Re: [dmarc-discuss] DMARC authentication issues with Google

2017-12-12 Thread Brandon Long via dmarc-discuss
There are multiple services, such as Valimail or Dmarcian or whatever which
can help you make that decision, though perhaps they're all a bit biased
towards actually making the transition to quarantine/reject.

It may be possible to switch to quarantine until the blast is contained.
You do have multiple months of data to see what would be affected. That's
also what I imagine these companies spend a lot of effort on: helping you
identify what sending services will be affected when you make the switch.

Brandon


On Sat, Dec 9, 2017 at 2:10 PM The Venus Project Postmaster <
postmas...@thevenusproject.com> wrote:

> Thanks for the information and suggestions. It was helpful.
>
> I've been monitoring https://postmaster.google.com for the last two
> months and, surprisingly, DMARC authentication was consistently at 100%
> that entire time, right since after I posted my message to this list. But a
> few days ago, about December 5th, it dropped to almost 0%. See attached
> image.
>
> I then cross-checked with the feedback reports (we get those in
> dmarcian.com) and it looks like right at December 5th there was a big
> spike in fraudulent emails pretending to be sent from our domain. See
> attached screenshot from dmarcian.com's interface.
>
> So the DMARC authentication percentage in the Google Postmaster Tool would
> indeed appear to be separate/independent from the SPF and DKIM
> authentication. That does seem counterintuitive to me.
>
> Would you have any recommendation on DMARC policy to use in this
> situation? I don't know if p=quarantine would be justified with such an
> amount of fraudulent senders. I imagine if we make our policy p=quarantine,
> some genuine emails might end up in recipients' Spam folders due to
> whatever temporary technical glitches with authentication, so I am not too
> sure how to weigh the positives and negatives of such policy change. I also
> don't know what damage these fraudulent senders might be causing to our
> domain reputation or anything else.
>
> Thanks,
> Borislav
> The Venus Project Postmaster Team
> www.thevenusproject.com
>
> On 10/5/2017 9:18 PM, Brandon Long wrote:
>
> That graph is awful, especially how it's conflating those three things.
>
> My guess (I don't know much about the postmaster tools), is that SPF is
> only judging what has an envelope sender for your domain, DKIM is only
> judging what has a DKIM signature, and DMARC is judging what is "From" your
> domain.
>
> Given that it has "dmarc" on it, you'd think the graph would be about
> dmarc and alignment, and the three lines would all be judged on the same
> messages, but I'm guessing it's not. I.e., you'd think it was all messages
> From your domain, and then the dmarc output would match where spf and dkim
> failed.
>
> My guess is what you're seeing is because you're p=none, and so some of
> your messages which have your From domain are being sent through GSuite
> mailing lists (which are used for most GSuite aliases like
> sa...@gsuitecustomer.com, so quite common), and because you're p=none, we
> don't rewrite the From, and we do remove the DKIM signature (since it would
> be broken) and the envelope sender will be the list (so not affecting your
> SPF).  This will likely be what you find in your dmarc aggregate report.
> If you were to go p=quarantine or reject, GSuite Groups would start
> rewriting the from and the dmarc failures would likely go down or away for
> you.
>
> Brandon
>
> On Thu, Oct 5, 2017 at 4:24 AM, Roland Turner via dmarc-discuss <
> dmarc-discuss@dmarc.org> wrote:
>
>> Is the information in this graph consistent with what's in Google's
>> aggregate feedback? (This is to determine whether Google's DMARC
>> implementation is broken, or just the postmaster tool.)
>>
>> - Roland
>>
>>
>>
>> On 05/10/17 18:51, The Venus Project Postmaster via dmarc-discuss wrote:
>>
>> Hi everyone,
>>
>> For the past several months we have been experiencing ups and downs in
>> our DMARC authentication with Gmail, as seen from Google's postmaster tool
>> (see attached screenshot). DKIM and SPF authentication are consistently at
>> 100%, but DMARC authentication varies wildly, although there have been no
>> configuration changes on our side.
>>
>> Our DMARC DNS record seems to be set up properly.
>>
>> Some time ago I contacted the Google postmaster team through their
>> feedback form, but nothing followed.
>>
>> Does anyone have any suggestions on what could be causing this (could it
>> be anything on our end?) and what we could do to resolve it?
>>
>> Thanks in advance,
>> Borislav
>> The Venus Project Postmaster Team
>> www.thevenusproject.com
>>
>>
>> ___
>> dmarc-discuss mailing list
>> dmarc-discuss@dmarc.org
>> http://www.dmarc.org/mailman/listinfo/dmarc-discuss
>>
>> NOTE: Participating in this list means you agree to the DMARC Note Well
>> terms (http://www.dmarc.org/note_well.html)

Re: [dmarc-discuss] DMARC authentication issues with Google

2017-10-05 Thread Brandon Long via dmarc-discuss
That graph is awful, especially how it's conflating those three things.

My guess (I don't know much about the postmaster tools), is that SPF is
only judging what has an envelope sender for your domain, DKIM is only
judging what has a DKIM signature, and DMARC is judging what is "From" your
domain.

Given that it has "dmarc" on it, you'd think the graph would be about dmarc
and alignment, and the three lines would all be judged on the same
messages, but I'm guessing it's not. I.e., you'd think it was all messages
From your domain, and then the dmarc output would match where spf and dkim
failed.

My guess is what you're seeing is because you're p=none, and so some of
your messages which have your From domain are being sent through GSuite
mailing lists (which are used for most GSuite aliases like
sa...@gsuitecustomer.com, so quite common), and because you're p=none, we
don't rewrite the From, and we do remove the DKIM signature (since it would
be broken) and the envelope sender will be the list (so not affecting your
SPF).  This will likely be what you find in your dmarc aggregate report.
If you were to go p=quarantine or reject, GSuite Groups would start
rewriting the from and the dmarc failures would likely go down or away for
you.

Brandon

On Thu, Oct 5, 2017 at 4:24 AM, Roland Turner via dmarc-discuss <
dmarc-discuss@dmarc.org> wrote:

> Is the information in this graph consistent with what's in Google's
> aggregate feedback? (This is to determine whether Google's DMARC
> implementation is broken, or just the postmaster tool.)
>
> - Roland
>
>
>
> On 05/10/17 18:51, The Venus Project Postmaster via dmarc-discuss wrote:
>
> Hi everyone,
>
> For the past several months we have been experiencing ups and downs in our
> DMARC authentication with Gmail, as seen from Google's postmaster tool (see
> attached screenshot). DKIM and SPF authentication are consistently at 100%,
> but DMARC authentication varies wildly, although there have been no
> configuration changes on our side.
>
> Our DMARC DNS record seems to be set up properly.
>
> Some time ago I contacted the Google postmaster team through their
> feedback form, but nothing followed.
>
> Does anyone have any suggestions on what could be causing this (could it
> be anything on our end?) and what we could do to resolve it?
>
> Thanks in advance,
> Borislav
> The Venus Project Postmaster Team
> www.thevenusproject.com

Re: [dmarc-discuss] DMARC authentication issues with Google

2017-10-05 Thread Roland Turner via dmarc-discuss
Is the information in this graph consistent with what's in Google's 
aggregate feedback? (This is to determine whether Google's DMARC 
implementation is broken, or just the postmaster tool.)


- Roland


On 05/10/17 18:51, The Venus Project Postmaster via dmarc-discuss wrote:


Hi everyone,

For the past several months we have been experiencing ups and downs in 
our DMARC authentication with Gmail, as seen from Google's postmaster 
tool (see attached screenshot). DKIM and SPF authentication are 
consistently at 100%, but DMARC authentication varies wildly, although 
there have been no configuration changes on our side.


Our DMARC DNS record seems to be set up properly.

Some time ago I contacted the Google postmaster team through their 
feedback form, but nothing followed.


Does anyone have any suggestions on what could be causing this (could 
it be anything on our end?) and what we could do to resolve it?


Thanks in advance,
Borislav
The Venus Project Postmaster Team
www.thevenusproject.com 
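
Brandon's guess about what each graph line measures, and Roland's question about the aggregate feedback, can both be checked against a report. The following is an added example, not part of any post in this thread: it tallies a constructed RFC 7489 aggregate report the way Brandon guesses the graph is computed. The `example.org` domain, the sample records, the `summarize` name and the exact-match domain comparison are assumptions.

```python
import xml.etree.ElementTree as ET

DOMAIN = "example.org"  # placeholder for the reporting domain's own name

# Constructed sample in the RFC 7489 aggregate-report layout (not real data).
REPORT = """<feedback>
<record><row><source_ip>192.0.2.10</source_ip><count>120</count>
  <policy_evaluated><dkim>pass</dkim><spf>pass</spf></policy_evaluated></row>
 <identifiers><header_from>example.org</header_from></identifiers>
 <auth_results><dkim><domain>example.org</domain><result>pass</result></dkim>
  <spf><domain>example.org</domain><result>pass</result></spf></auth_results></record>
<record><row><source_ip>198.51.100.7</source_ip><count>40</count>
  <policy_evaluated><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
 <identifiers><header_from>example.org</header_from></identifiers>
 <auth_results><spf><domain>lists.example.net</domain><result>pass</result></spf>
 </auth_results></record>
<record><row><source_ip>203.0.113.50</source_ip><count>300</count>
  <policy_evaluated><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
 <identifiers><header_from>example.org</header_from></identifiers>
 <auth_results><spf><domain>bulk.example.com</domain><result>none</result></spf>
 </auth_results></record>
</feedback>"""

def summarize(xml_text, domain=DOMAIN):
    """Return (percent pass per graph line, sources failing DMARC)."""
    tally = {"spf": [0, 0], "dkim": [0, 0], "dmarc": [0, 0]}  # [passed, total]
    failing = []
    for rec in ET.fromstring(xml_text).iter("record"):
        if (rec.findtext("identifiers/header_from") or "").lower() != domain:
            continue
        n = int(rec.findtext("row/count"))
        pe = rec.find("row/policy_evaluated")
        # DMARC passes only if an *aligned* DKIM or SPF result passed.
        ok = "pass" in (pe.findtext("dkim"), pe.findtext("spf"))
        tally["dmarc"][0] += n * ok
        tally["dmarc"][1] += n
        other = []  # domains that authenticated but are not ours
        for mech in ("spf", "dkim"):
            for res in rec.findall(f"auth_results/{mech}"):
                d, passed = res.findtext("domain").lower(), res.findtext("result") == "pass"
                if d == domain:  # per-mechanism lines only see our own domain
                    tally[mech][0] += n * passed
                    tally[mech][1] += n
                elif passed:
                    other.append(d)
        if not ok:
            failing.append((rec.findtext("row/source_ip"), n, other))
    rates = {k: round(100 * p / t, 1) if t else None for k, (p, t) in tally.items()}
    return rates, failing
```

On the sample, SPF and DKIM both stay at 100% while DMARC falls to 26.1%, and the failing rows separate into one where another domain's SPF passed (the list-style case) and one where nothing authenticated. Real reports come from third parties, so parse them with a hardened XML parser such as `defusedxml`.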




[dmarc-discuss] DMARC authentication issues with Google

2017-10-05 Thread The Venus Project Postmaster via dmarc-discuss

Hi everyone,

For the past several months we have been experiencing ups and downs in 
our DMARC authentication with Gmail, as seen from Google's postmaster 
tool (see attached screenshot). DKIM and SPF authentication are 
consistently at 100%, but DMARC authentication varies wildly, although 
there have been no configuration changes on our side.


Our DMARC DNS record seems to be set up properly.

Some time ago I contacted the Google postmaster team through their 
feedback form, but nothing followed.


Does anyone have any suggestions on what could be causing this (could it 
be anything on our end?) and what we could do to resolve it?


Thanks in advance,
Borislav
The Venus Project Postmaster Team
www.thevenusproject.com 
