Re: [dmarc-discuss] Testing DMARC
On Tue, 2020-01-07 at 17:04 +0100, Gerben Wierda via dmarc-discuss wrote:
> But I would like to see if a message that comes from outside and that
> should be blocked because the owner of the domain has a policy p=reject.
> So, some sort of tester that is able to make me test how I react on
> incoming mail I should reject. Does something like that exist?

Perhaps I misunderstand, but wouldn't your inbound email server logs tell you how DMARC is evaluated for inbound emails from domains which you do not control?

Ken.

___
dmarc-discuss mailing list
dmarc-discuss@dmarc.org
http://www.dmarc.org/mailman/listinfo/dmarc-discuss

NOTE: Participating in this list means you agree to the DMARC Note Well terms (http://www.dmarc.org/note_well.html)
[dmarc-discuss] Re-verifying external report destinations
Quick question: Is it common for providers to re-verify external report email addresses from time to time?

I ask because a few months ago we did a clean-up and deleted a few authorisation TXTs for former clients who still had our report email address configured in their record. I've just noticed that some providers, including a few large ones (Google, LinkedIn and Rackspace) are still sending DMARC reports for some domains despite the lack of corresponding verifying records for several months.

Is what I'm seeing normal behaviour? And if the answer is yes, is rejecting the messages what others do when faced with an uncooperative former client?

Thanks,

Ken.
Re: [dmarc-discuss] dmarc-discuss Digest, Vol 85, Issue 2 UNSUBSCRIBE PLEASE
Hi Lorraine,

to unsubscribe from the list please a) visit the page http://dmarc.org/mailman/options/dmarc-discuss and follow the "To unsubscribe..." instructions at the end of the page or b) send an email to dmarc-discuss-requ...@dmarc.org with the word "unsubscribe" as the subject.

Ken.
Re: [dmarc-discuss] ESP - O365
On Tue, 2018-11-13 at 05:44 +, T Nguyen via dmarc-discuss wrote:
> Hi dmarc sme,
>
> Microsoft O365 is the email provider for example.com.
>
> DMARC is passing in the below scenario with relaxed DKIM and SPF, but
> would not pass with strict mode since the d=example123.onmicrosoft.com
> would not align with the from example.com. Any insight to resolve the
> problem in strict mode. The organizational domain registered with O365
> would have to be example123.onmicrosoft.com
> [...snip...]

DMARC is passing in that scenario because your return path contains example.com and DMARC only requires SPF or DKIM to be aligned, not both.

Relaxed alignment allows for sub-domains (e.g. example123.example.com) of the domain used in the friendly From to be used in the return path and/or the DKIM signing domain. Strict alignment requires the exact same domain to be used everywhere.

To have example.com as the DKIM signing domain and not example123.onmicrosoft.com you'll need to create custom DKIM records via the admin panel on Office 365.

Ken.
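
The alignment rule discussed in the message above, as an added Python example that is not part of the original thread or of any DMARC implementation. `PUBLIC_SUFFIXES` is a small constructed stand-in for the Public Suffix List, and the `bounces.example.com` return path is an assumed sample value.

```python
# Added illustration: DMARC identifier alignment, relaxed ("r") vs strict ("s").
# Assumption: tiny stand-in for the Public Suffix List; real evaluators load
# the full list to find organizational domains.
PUBLIC_SUFFIXES = {"com", "org", "net", "co.uk"}


def org_domain(domain):
    """Organizational domain: longest matching public suffix plus one label."""
    labels = domain.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[max(i - 1, 0):])
    return ".".join(labels[-2:])  # unknown suffix: fall back to last two labels


def aligned(from_domain, auth_domain, mode):
    """Strict needs an exact match; relaxed needs the same organizational domain."""
    a = from_domain.lower().rstrip(".")
    b = auth_domain.lower().rstrip(".")
    if mode == "s":
        return a == b
    return org_domain(a) == org_domain(b)


def dmarc_result(from_domain, spf, dkim_sigs, aspf="r", adkim="r"):
    """spf = (result, MAIL FROM domain); dkim_sigs = [(result, d= domain), ...].
    DMARC passes when at least one mechanism both passes and is aligned."""
    spf_ok = spf[0] == "pass" and aligned(from_domain, spf[1], aspf)
    dkim_ok = any(r == "pass" and aligned(from_domain, d, adkim)
                  for r, d in dkim_sigs)
    return {"spf_aligned": spf_ok, "dkim_aligned": dkim_ok,
            "dmarc": "pass" if (spf_ok or dkim_ok) else "fail"}


if __name__ == "__main__":
    spf = ("pass", "bounces.example.com")            # constructed return path
    default_sig = [("pass", "example123.onmicrosoft.com")]
    custom_sig = [("pass", "example.com")]           # after custom DKIM setup
    print("relaxed, default DKIM:", dmarc_result("example.com", spf, default_sig))
    print("strict, default DKIM: ",
          dmarc_result("example.com", spf, default_sig, aspf="s", adkim="s"))
    print("strict, custom DKIM:  ",
          dmarc_result("example.com", spf, custom_sig, aspf="s", adkim="s"))
```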
Re: [dmarc-discuss] Additional details
On Fri, 2018-07-20 at 09:30 -0400, Jerry Warner wrote:
> Posting it in text just now I see a link for Linkedin. I'll take that as
> a clue. OK, did a search of the mail logs for that date. Nothing with
> "linkedin" is listed in the logs.

Are they not details of an aggregate report from LinkedIn? I thought it was Comcast that sent the report?

If that's the IP (24.142.161.51) that was reported having a PERMFAIL on the SPF in the original report you posted, then my money is still on that being caused by your faulty SPF record. Even if that wasn't the IP that had the incorrect entry.

> Without knowing something about the email it would be pretty hard to find
> it in the server logs. There isn't even a time listed.

Aggregate reports are not intended to give that level of detail and forensic reports, which are, are rarely supported because of previously mentioned privacy concerns.

A thorough understanding of your mail flow combined with aggregate reports is usually sufficient to see exactly what might be breaking DMARC policy. Using separate selectors for DKIM (e.g. one for service desk emails etc.) can also be a useful strategy to help get more value from aggregate reports.

Ken.
Re: [dmarc-discuss] Additional details
On Fri, 2018-07-20 at 08:34 -0400, Jerry Warner via dmarc-discuss wrote:
>
> Thank you for catching that error in the SPF. I've now fixed that
> however I don't think that was the problem as that's not the IP address
> the message was sent from.

It would be useful to know that IP, the envelope header and the from address. What do the logs from your email server say about that email?

> I see a permerror under the record/auth_results/spf/result but I don't
> know what that means. This is also the only place it shows as a fail.

As already pointed out by Todd, that PERMERROR could be related to the (previous) syntax error in your SPF record. How broken SPF records are evaluated is non-standard.

Ken.
Re: [dmarc-discuss] MS mail servers (outlook, office365)
On Fri, 2018-07-13 at 14:05 +, Reinaldo Matukuma via dmarc-discuss wrote:
>
> Guys, I'm looking for the RUA coming from MS mail servers, but I just
> didn't see any.

I don't think they send them. I receive RUAs for a handful of domains and I don't see any originating from Microsoft recently.

> MS servers should still be compatible with DMARC, right?
>
> So, does anyone know if they have abandoned the adoption of DMARC since
> their last infrastructure change in late 2017?

They definitely use it as an indicator on the quality / validity of inbound email. Reporting isn't mandatory for implementation.

Ken.
Re: [dmarc-discuss] Email encryption services and DMARC
On Wed, 2018-07-11 at 12:22 +0100, Ivan Kovachev via dmarc-discuss wrote:
> The problem is that there are many other email encryption services out
> there and if the sender is using any of them then their recipients must
> also authorize them in their SPF records. This means that if any the
> sender or recipient is in DMARC reject when replying to such emails their
> emails will be rejected.
>
> Has anyone come across this problem before and what have you done to
> solve it? Is using subdomains (in DMARC none policy) for this email
> communication the only way to go for now?

Any service which spoofs email isn't going to play well with an active DMARC policy.

If you require your clients to reduce their DMARC security posture (by using no policy sub-domains etc.) in order to securely communicate with you, I think you may lose that battle.

Your options are probably either to a) relax / ignore email authentication signals from email originating at Cisco's end, b) move away from the service model and use a product that doesn't need to spoof emails in order to encrypt them, e.g. whatever Symantec call their PGP gateway now or c) implement S/MIME with an in-house or hosted PKI solution.

Ken.
Re: [dmarc-discuss] Newbie question: subdomain
On Wed, 2018-05-30 at 11:22 -0400, Jerry Warner wrote:
> I do not have a SPF record for mail.server.com in addition to
> server.com I thought it rolled back to server.com based on what I
> read.

As previously noted, nope.

> What's the point in listing mail.server.com in the server.com
> SPF if it's not looking there?

In case mail.server.com sent email using the domain server.com in the envelope header. In that case, an SPF test would look up the record for server.com to see if mail.server.com was authorised to send emails for that domain (server.com).

> So I need two SPF records, one for
> server.com and one for mail.server.com

Correct. You can use something like "v=spf1 +a -all" for mail.server.com

> Both can use the same
> DKIM as long as they're both aliases to the same domain on the mail
> server? I've looked, and I can't set up a second DKIM since
> mail.server.com and server.com are the same in the mail server
> program (imailserver).

Correct. As long as the DKIM signing domain is the same you'll be fine.

Ken.
Re: [dmarc-discuss] Newbie question: subdomain
On Wed, 2018-05-30 at 09:44 -0400, Jerry Warner via dmarc-discuss wrote:
> I'm reading over my reports and I see that I'm getting fails on valid
> emails sent from my server when the sender uses a mail.server.com
> name instead of just server.com.

Hi Jerry,

just a guess but does mail.server.com have its own SPF record? Because, it won't inherit anything in the SPF for server.com and if it's also not DKIM signing those emails then that would cause your DMARC failure.

Ken.
Re: [dmarc-discuss] General DMARC weakness - personal forwarding
On Mon, 2018-05-21 at 09:29 -0600, Pete Holzmann via dmarc-discuss wrote:
> QUESTIONS:
> 1) Is anyone working to solve these issues?
> 2) Has there been consideration of a forwarding token that could validate
> all such emails

Take a look at the work being done on Authenticated Received Chain (ARC) - http://arc-spec.org/

ARC breaks DMARC in those use cases where authenticated email is then forwarded on to another mailbox provider in a way which invalidates DMARC. Basically, it achieves this by including the previous DMARC authentication results in the message so that the receiver can then make a more informed filtering decision which is not solely based on the original domain's DMARC policy.

They have a dedicated mailing list.

Ken.
Re: [dmarc-discuss] Incorporation of dmarc in our email system
On Thu, 2018-04-26 at 09:15 -0400, Bongaerts Contract via dmarc-discuss wrote:
> Could someone please send us the procedure to incorporate dmarc in our
> email system ?

Hello Carl,

If you just mean checking incoming emails to make sure that they are compliant with DMARC (if present) then you will need to speak with the company which supplies your email service or email server software.

However, if you mean how to protect your outgoing emails with a DMARC policy then you can either ask the people that currently manage your IT infrastructure or seek external help from one of the companies listed here: https://dmarc.org/resources/products-and-services/

Before you implement DMARC, how you use email will need to be audited to make sure that the components which DMARC relies on are configured correctly and that all third party providers (such as newsletter senders) will work with DMARC.

Implementing DMARC incorrectly can result in your outgoing emails not reaching inboxes so make sure that the organisation implementing it knows what they are doing and have done similar work in the past.

Ken.

--
Ken O'Driscoll / We Monitor Email
t: +353 1 254 9400 | w: www.wemonitoremail.com
Need to understand deliverability? Now there's a book: www.wemonitoremail.com/book
Re: [dmarc-discuss] What is the usefulness of choosing 'iodef' versus 'afrf" ?
On Wed, 2017-12-06 at 09:48 -0500, DMARC via dmarc-discuss wrote:
> I've always been a little confused with the distinctions between
> the 'iodef' Incident Object Description Exchange Format or 'afrf'
> Authentication Failure Reporting Formats.
>
> Obviously, afrf has become the de facto standard, as that's all I see in
> any DMARC record that I examine.
>
> I've reviewed https://tools.ietf.org/html/rfc5070 and am no closer to
> appreciating the impact of selecting one format over another.
>
> Is this an example where one standard has been publicly accepted and the
> competing standards are more or less deprecated in deployment ?

My understanding is that IODEF is supported by Incident Response tools so if you wanted your DMARC reports to feed in to one of those, you'd pick it. I haven't encountered this use-case yet with a deployment so this is just my guess.

Ken.
Re: [dmarc-discuss] Fwd: DMARC report interpretation
On Mon, 2017-06-19 at 08:26 +0200, PenguinWhispererThe . via dmarc-discuss wrote:
> Am I interpreting this entry correctly? Thanks a lot in advance.

It's impossible to tell because you have obfuscated practically all of the relevant data. You need to include actual IPs and domain names for people to be able to help you properly.

gapssmtp.com is used by Google for sending email via their cloud offering. Perhaps there is some cloud instance operated by the second domain name spoofing your domain name in the From address. Legitimate (but still misguided) applications for such spoofing can include third party ticketing systems, invoicing services etc.

Without more information that's my guess.

Ken.
Re: [dmarc-discuss] Exchange DMARC plugin?
Hi Greg,

Microsoft don't provide DMARC (or indeed DKIM) support for Exchange 2013 either natively or via an additional plugin.

Your options are:

1) use a third-party plugin, such as Hexamail Guard,
2) put a DMARC supporting appliance in front of Exchange, such as Proofpoint Email Security, or,
3) put a DMARC supporting cloud offering in front of Exchange, such as Exchange Online Protection from Microsoft or the cloud version of Proofpoint Email Security.

For support and compliance reasons, option one doesn't work for a lot of organisations so factor that in.

Ken.

On Thu, 2017-04-20 at 21:26 +, Gregg Hughes via dmarc-discuss wrote:
> Good afternoon, all!
>
> Looking at implementation options for my onsite Exchange infrastructure.
> Is there a plugin or add-on module to process inbound DMARC for onsite
> Exchange 2013?
>
> Thanks to all in advance!
>
> Gregg Hughes Sr. Systems Engineer www.iscinternational.com 414.721.0301
> phone 262.314.3106 fax