[dmarc-discuss] Help

2019-07-09 Thread Ian Breeze via dmarc-discuss
Remove

On 9 Jul 2019, 9:00 a.m., dmarc-discuss-requ...@dmarc.org wrote:

Send dmarc-discuss mailing list submissions to
	dmarc-discuss@dmarc.org

To subscribe or unsubscribe via the World Wide Web, visit
	http://dmarc.org/mailman/listinfo/dmarc-discuss
or, via email, send a message with subject or body 'help' to
	dmarc-discuss-requ...@dmarc.org

You can reach the person managing the list at
	dmarc-discuss-ow...@dmarc.org

When replying, please edit your Subject line so it is more specific
than "Re: Contents of dmarc-discuss digest..."


Today's Topics:

   1. Re: DMARC fails for "on behalf of" messages (Alessandro Vesely)


--

Message: 1
Date: Tue, 9 Jul 2019 10:36:55 +0200
From: Alessandro Vesely 
To: dmarc-discuss@dmarc.org
Subject: Re: [dmarc-discuss] DMARC fails for "on behalf of" messages
Message-ID: 
Content-Type: text/plain; charset=utf-8

> you have to try to find out users who are sending emails in a way you
> described, and ask them to change FROM address to the one matching
> sender domain (senderdomain.aaa)


Or change the bounce address while signing.  Having an SPF pass helps in case of DKIM hiccups.


> or you can move to REJECT policy and accept the loss of emails, sent
> by those users.


Or try quarantine with varying pct...


Best
Ale
-- 
> --
> Aleksandr
>
> 07.07.2019, 14:49, "Jay 1985 via dmarc-discuss" :
>
> we have a scenario where some users send emails "on behalf of"
> other email address. Headers appear like...
> Sender: us...@senderdomain.aaa
> From: us...@fromdomain.bbb
> Return-Path:
> DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
> d=senderdomain.aaa;
>
> In gmail both SPF and DKIM authentication passed but this doesn't
> align with the from domain DMARC fails. How to tackle this
> situation. is there any way forward? this is the only issue
> pending to move forward in reject mode.
>


--

Subject: Digest Footer

___
dmarc-discuss mailing list
dmarc-discuss@dmarc.org
http://www.dmarc.org/mailman/listinfo/dmarc-discuss

NOTE: Participating in this list means you agree to the DMARC Note Well terms (http://www.dmarc.org/note_well.html)


--

End of dmarc-discuss Digest, Vol 86, Issue 3



Re: [dmarc-discuss] help!

2019-01-09 Thread Zachary Aab via dmarc-discuss
The MAIL FROM is not easily spoofed if there is SPF, that's SPF's role.
The displayed Header From *is* easily spoofed, which is why we have DMARC.
DMARC is based on the displayed Header From that the user sees and matches
that domain to either the DKIM or the MAIL FROM, because if the Header From
is the same as a 'proven' domain (DKIM is proven by DKIM passing and MAIL
FROM is proven by SPF passing), then the displayed Header From is also
proven.
If the displayed Header From is not the same as a proven domain (DKIM or
MAIL FROM), then the DMARC policy (p=__) is consulted to see if the owner
of the domain wants the email quarantined or rejected.
My best,
Zack Aab
<http://inboxpros.com/>
*Zack Aab | Sr. Deliverability Strategist*
<http://linkedin.com/in/zachary-aab/>
*Inbox Pros <http://inboxpros.com/> *1995 N Park Place | Suite 300 | Atlanta
O: 678.214.3739 | C: 706-870-1061 | z...@inboxpros.com


On Wed, Jan 9, 2019 at 11:54 AM T Nguyen  wrote:

> Thank you Zack for the prompt response.
>
> The mfrom, MAIL FROM (aka Return-Path aka Envelope-From), is very easily
> spoofed and we received lots of spoofing email where Envelope-From is not
> aligned with the display "from", where recipients sees the sender email
> address. From my understanding that dmarc alignment is based on domain of
> this display "from", correct?
> --
> *From:* Zachary Aab 
> *Sent:* Wednesday, January 9, 2019 11:30 AM
> *To:* Paul Rock
> *Cc:* T Nguyen; dmarc-discuss@dmarc.org
> *Subject:* Re: [dmarc-discuss] help!
>
> That is a mistake a LOT of senders make, and it's often the fault of their
> ESP which provided incomplete or even wrong information.
> Just to reinforce what Paul said:
> The Header From IS NOT checked for SPF.  The MAIL FROM (aka Return-Path
> aka Envelope-From) IS checked for SPF.
> My best,
> Zack Aab
>
> <http://inboxpros.com/>
> *Zack Aab | Sr. Deliverability Strategist*
> <http://linkedin.com/in/zachary-aab/>
> *Inbox Pros <http://inboxpros.com/> *1995 N Park Place | Suite 300 | Atlanta
> O: 678.214.3739 | C: 706-870-1061 | z...@inboxpros.com
>
>
> On Wed, Jan 9, 2019 at 11:09 AM Paul Rock  wrote:
>
> SPF checks run against the actual mfrom domain (or in some cases the
> HELO/EHLO domain), in this case it'll check the SPF record for ESP.com,
> which passed. SPF doesn't know/care about the from header (and in many
> systems, that header hasn't even crossed the wire yet) so it can't do an
> SPF check using the from header. That's why DMARC looks at both the
> alignment of the SPF domain in question as well as the SPF result. And just
> to be clear, the DMARC logic is only looking at the result of a SPF check,
> it doesn't try to do one on its own. Because ESP.com doesn't align with
> abc.com, it fails the SPF portion of the DMARC evaluation.
>
> On Wed, Jan 9, 2019 at 11:01 AM T Nguyen  wrote:
>
> Yes Zack, I meant aSPF relaxed as it's implied without specifically
> indicated in dmarc record.
>
> To clarify ESP.com(111.222.333.444 - source IP) is the external web app
> Email Service Provider so abc.com
> (MX & DMARC enable) users can send email to large internet groups via
> non-MX subdomain u...@xyz.abc.com. ( this subdomain xyz.abc.com
> has spf record with include sender ESP.com - note that abc.com

Re: [dmarc-discuss] help!

2019-01-09 Thread Zachary Aab via dmarc-discuss
That is a mistake a LOT of senders make, and it's often the fault of their
ESP which provided incomplete or even wrong information.
Just to reinforce what Paul said:
The Header From IS NOT checked for SPF.  The MAIL FROM (aka Return-Path aka
Envelope-From) IS checked for SPF.
My best,
Zack Aab
<http://inboxpros.com/>
*Zack Aab | Sr. Deliverability Strategist*
<http://linkedin.com/in/zachary-aab/>
*Inbox Pros <http://inboxpros.com/> *1995 N Park Place | Suite 300 | Atlanta
O: 678.214.3739 | C: 706-870-1061 | z...@inboxpros.com


On Wed, Jan 9, 2019 at 11:09 AM Paul Rock  wrote:

> SPF checks run against the actual mfrom domain (or in some cases the
> HELO/EHLO domain), in this case it'll check the SPF record for ESP.com,
> which passed. SPF doesn't know/care about the from header (and in many
> systems, that header hasn't even crossed the wire yet) so it can't do an
> SPF check using the from header. That's why DMARC looks at both the
> alignment of the SPF domain in question as well as the SPF result. And just
> to be clear, the DMARC logic is only looking at the result of a SPF check,
> it doesn't try to do one on its own. Because ESP.com doesn't align with
> abc.com, it fails the SPF portion of the DMARC evaluation.
>
> On Wed, Jan 9, 2019 at 11:01 AM T Nguyen  wrote:
>
>> Yes Zack, I meant aSPF relaxed as it's implied without specifically
>> indicated in dmarc record.
>>
>> To clarify ESP.com(111.222.333.444 - source IP) is the external web app
>> Email Service Provider so abc.com (MX & DMARC enable) users can send
>> email to large internet groups via non-MX subdomain u...@xyz.abc.com. (
>> this subdomain xyz.abc.com has spf record with include sender ESP.com -
>> note that abc.com only receives rua for the subdomain but no spf record
>> for ESP.com).
>>
>> The second part of the record is very confusing. If the mfrom performs
>> spf check against abc.com then it should fail.  spf only passes if
>> checking against the subdomain xyz.abc.com
>>
>> abc.com | ESP.com | mfrom | pass
>>
>> --
>> *From:* Zachary Aab 
>> *Sent:* Wednesday, January 9, 2019 10:25 AM
>> *To:* T Nguyen
>> *Cc:* Paul Rock; dmarc-discuss@dmarc.org
>> *Subject:* Re: [dmarc-discuss] help!
>>
>> >does DMARC fail even with adfs and adkim implicitly as “r” relaxed?
>>
>> By adfs do you mean aspf?  If so: yes, "r" aka "relaxed" means that
>> subdomains of the same parent domain are considered aligned (eg:
>> sub.abc.com is aligned with othersub.abc.com)
>> and "s" aka "strict" means that the subdomains must be identical in order
>> to align.  Either way, the authentication (DKIM or SPF) still must share a
>> parent domain with the Header From.  The example shows two different parent
>> domains: "esp.com" in the MAIL FROM and "abc.com"
>> in the Header From, so they are not aligned and cannot pass DMARC without
>> changing.
>>
>> My best,
>> Zack Aab
>>
>> <http://inboxpros.com/>
>> *Zack Aab | Sr. Deliverability Strategist*
>> <http://linkedin.com/in/zachary-aab/>
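
The alignment rule discussed in the messages above (and in the "on behalf of" thread), as an added Python example that is not part of any poster's message. The suffix table is a constructed stand-in for the Public Suffix List, and the MAIL FROM domain in the "on behalf of" case is an assumption because the page elides the Return-Path.

```python
"""DMARC identifier alignment check (added example, not code from the thread)."""

# ASSUMPTION: real evaluators derive the organizational domain from the Public
# Suffix List; this constructed table covers only the sample domains below.
SAMPLE_PUBLIC_SUFFIXES = {"com", "aaa", "bbb"}


def org_domain(domain):
    """Organizational domain: longest matching public suffix plus one label."""
    labels = domain.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        if ".".join(labels[i:]) in SAMPLE_PUBLIC_SUFFIXES:
            return ".".join(labels[max(i - 1, 0):])
    return ".".join(labels[-2:])


def aligned(auth_domain, header_from, mode="r"):
    """mode 's' (strict): exact match. mode 'r' (relaxed): same organizational domain."""
    a = auth_domain.lower().rstrip(".")
    f = header_from.lower().rstrip(".")
    if mode == "s":
        return a == f
    return org_domain(a) == org_domain(f)


def evaluate(header_from, spf_domain, spf_result, dkim, aspf="r", adkim="r"):
    """Combine already-computed SPF/DKIM results with alignment.

    dkim is a list of (d= domain, result) pairs, one per signature.
    DMARC passes if at least one mechanism both passes AND aligns.
    """
    spf_ok = spf_result == "pass" and aligned(spf_domain, header_from, aspf)
    dkim_ok = any(r == "pass" and aligned(d, header_from, adkim) for d, r in dkim)
    return {"spf": spf_ok, "dkim": dkim_ok,
            "dmarc": "pass" if (spf_ok or dkim_ok) else "fail"}


# Constructed cases modelled on the scenarios in the thread.
CASES = {
    # SPF and DKIM both pass, but for senderdomain.aaa, not the From domain.
    "on_behalf_of": evaluate("fromdomain.bbb", "senderdomain.aaa", "pass",
                             [("senderdomain.aaa", "pass")]),
    # ESP uses its own MAIL FROM: SPF passes for ESP.com, which is not abc.com.
    "esp_mail_from": evaluate("abc.com", "ESP.com", "pass", []),
    # MAIL FROM moved to a subdomain of the From domain: aligned when relaxed...
    "subdomain_relaxed": evaluate("abc.com", "xyz.abc.com", "pass", []),
    # ...but not under aspf=s.
    "subdomain_strict": evaluate("abc.com", "xyz.abc.com", "pass", [], aspf="s"),
    # ESP signs with the customer's domain (d=abc.com): DKIM carries DMARC.
    "esp_dkim_as_customer": evaluate("abc.com", "ESP.com", "pass",
                                     [("abc.com", "pass")]),
}

if __name__ == "__main__":
    for name, result in CASES.items():
        print(f"{name:22} {result}")
```
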

Re: [dmarc-discuss] help!

2018-12-02 Thread Roland Turner via dmarc-discuss
Implement DKIM with as many of your third parties as possible. Most have 
now realised that they can do their own key-rotation if they simply 
specify two CNAME records for you to put into your zone file (rather 
than issue you a key, or have you issue them one). Third-party SPF will 
generally not be reliable for DMARC purposes because it will usually 
contain the service-provider's domain name rather than yours and 
therefore not align for DMARC purposes, quite apart from the problem of 
SPF record size that you've already encountered, and the maintenance 
overhead (bear in mind that you'll have to discover service-provider IP 
addresses changes by noticing failures in DMARC feedback, meaning that 
you'll need long term automated monitoring).


- Roland



On 3/12/18 1:32 pm, T Nguyen via dmarc-discuss wrote:


SPF authentication only, no dkim just yet. As domain controller owner 
we have issue with multiple third party application email senders, 
which fail specifically our spf authentication. with too many third 
party email applications that overwhelms our spf records. Since these 
application email providers generate email on behalf of their 
customers, how can they provide domain authentication to the receiving 
ends?  Appreciate all the insight.




[dmarc-discuss] help!

2018-12-02 Thread T Nguyen via dmarc-discuss
SPF authentication only, no dkim just yet. As domain controller owner we have 
issue with multiple third party application email senders, which fail 
specifically our spf authentication. with too many third party email 
applications that overwhelms our spf records. Since these application email 
providers generate email on behalf of their customers, how can they provide 
domain authentication to the receiving ends?  Appreciate all the insight.


Re: [dmarc-discuss] Help

2018-09-26 Thread Lawrence Finch via dmarc-discuss


> On Sep 26, 2018, at 5:40 PM, Jonathan Knopp via dmarc-discuss 
>  wrote:
> 
> To play devil's advocate: it doesn't explicitly provide unsubscribe 
> instructions directly in the email itself. A non-savvy user likely wouldn't 
> think to follow the non-obvious info link in the footer. And not all mail 
> clients make use of the list-unsubscribe header.
> 
> That said... why would any such person be on this list in the first place?
> 

Well, It’s clear that there is such a person, otherwise this wouldn’t have come 
up ;)

I had never thought about it until it was asked, then I went and looked for an 
easy answer, and found there wasn’t one. Despite what it sounds like, I’m not 
trying to be obstructionist. This is a very valuable list for me as site 
administrator for a number of lists. But I think a simple “unsubscribe” link 
would be a good addition.

Peace,
Larry



> On 2018-09-26 02:11 PM, Brandon Long via dmarc-discuss wrote:
>> Wait, folks are on this list who don't know the basics?
>> Ie:
>> List-Unsubscribe: , 
>> > ?subject=unsubscribe>
>> on every message?
>> Also, the link in the footer, 
>> http://www.dmarc.org/mailman/listinfo/dmarc-discuss, has a section that is 
>> the same on all mailman lists:
>> To unsubscribe from dmarc-discuss, get a password reminder, or change your 
>> subscription options enter your subscription email address:
>> So.. yeah.
>> Brandon
>> On Wed, Sep 26, 2018 at 2:04 PM Lawrence Finch via dmarc-discuss 
>> mailto:dmarc-discuss@dmarc.org>> wrote:
>>>On Sep 26, 2018, at 4:44 PM, Bongaerts Contract via dmarc-discuss 
>>> mailto:dmarc-discuss@dmarc.org>> wrote:
>>> 
>>>Hello, Would someone please be kind enough to tell me how to Unsubscribe 
>>> from these emails ?
>>> 
>>>Thank you.
>>> 
>>>Carl BongaertsTel: 416-831-7841
>>> 
>>You raise a really good question. The list violates US federal 
>> regulations by not providing instructions in every message about how to 
>> unsubscribe. And I just went to the Info page for the list, and there were 
>> no instructions to unsubscribe there either.
>>--
>>Larry Finch
>>finc...@portadmiral.org 



Re: [dmarc-discuss] Help

2018-09-26 Thread John Levine via dmarc-discuss
In article  
you write:
>Might be better to have an MX record that points to localhost, because
>if you have an A record but no MX, people will just try to connect to
>the A record.

There's an RFC for that:

https://tools.ietf.org/html/rfc7505

R's,
John
-- 
Regards,
John Levine, jo...@iecc.com, Primary Perpetrator of "The Internet for Dummies",
Please consider the environment before reading this e-mail. https://jl.ly


Re: [dmarc-discuss] Help

2018-09-26 Thread Brandon Long via dmarc-discuss
Use a null mx instead.
https://tools.ietf.org/html/rfc7505

On Wed, Sep 26, 2018, 8:43 AM Al Iverson via dmarc-discuss <
dmarc-discuss@dmarc.org> wrote:

> Might be better to have an MX record that points to localhost, because
> if you have an A record but no MX, people will just try to connect to
> the A record.
>
> Though I've never tried it for domains that lack an MX DNS entry, I do
> think overall that DMARC (and SPF) are both good things to configure
> for domains that don't send email. I've blogged about it here:
> https://www.spamresource.com/2018/06/locking-down-your-unused-domains.html
>
> Cheers,
> Al
> On Wed, Sep 26, 2018 at 9:52 AM Zachary Aab via dmarc-discuss
>  wrote:
> >
> > The sub/domain should be protected by the DMARC record even without an
> MX record, I can't find anything in the RFC to say otherwise and some
> senders (mostly marketing, ime) use 5322.from domains with no MX records
> and a "Reply-to:" header with a working domain.
> >
> > >Could the syntax error caused by the receiving domain may not have the
> txt record to authorize the reports reception?
> > It certainly could, of course we can't check up on that without the
> domain.  The answer will probably depend on what is actually throwing the
> syntax error, is it a DMARC-checking tool on the internet, a receiver's
> DMARC filter, or your DNS provider?
> >
> > It looks like your last clause (rua=) is missing the semicolon at the
> end, receivers will care about that to varying degrees but it might be
> causing the error you see, again depending on what's giving the error.
> >
> > My best,
> > Zack Aab
> >
> >
> > On Tue, Sep 25, 2018 at 9:37 PM T Nguyen via dmarc-discuss <
> dmarc-discuss@dmarc.org> wrote:
> >>
> >> Could the syntax error caused by the receiving domain may not have the
> txt record to authorize the reports reception?
> >>
> >>
> >>
> >> From: T Nguyen 
> >> Sent: Tuesday, September 25, 2018 9:30 PM
> >> To: dmarc-discuss@dmarc.org
> >> Subject: Help
> >>
> >>
> >>
> >> Appreciate any insight to the scenario below:
> >>
> >>
> >>
> >> Can non-smtp ( no mx record ) domain example.com be protected by
> dmarc?  I inherited the below dmarc record for this example.com with  spf
> record as “ v=spf1 -all “.  The result was a dmarc syntax error.
> >>
> >>
> >>
> >> v=DMARC1; p=reject; pct=100; rua=mailto:dmarc-repo...@not-example.com
> ,mailto:repo...@example-not.com
> >>
> >>
> >>
> >> If dmarc cannot be implemented then what is the best way to protect
> this non-smtp domain example.com from being spoofed by mal-intention
> senders that can fool naïve users?  Although with spf record “ v=spf1 -all
> “alone should work for dmarc record to set policy reject all email using
> this non-email domain example.com
> >>
> >>
> >>
> >> Thank you in advance,
> >>
> >> Best,
> >>
> >> tn
> >>
>
>
>
> --
> al iverson // 312-725-0130 // miami
> http://www.aliverson.com
> http://www.spamresource.com
>

Re: [dmarc-discuss] Help

2018-09-26 Thread Al Iverson via dmarc-discuss
Might be better to have an MX record that points to localhost, because
if you have an A record but no MX, people will just try to connect to
the A record.

Though I've never tried it for domains that lack an MX DNS entry, I do
think overall that DMARC (and SPF) are both good things to configure
for domains that don't send email. I've blogged about it here:
https://www.spamresource.com/2018/06/locking-down-your-unused-domains.html

Cheers,
Al
On Wed, Sep 26, 2018 at 9:52 AM Zachary Aab via dmarc-discuss
 wrote:
>
> The sub/domain should be protected by the DMARC record even without an MX 
> record, I can't find anything in the RFC to say otherwise and some senders 
> (mostly marketing, ime) use 5322.from domains with no MX records and a 
> "Reply-to:" header with a working domain.
>
> >Could the syntax error caused by the receiving domain may not have the txt 
> >record to authorize the reports reception?
> It certainly could, of course we can't check up on that without the domain.  
> The answer will probably depend on what is actually throwing the syntax 
> error, is it a DMARC-checking tool on the internet, a receiver's DMARC 
> filter, or your DNS provider?
>
> It looks like your last clause (rua=) is missing the semicolon at the end, 
> receivers will care about that to varying degrees but it might be causing the 
> error you see, again depending on what's giving the error.
>
> My best,
> Zack Aab
>
>
> On Tue, Sep 25, 2018 at 9:37 PM T Nguyen via dmarc-discuss 
>  wrote:
>>
>> Could the syntax error caused by the receiving domain may not have the txt 
>> record to authorize the reports reception?
>>
>>
>>
>> From: T Nguyen 
>> Sent: Tuesday, September 25, 2018 9:30 PM
>> To: dmarc-discuss@dmarc.org
>> Subject: Help
>>
>>
>>
>> Appreciate any insight to the scenario below:
>>
>>
>>
>> Can non-smtp ( no mx record ) domain example.com be protected by dmarc?  I 
>> inherited the below dmarc record for this example.com with  spf record as “ 
>> v=spf1 -all “.  The result was a dmarc syntax error.
>>
>>
>>
>> v=DMARC1; p=reject; pct=100; 
>> rua=mailto:dmarc-repo...@not-example.com,mailto:repo...@example-not.com
>>
>>
>>
>> If dmarc cannot be implemented then what is the best way to protect this 
>> non-smtp domain example.com from being spoofed by mal-intention senders that 
>> can fool naïve users?  Although with spf record “ v=spf1 -all “alone should 
>> work for dmarc record to set policy reject all email using this non-email 
>> domain example.com
>>
>>
>>
>> Thank you in advance,
>>
>> Best,
>>
>> tn
>>



-- 
al iverson // 312-725-0130 // miami
http://www.aliverson.com
http://www.spamresource.com


Re: [dmarc-discuss] Help

2018-09-26 Thread Zachary Aab via dmarc-discuss
The sub/domain should be protected by the DMARC record even without an MX
record, I can't find anything in the RFC to say otherwise and some senders
(mostly marketing, ime) use 5322.from domains with no MX records and a
"Reply-to:" header with a working domain.

>Could the syntax error caused by the receiving domain may not have the txt
record to authorize the reports reception?
It certainly could, of course we can't check up on that without the
domain.  The answer will probably depend on what is actually throwing the
syntax error, is it a DMARC-checking tool on the internet, a receiver's
DMARC filter, or your DNS provider?

It looks like your last clause (rua=) is missing the semicolon at the end,
receivers will care about that to varying degrees but it might be causing
the error you see, again depending on what's giving the error.

My best,
Zack Aab


On Tue, Sep 25, 2018 at 9:37 PM T Nguyen via dmarc-discuss <
dmarc-discuss@dmarc.org> wrote:

> Could the syntax error caused by the receiving domain may not have the txt
> record to authorize the reports reception?
>
>
>
> *From:* T Nguyen 
> *Sent:* Tuesday, September 25, 2018 9:30 PM
> *To:* dmarc-discuss@dmarc.org
> *Subject:* Help
>
>
>
> Appreciate any insight to the scenario below:
>
>
>
> 1. Can non-smtp ( no mx record ) domain example.com be protected by
>    dmarc?  I inherited the below dmarc record for this example.com with
>    spf record as “ v=spf1 -all “.  The result was a dmarc syntax error.
>
>
>
> v=DMARC1; p=reject; pct=100; rua=mailto:dmarc-repo...@not-example.com
> ,mailto:repo...@example-not.com
>
>
>
> 2. If dmarc cannot be implemented then what is the best way to protect
>    this non-smtp domain example.com from being spoofed by mal-intention
>    senders that can fool naïve users?  Although with spf record “ v=spf1 -all
>    “alone should work for dmarc record to set policy reject all email using
>    this non-email domain example.com
>
>
>
> Thank you in advance,
>
> Best,
>
> tn
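
The two suspects raised in this exchange (the missing final semicolon and the report-authorization TXT record for external `rua` destinations) can be checked offline; the following is an added Python example, not code from any poster. The report addresses are constructed (the page obfuscates the real ones), and "external" is simplified to "not the policy domain or one of its subdomains" rather than a full organizational-domain comparison.

```python
"""Offline lint for a DMARC TXT record (added example, not from the thread)."""

VALID_POLICIES = {"none", "quarantine", "reject"}

# Constructed record with the same shape as the one quoted in the thread:
# no trailing ';' and whitespace before the comma in the rua list.
SAMPLE_RECORD = ("v=DMARC1; p=reject; pct=100; "
                 "rua=mailto:agg@reports.example.net ,mailto:dmarc@example.org")


def parse_record(record):
    """Return ([(tag, value), ...] in order, has_trailing_semicolon)."""
    text = record.strip()
    tags = []
    for part in text.split(";"):
        if not part.strip():
            continue
        name, sep, value = part.partition("=")
        if not sep:
            raise ValueError(f"tag without '=': {part.strip()!r}")
        tags.append((name.strip().lower(), value.strip()))
    return tags, text.endswith(";")


def report_hosts(uri_list):
    """Yield (uri, host) per rua/ruf entry; host is None unless it is mailto:."""
    for uri in (u.strip() for u in uri_list.split(",")):
        address = uri.split("!", 1)[0]  # drop an optional "!10m" size limit
        if address.lower().startswith("mailto:") and "@" in address:
            yield uri, address.rsplit("@", 1)[1].lower()
        else:
            yield uri, None


def lint(record, policy_domain):
    """Check basic syntax and list the TXT names external report hosts must publish."""
    policy_domain = policy_domain.lower().rstrip(".")
    tags, trailing = parse_record(record)
    values = dict(tags)
    errors, notes, auth_names = [], [], []

    if not tags or tags[0] != ("v", "DMARC1"):
        errors.append("v=DMARC1 must be the first tag")
    if values.get("p", "").lower() not in VALID_POLICIES:
        errors.append("p must be none, quarantine or reject")
    pct = values.get("pct", "100")
    if not (pct.isascii() and pct.isdigit() and int(pct) <= 100):
        errors.append("pct must be an integer from 0 to 100")
    if not trailing:
        # The RFC 7489 grammar makes the final separator optional,
        # but some checking tools are stricter than the grammar.
        notes.append("no trailing ';' after the last tag")

    for tag in ("rua", "ruf"):
        for uri, host in report_hosts(values.get(tag, "")) if tag in values else ():
            if host is None:
                notes.append(f"{tag}: only mailto: is defined by RFC 7489: {uri!r}")
            elif host != policy_domain and not host.endswith("." + policy_domain):
                # RFC 7489 section 7.1: the destination must publish a TXT
                # record "v=DMARC1" at <policy domain>._report._dmarc.<host>.
                auth_names.append(f"{policy_domain}._report._dmarc.{host}")
    return {"errors": errors, "notes": notes, "report_auth_txt": auth_names}


if __name__ == "__main__":
    result = lint(SAMPLE_RECORD, "example.com")
    for key, items in result.items():
        print(key, items)
```

Each name in `report_auth_txt` can then be queried for a TXT record; a receiver that finds none may decline to send aggregate reports to that address, which is separate from whether the policy itself is enforced.
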

Re: [dmarc-discuss] Help - updataed

2018-09-25 Thread Roland Turner via dmarc-discuss
What is a DMARC syntax error? (Which tool gave this? What operation was 
it performing at the time?)


Yes,

   example.com TXT "v=spf1 -all"
   _dmarc.example.com TXT "v=DMARC1; p=reject;"

is a reasonable way to announce that a domain can never be used for 
sending email.


- Roland


On 26/09/18 10:04, T Nguyen via dmarc-discuss wrote:


Hi dmarc-discussing group,

Updated a few things that came to me after sending the previous message.

 1. Can non-smtp ( no mx record ) domain example.com be protected by
dmarc?  I inherited the below dmarc record for this example.com
with  spf record as “ v=spf1 -all “.  The result was a dmarc
syntax error.  It could be that the syntax error caused by the
receiving domain not have the text record to authorize the reports
receptions?

v=DMARC1; p=reject; pct=100; 
rua=mailto:dmarc-repo...@not-example.com,mailto:repo...@example-not.com


 2. If dmarc cannot be implemented then what is the best way to
protect this non-smtp domain example.com from being spoofed by
mal-intention senders that can fool naïve users?  Although with
spf record “ v=spf1 -all “alone should work for dmarc record to
set policy reject all email using this non-email domain
example.com. Just realized that dkim cannot be generated without a
mail server to maintain the private key.

Thank you in advance,

Best,

tn




Re: [dmarc-discuss] Help Some Stranger is Using My Email

2012-09-29 Thread Benny Pedersen

John Levine wrote on 29-09-2012 06:13:


On a bad day, I've gotten 300,000 bounced back messages due to
spammers forging my addresses.  How many are you seeing?


could you be less sarcastic here ?

