-discuss said:
>>> Study on Domain Name System (DNS) abuse : technical report. Appendix 1, 2022
>>> https://data.europa.eu/doi/10.2759/473317
>>>
>>> Chapter 17 of the Appendix (2nd link above) contains data on SPF and DMARC. The DMARC part says that 8,129,795 out of 246,425,997 domains exhibit a DMARC record (3.3%). Parsing DMARC records shows that 49.68% of the domain names with the DMARC record have p=none, 11.20% have p=quarantine, and 37.14% have p=reject.
>>
>> I wish they'd also looked at how many domains have MX records, or had SPF -all. I can't get too worried about no DMARC on a domain that doesn't send or receive mail.

Regards,
John Levine, jo...@taugh.com, Taughannock Networks, Trumansburg NY
Re: [dmarc-discuss] Heterogeneity in handling non-OD inputs among web-based DMARC checking tools
On Fri, 31 Dec 2021, su...@banbreach.com wrote:
> By planned changes, are you referring to draft-ietf-dmarc-dmarcbis-04?

Yes.

> When you say this is not a bug, do you mean "this is not a bug in the RFC" or "this is not a bug in the dmarc checker tool"?

No. I mean that it is not a bug that it will blur the distinction between org domain and PSD.

From what you've said, it sounds like some of the checkers are buggy, or at least reporting sloppily. The one that said a record was "empty" when in fact it did not exist sounds like sloppy coding to me.

Regards,
John Levine, jo...@taugh.com, Taughannock Networks, Trumansburg NY
Re: [dmarc-discuss] Thoughts for new value 'p=nomail'
On Mon, 31 Aug 2020, Brandon Long wrote:
> Hmm, DMARC is for the header from domain, however, I wonder if folks usually only do the spf lookup on the mail from argument, which may not be aligned and therefore doesn't hit that. And then how would this also play with say the Sender: header override draft, would you expect to listen to the SPF for the header from domain saying "no mail" or allow override?

We can get awfully meta here. Imagine an executive who has her assistant send all her mail, so the address in the From: line never sends any mail, although you can send mail to her. So SPF -all would be right even though the address is OK.

> Agreed with the general case of "I really mean it" though.

But this gets into "who cares what you think" territory (generic you, not Brandon you.) I think the least wrong thing to validate the From header is to check for a null MX. I realize that a lot of bulk mail is sent with From addresses that don't work ("please do not reply to this message, because we do not care what you want"), but I expect they're unlikely to publish null MX.

Regards,
John Levine, jo...@taugh.com, Taughannock Networks, Trumansburg NY
Re: [dmarc-discuss] DKIM Pass for unauthorized servers?
> My dmarc = v=DMARC1; p=reject; rua=mailto:dmarc_rep...@bexx.com; ruf=mailto:dmarc_foren...@bexx.com; fo=1
> Is this incorrect?

I wouldn't use p=reject but the syntax looks fine.

Regards,
John Levine, jo...@taugh.com, Taughannock Networks, Trumansburg NY
[dmarc-discuss] DMARC vs DKIM keys with s=mtasts
While fiddling with scripts to analyze mta-sts reports, I noticed some peculiar DKIM validation failures in reports from socketlabs. RFC 8460 which defines the reports says that mail reports have to be DKIM signed and the DKIM validation key should say "s=tlsrpt" rather than the usual s=email or default s=*. Socketlabs' keys do indeed have s=tlsrpt so the signature validation fails.

The C libopendkim and perl Mail::DKIM libraries have hard-coded tests for 'email' or '*'. Python dkimpy has a kludge that accepts 'tlsrpt' along with the other two. None of them have a way to say to look for a service type other than 'email'.

Beyond the kludge in dkimpy I don't see how to make mta-sts work properly with DMARC other than by even more grotesque kludges. I suppose I could imagine defining an ad-hoc list of local addresses that expect special DKIM service types, and somehow have the DKIM libraries adjust the service type depending on the current RCPT TO, but ugh. I also suppose we could encourage socketlabs to add another signature with the same d= but an s=email key.

At the moment it's OK-ish because socketlabs' mail is SPF aligned, so even if I were enforcing their p=reject policy, they'd pass. I have also seen no fake mta-reports at all, and I'm finding it hard to imagine a plausible threat model in which a bad guy could get the required signature with s=email but not s=tlsrpt.

RFC 8460 says the key SHOULD have s=tlsrpt and the recipient MAY ignore reports without that service type. I'm inclined to consider that an error in view of experience with it. Different service types are for messages delivered some way other than SMTP.

Regards,
John Levine, jo...@taugh.com, Taughannock Networks, Trumansburg NY
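An added example, not code from libopendkim, Mail::DKIM or dkimpy, showing the s= check as RFC 6376 defines it, why an s=tlsrpt key fails a hard-coded 'email' test, and the two workarounds mentioned above (choosing the service type from RCPT TO, or a second signature under the same d= with an s=email key). The key records, selectors and mailbox addresses are constructed, and cryptographic verification of the signatures is assumed to have already succeeded.

```python
"""DKIM key service-type (s=) handling (example code, not from any library).

RFC 6376 section 3.6.1: s= is a colon-separated list of service types
the key may be used for, '*' matches all, and an absent s= means '*'.
A verifier compares that against the type of the message in hand:
'email' for ordinary mail, 'tlsrpt' for TLSRPT reports (RFC 8460).
"""


def parse_key_record(txt):
    """Split a key record into tag/value pairs (RFC 6376 section 3.2);
    the first occurrence of a tag wins, items without '=' are skipped."""
    tags = {}
    for item in txt.split(";"):
        name, sep, value = item.partition("=")
        name = name.strip()
        if sep and name and name not in tags:
            tags[name] = value.strip()
    return tags


def service_types(txt):
    """Service types the key allows; the default when s= is absent is '*'."""
    return {s.strip() for s in parse_key_record(txt).get("s", "*").split(":")
            if s.strip()}


def key_usable(txt, wanted="email"):
    """Does this key permit a message of service type `wanted`?

    With wanted='email' this is the hard-coded test described for
    libopendkim and Mail::DKIM: only 'email' or '*' pass, so an
    s=tlsrpt key fails.  A TLSRPT report receiver has to ask for
    wanted='tlsrpt' instead.
    """
    types = service_types(txt)
    return "*" in types or wanted in types


def service_type_for_recipient(rcpt_to, tlsrpt_mailboxes):
    """The RCPT TO kludge: verify against 'tlsrpt' only for the local
    mailboxes that receive TLSRPT reports.  `tlsrpt_mailboxes` is an
    assumed local configuration value (the rua= addresses of this
    site's own TLSRPT record)."""
    return "tlsrpt" if rcpt_to.lower() in tlsrpt_mailboxes else "email"


def aligned_key_ok(signatures, key_records, from_domain, wanted="email"):
    """Given (d=, s=) of each verified DKIM-Signature and the key records
    indexed by '<selector>._domainkey.<domain>', is there a signature
    aligned (strict alignment, for brevity) with the From: domain whose
    key permits `wanted`?  A second signature under the same d= with an
    s=email key is what makes this true for ordinary DMARC evaluation."""
    for domain, selector in signatures:
        if domain.lower() != from_domain.lower():
            continue
        txt = key_records.get(f"{selector}._domainkey.{domain}")
        if txt is not None and key_usable(txt, wanted):
            return True
    return False


# Constructed key records; p= holds a placeholder, not real key material.
TLSRPT_KEY = "v=DKIM1; k=rsa; s=tlsrpt; p=PLACEHOLDER_KEY_DATA"
EMAIL_KEY = "v=DKIM1; k=rsa; p=PLACEHOLDER_KEY_DATA"          # no s= -> '*'
KEY_RECORDS = {
    "rpt._domainkey.reports.example": TLSRPT_KEY,
    "mail._domainkey.reports.example": EMAIL_KEY,
}
```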
Re: [dmarc-discuss] What is the end goal of DMARC?
On Wed, 17 Oct 2018, Alessandro Vesely wrote:
>> wildcard *.dmarc.fail addresses and they work fine. My mail server knows what's been rewritten recently and rejects everything else.
>
> Wildcard *.trailing.parts doesn't work, but is existent.

I have a wildcard MX for *.dmarc.fail pointing at my mail server and it works just like it is supposed to. I can believe that some people don't understand how to set up a mail server this way but that's a different problem.

> Hm... Suppose someone worked out reputation mechanics at some large mailbox providers, so as to be able to craft messages that ruin a mail site reputation to the point of rejecting messages from that site. Now, suppose also that a mailing list, key for the next presidential campaign, counts various users of those mailbox providers among its subscribers. Would you still recommend that they adopt your Perl script?

Since I have no idea how the largely implausible first part of your question relates to the utterly implausible second part, it's not a question I can answer.

R's,
John
Re: [dmarc-discuss] Anti-DMARC rewrites, was What is the end goal of DMARC?
On Sun, 14 Oct 2018, Al Iverson wrote:
> other than to the mailing list or to the owner. If you've addressed that, too, great, but it doesn't feel easy or scalable.

Of course we have. The rewritten address forwards to the real address for a few days. This means that the user's name and address appear in the From: header where they belong, and replies also work the way they're supposed to, without having to hijack the Reply-To header. It's certainly not perfect, but it's a lot better than putting the list address in the From: so you can't tell who messages are from and replies are backward.

As far as easy or scalable, the code to do this is about 300 lines of perl (it adds ARC headers, too) and the IETF uses it on all of their lists, at least a thousand of them.

R's,
John
Re: [dmarc-discuss] "p=none" vs. "p=quarantine; pct=0"
On Tue, 9 Oct 2018, Al Iverson wrote:
>> If you treat quarantine differently than none, you’re sending me misleading data in the reports you send (if of course
>>
>> Sorry, but that is just wrong. I publish p=none because that is my policy.
>
> It's not wrong from my perspective. It's exactly what I see in practice from ISPs and companies.

I'm not opposed to having some way to say pretend that I'm publishing a more restrictive policy, but I'd be rather annoyed if p=none were hijacked so there's no way to say my mail comes from different places and that's OK. I don't care what the details are. Maybe we can publish an update that formalizes the pct=0 hack, or add p=pseudoquarantine.

Regards,
John Levine, jo...@taugh.com, Taughannock Networks, Trumansburg NY
Re: [dmarc-discuss] Hotmail violating DMARC specification (fwd)
In article <530ab12f-8f41-478f-8e2c-8b276ae9d...@gmail.com>, Ivan Kovachev via dmarc-discuss wrote:
> I have also run some tests using a DMARC protected domain in reject mode and hotmail whether manually forwarding, auto-forwarding or redirecting the email treats the email in the same way and that is: retains the original From domain but the final recipient does the SPF and DKIM checks on the forwarder ie. hotmail so DMARC fails and emails are rejected.

That is DMARC operating as specified. If you say p=reject and don't DKIM sign your mail, you're saying that only the IP addresses in your SPF record can forward it. The forward issue is not unique to Hotmail; you'd see the same result from anyone who bounced, relayed, or otherwise forwarded it.

If that's not what you want, perhaps you should adjust your DMARC policy to say what you do want.

R's,
John
--
Regards,
John Levine, jo...@iecc.com, Primary Perpetrator of "The Internet for Dummies",
Please consider the environment before reading this e-mail. https://jl.ly
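An added example (not from any tool on the page) of the DMARC evaluation that produces the result Ivan saw: after a forward the SPF check fails or passes for an unaligned domain, so only an aligned DKIM signature can make the message pass. It also covers the organizational-domain lookup from the checker thread above. Authentication results are supplied as inputs rather than computed, and the public-suffix list is a small constructed subset.

```python
"""DMARC alignment and policy evaluation (example code, not from OpenDMARC
or Mail::DMARC).  Results of the SPF and DKIM checks are inputs here; a
real MTA obtains them from its own SPF and DKIM verification."""

# Constructed subset of the public suffix list, enough for the examples.
PUBLIC_SUFFIXES = {"com", "org", "co.uk"}


def organizational_domain(domain):
    """RFC 7489 section 3.2: the longest public suffix plus one label."""
    labels = domain.lower().strip(".").split(".")
    for i in range(1, len(labels)):
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[i - 1:])
    return domain.lower()


def policy_record_names(from_domain):
    """RFC 7489 section 6.6.3: query _dmarc.<From domain>; if nothing
    usable comes back and that is not already the organizational
    domain, query _dmarc.<organizational domain>."""
    names = [f"_dmarc.{from_domain.lower()}"]
    org = organizational_domain(from_domain)
    if org != from_domain.lower():
        names.append(f"_dmarc.{org}")
    return names


def aligned(identifier, from_domain, mode):
    """Identifier alignment, RFC 7489 section 3.1: strict ('s') needs an
    exact match, relaxed ('r') needs the same organizational domain."""
    identifier, from_domain = identifier.lower(), from_domain.lower()
    if mode == "s":
        return identifier == from_domain
    return organizational_domain(identifier) == organizational_domain(from_domain)


def dmarc_result(from_domain, policy, spf, dkim_sigs):
    """Evaluate DMARC for one message.

    from_domain: domain of the RFC5322.From address.
    policy:      parsed DMARC record with 'p', 'adkim' and 'aspf'.
    spf:         (result, domain) for the MAIL FROM (or HELO) identity.
    dkim_sigs:   list of (result, d=) for each DKIM-Signature header.
    Returns ('pass', None) or ('fail', disposition).

    A forwarder either relays the original MAIL FROM from its own IP
    (SPF fails) or rewrites MAIL FROM to its own domain (SPF passes but
    is unaligned).  Either way SPF contributes nothing, so the outcome
    depends on an aligned DKIM signature surviving the forward.
    """
    spf_ok = spf[0] == "pass" and aligned(spf[1], from_domain, policy["aspf"])
    dkim_ok = any(result == "pass" and aligned(d, from_domain, policy["adkim"])
                  for result, d in dkim_sigs)
    if spf_ok or dkim_ok:
        return ("pass", None)
    return ("fail", policy["p"])


# Constructed policy records for the examples.
RELAXED_REJECT = {"p": "reject", "adkim": "r", "aspf": "r"}
STRICT_REJECT = {"p": "reject", "adkim": "s", "aspf": "s"}
```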
Re: [dmarc-discuss] I have a working solution for spam problem. Need your valuable feedback
> Because I'm introducing a proprietary standard called "Sender Alias Domains (SAD)" and make use of already popular solutions like SPF, DKIM, DMARC.

As is well known to anyone who is familiar with the history of e-mail, it's not hard to keep bad guys out of a small walled garden. But it doesn't scale. Here endeth the free consulting.

I see that you're sending the same junk messages to some IETF lists. Do yourself a favor, and don't do that.

Regards,
John Levine, jo...@taugh.com, Taughannock Networks, Trumansburg NY
Re: [dmarc-discuss] I have a working solution for spam problem. Need your valuable feedback
> My presentation contains 373 slides. My demo video length: 30 minutes. From where do you really think I got the content?

I looked at the first 50 slides or so, and I get the strong impression that you're not familiar with US patent 5,930,479, which was filed in 1996 and issued in 1999 and expired in 2016.

Nothing personal but we've seen a whole lot of FUSSPs over the past 20 years, and the number that have actually worked is zero. Why should yours be any different?

Regards,
John Levine, jo...@iecc.com, Primary Perpetrator of "The Internet for Dummies",
Re: [dmarc-discuss] I have a working solution for spam problem. Need your valuable feedback
Sorry, but this is not relevant to the dmarc discuss list. I took a look at the web page and stopped after "We are building a Parallel Internet" ...

On Wed, 22 Aug 2018, Viruthagiri Thirumavalavan via dmarc-discuss wrote:
> Hello Everyone,
>
> First of all. I would like to thank you all for developing and contributing to DMARC. Because you guys already helped to reduce plenty of spam on the Internet and my solution utilises DMARC along with SPF and DKIM
>
> My name is Viruthagiri Thirumavalavan. I started my research to solve the spam problem back in 2013. Five years later I think I have a presentable solution.
>
> Thousands of people tried to solve the spam problem in the past 40 years. What makes my solution different is that, unlike others my system works on the following principle.
>
> "Spam should be prevented at the source, not the destination"
>
> I'm not trying to fight spam with spam filters, but trying to make the email address useless in the spammers hands. If my system works, then it's going to be the world's first zero spam mail system.
>
> I would be grateful if you guys can give me some feedback by reading my presentation. The summary can be found in my company's official website. I just put the website online.
>
> https://www.dombox.org/
>
> Thanks very much :-)
Re: [dmarc-discuss] Email encryption services and DMARC
On Wed, 11 Jul 2018, John R Levine wrote:
> If you're going to have a third party send mail for you, why can't you just list the third party IP address in your SPF record?

Oh, wait, I got it backward. On the outbound mail, you're right, it's the customer's domain so they can add the IP to the SPF. On the inbound mail, the customer sees all the mail coming from the third party. In that case either the third party needs to do some filtering, or the customer needs to peek at the received headers to do some retroactive SPF checking.

Regards,
John Levine, jo...@taugh.com, Taughannock Networks, Trumansburg NY
Re: [dmarc-discuss] General DMARC weakness - personal forwarding
On Fri, 25 May 2018, Rolf E. Sonneveld wrote:
> I may live in another world or the mailing lists to which I subscribe may be different from the ones you subscribe to, but it is my experience that most mailing lists didn't implement the From rewriting kludge, but instead implemented the 'reject from domains that publish p=reject'.

You definitely live in another world. Even RIPE and the IETF do rewrites now.

> Rewriting the From address can be seen as 'breaking the system'.

No kidding. That's why we hope ARC will work well enough that we don't have to.

Regards,
John Levine, jo...@taugh.com, Taughannock Networks, Trumansburg NY
Re: [dmarc-discuss] 2 questions about evaluating DMARC reports -- recommendations ?
> bits in a database at https://www.taugh.com/rddmard

Typo. As you might expect it's really https://www.taugh.com/rddmarc

Regards,
John Levine, jo...@taugh.com, Taughannock Networks, Trumansburg NY
Re: [dmarc-discuss] DKIM vulnerability overview
> 1. The fact that some folk know about these issues and that they were talked about at some point in time and that there is an obscure record of those discussions does not mean that these issues are well-documented or well-understood broadly.

The guy who wrote the security screed appears to have made not even the least attempt to see if these are known issues (google finds them pretty fast.) I don't think I would want to take security advice from someone like that.

I haven't bothered with a detailed critique of the paper. Here you go:

1. You can add extra Subject and From headers!
2. There are changes that don't change the semantics of the message (much) but break the signature!

The first was beaten to death by someone we both know at innumerable IETF, M3AAWG, and other meetings. The other is mentioned in the spec.

> We should strongly consider producing such a treatment, with a title like "DKIM Pragmatics" or the like.

We could do that but I don't see any reason to think that the people who haven't read any of the other good advice would read it.

R's,
John
Re: [dmarc-discuss] Anything to be done about DMARC failures caused by internal Microsoft forwards?
> So, what am I trying to accomplish, aside from the trivial goal of making hackers stop emailing me?

As we hardly need tell you, there's no cure for stupid. Perhaps a comment in your DMARC record saying that bug reports will be met with ridicule, and some procmail scripts to ridicule any bug reports that mention DMARC would help.

> It feels to me like my unease about DMARC stems from the fact that the folks who wrote the spec and the sites that are enforcing DMARC have a markedly different philosophy than I do about email.

DMARC was originally intended for places like Paypal that have severe forgery problems and consciously are willing to lose some mail in return for less forgery. (It probably helps that the only mail Paypal sends says "something happened, log in to your account to see what it is.") Then AOL and Yahoo used it to outsource the costs of having their user address books stolen and things went downhill from there. Now as you've seen it's the FUSSP of the month.

I use p=none and ask for reports, which I process automatically with some little scripts that put the interesting bits in a mysql database at which I very occasionally look. Sounds like that's right for you, too. The scripts are here: https://www.taugh.com/rddmarc/

R's,
John
Re: [dmarc-discuss] FBL via DMARC?
> What would be great is if this RFC could have some language discussing having a confirmation dialog to prevent these accidental mistakes from happening.

It does. It says that the whole point of this draft is to have a non-interactive unsubscribe that mail systems can do in the background when people report mail as spam. Mailers may not like it, but it's what recipient systems want, and what they've told me they're going to do.

R's,
John
Re: [dmarc-discuss] introduction to the list-virtual server & mailman questions
> It is even worse than I thought, you really want to stop efforts in fighting phish, by muddling the waters between real domains and fake ones

There's no muddling going on. dmarc.fail is a real domain that should have an excellent reputation since it sends no phish.

> sigh!
>
> On Sun, Feb 7, 2016 at 1:02 PM, John R Levine wrote:
>>>> mailing list. For example. mail from mari...@yahoo.com turns into mari...@yahoo.com.dmarc.fail.
>>>
>>> Except that @yahoo.com.dmarc.fail is not a domain that exists, and will negatively impact the email deliverability.
>>
>> Why in the world would you say that? It not only exists, it's DNSSEC signed which is more than you can say about linkedin.com.
>>
>> Forwarding email addresses in yahoo.com.dmarc.com exist for a couple of days after someone at the corresponding yahoo.com address sends mail through any of my mailing lists, same for any other address in a domain with a DMARC policy.
>>
>> R's,
>> John
>>
>> ; <<>> DiG 9.8.3-P1 <<>> yahoo.com.dmarc.fail mx +dnssec
>> ;; global options: +cmd
>> ;; Got answer:
>> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 30940
>> ;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 6, ADDITIONAL: 1
>>
>> ;; OPT PSEUDOSECTION:
>> ; EDNS: version: 0, flags: do; udp: 4096
>> ;; QUESTION SECTION:
>> ;yahoo.com.dmarc.fail.    IN  MX
>>
>> ;; ANSWER SECTION:
>> yahoo.com.dmarc.fail.  3585  IN  MX  20 mail1.iecc.com.
>> yahoo.com.dmarc.fail.  3585  IN  RRSIG  MX 8 2 3600 2016040300 20160201054514 58563 dmarc.fail. IZIPS60KsnOEFMX/gYo/3o8zzlIzfhFTrmo2IkbKMLWoWQPIAwXLZRDk jXXmymrxYSJ1k3yUUVztCSKzDBWFu4WvYiUwpc9NbG3v7DdN1OwUkxcM RgjmqjMxwPcQI1RFoJkgPD1V3azJDOV/f73bd4HPimVD5r6SP/s/v3gc 1s8=
>>
>> ;; AUTHORITY SECTION:
>> *.k1602._domainkey.dmarc.fail.  7185  IN  NSEC  dmarc.fail. TXT RRSIG NSEC
>> *.k1602._domainkey.dmarc.fail.  7185  IN  RRSIG  NSEC 8 4 7200 2016040300 20160201054514 58563 dmarc.fail. Ue/IR/Gdy4DJHsEJgToONRMP9j5Skyf8hxIHCCGPTyNc+URgtJFDpilS 21MTC7zuCIt4fIKV8x428VJDzg2fZzMFQNDuMmtvs8aLMVL6TGAfKlVQ NjbYowFrS6g5xTFpkm5SdJmNnLreymuVksVFeniO2Td2+bn2Vvr7hzfc iAw=
>> dmarc.fail.  1429  IN  NS  sdn.iecc.com.
>> dmarc.fail.  1429  IN  NS  osdn.iecc.com.
>> dmarc.fail.  1429  IN  NS  light.lightlink.com.
>> dmarc.fail.  1429  IN  RRSIG  NS 8 2 3600 2016040300 20160201054514 58563 dmarc.fail. sZOP1+0qp3pCrk0l9VcEivHak4+v2I32jp9m6iysYTO49m6s6qadiyIy I3O21vr4Tk5V+XoN9F/zaIctT4nvDH2mIiDN24cB2uGb05zRg809ars5 WqOOBCBkYiKJUNi95LmZ0W2VCXqVwTxEYLC4r9EFoBGEm/dloDcWVjG7 Z6A=
>>
>> ;; Query time: 0 msec
>> ;; SERVER: 192.168.80.2#53(192.168.80.2)
>> ;; WHEN: Sun Feb 7 15:57:10 2016
>> ;; MSG SIZE rcvd: 707

Regards,
John Levine, jo...@taugh.com, Taughannock Networks, Trumansburg NY
Re: [dmarc-discuss] Google paper on email security mentions DMARC
> Seeing as DNSSEC hasn't been done to many (if any) google domains, I wouldn't expect dane to be implemented yet either.
>
> "DNSSEC has not been widely deployed— recent studies have found that less than 0.6% of .com and .net domains have deployed DNSSEC [46]"

DNSSEC still has some serious deployment issues. I sign all the DNS zones on my server, but I can only install the required DS records for about half of them, because the registrars won't talk to me because I'm not the registrant, my users are. DMARC at least doesn't have that problem.

Regards,
John Levine, jo...@taugh.com, Taughannock Networks, Trumansburg NY
Re: [dmarc-discuss] Still having problems with third-party sending
> I've been looking at examples. I'm not sure how to solve the problem of recipient perception of the subdomain. We have been so effective at convincing people that email addresses that look different from what you are expecting are a phishing attack and they should simply delete it that they do not respond to our subdomain emails but still fall for real phishing. Yes, the irony is not lost on me.

Take a look at some of the stuff you get from big brands. People don't seem to find off...@email.bigcorp.com very different from off...@bigcorp.com. These days most MUAs don't even show the address, just the From: header comment.

> Another issue with subdomains is the return address. Maybe a customer can alias one domain on top of another, but that also triggers suspicion on the part of the recipient. Not sure how to handle that one.

Same answer. Suspicion? Of an address they don't even see?

> DKIM selectors are for key management, ...

> Maybe the misunderstanding speaks to a common conceptual model for outsiders?

I believe it is more due to not reading the documentation.

> What are the implications of generalizing selectors to identifying different streams?

You have something that is not DKIM. See RFC 6376, particularly section 3.

You've already got the answer -- if you want the streams all to use the same domain, whoever manages the domain has to manage the DNS records, and if you want DMARC reports, arrange for someone to receive the reports and process them however is useful, which might include segmenting them by characteristics known to the domain manager. If the domain manager cannot or will not do that, use subdomains or different domain names.

R's,
John
Re: [dmarc-discuss] the obvious lookalike attack
> Yes, but users[*] more-or-less have learnt to expect contrived messages from mailing lists (altered Subject, footer added, and now altered From line...), ...

The users on my mailing lists have no clue about a buggered From: line. How many lists do you run?

Regards,
John Levine, jo...@taugh.com, Taughannock Networks, Trumansburg NY
Re: [dmarc-discuss] DMARC woes - forwarding signed / encrypted e-mail
> This is hardly a solution, both because it's utterly undocumented, and it requires a kind of spam filtering that not everyone wants or can afford.

> Assuming by this you mean use of DMARC results as a non-absolute filter input, isn't that how most everyone treats SPF these days?

Yes, as far as I can tell. The only people I know who reject on SPF -all tend to be running home linux boxes.

On the other hand, the set of mail screwed up by SPF -all has very little overlap with the mail screwed up by DMARC, so it's hard to predict how relevant that will be.

Regards,
John Levine, jo...@taugh.com, Taughannock Networks, Trumansburg NY