Re: [dmarc-discuss] Multiple SPF results in report
Based on the data we receive at DMARCanalyzer.com we see that the source for these 'multiple SPF record' reports is mostly Microsoft. About 98.5% of these records are from Microsoft. The other 1.5% is from 126.com/163.com/yeah.net. Regards, Michiel DMARCanalyzer.com 2016-04-04 19:03 GMT+02:00 Lugo, Dave via dmarc-discuss < dmarc-discuss@dmarc.org>: > Thanks, I see a need to familiarize myself with 7208… > > -- > Dave Lugo > Engineer, Comcast Anti-Abuse Technologies > Desk: 215-286-5451 > > > From: Franck Martin <fmar...@linkedin.com> > Date: Monday, April 4, 2016 at 1:00 PM > To: Dave Lugo <dave_l...@cable.comcast.com> > Cc: DMARC Discussion List <dmarc-discuss@dmarc.org> > > Subject: Re: [dmarc-discuss] Multiple SPF results in report > > The question, is what is the RFC5321.mailfrom is empty? The > RFC7208.MAILFROM is never empty. > > https://tools.ietf.org/html/rfc7208#section-2.4 > > SPF verifiers MUST check the "MAIL FROM" identity if a "HELO" check >either has not been performed or has not reached a definitive policy >result by applying the check_host() function to the "MAIL FROM" >identity as the . > >[RFC5321] allows the reverse-path to be null (see Section 4.5.5 in >[RFC5321] <https://tools.ietf.org/html/rfc5321#section-4.5.5>). In this > case, there is no explicit sender mailbox, and >such a message can be assumed to be a notification message from the >mail system itself. When the reverse-path is null, this document >defines the "MAIL FROM" identity to be the mailbox composed of the >local-part "postmaster" and the "HELO" identity (which might or might >not have been checked separately before). > > > > On Mon, Apr 4, 2016 at 8:59 AM, Lugo, Dave via dmarc-discuss < > dmarc-discuss@dmarc.org> wrote: > >> Franck, >> >> What if the RFC7208.MAILFROM is empty? I recall some questions from >> colleagues re dmarc reporting and the spf scope (help or mailfrom). >> >> Thanks, >> >> Dave >> >> -- >> Dave Lugo >> Engineer, Comcast Anti-Abuse Technologies >> Desk: 215-286-5451 >> >> >> From: dmarc-discuss <dmarc-discuss-boun...@dmarc.org> on behalf of >> Franck Martin via dmarc-discuss <dmarc-discuss@dmarc.org> >> Reply-To: Franck Martin <fmar...@linkedin.com> >> Date: Monday, April 4, 2016 at 11:51 AM >> To: Maarten Oelering <maar...@postmastery.net> >> Cc: "n...@graafhenk.nl" <n...@graafhenk.nl>, DMARC Discussion List < >> dmarc-discuss@dmarc.org> >> Subject: Re: [dmarc-discuss] Multiple SPF results in report >> >> It is a bug. >> >> There can only be one SPF per record. Theoretically SPF returns 2 >> results, one for the RFC7208.HELO and another one for RFC7208.MAILFROM, but >> DMARC takes as input only RFC7208.MAILFROM, therefore only this results is >> needed in DMARC reports. >> >> RFC7208.MAILFROM is not RFC5321.MailFrom, there is a subtle but important >> difference here. >> >> On Mon, Apr 4, 2016 at 12:23 AM, Maarten Oelering via dmarc-discuss < >> dmarc-discuss@dmarc.org> wrote: >> >>> Do you mean that in the XML you see 6 elements in one >>> element? Or do you mean you see 6 different domains in >>> the your reports? >>> >>> Maarten Oelering >>> Postmastery >>> >>> On 4 apr. 2016, at 09:05, Nick via dmarc-discuss < >>> dmarc-discuss@dmarc.org> wrote: >>> >>> I received a DMARC report with multiple SPF results. I wonder how this >>> is possible as I only have one SPF record for my domain defined. In one >>> report I got 6 SPF results. >>> >>> The only thing I could think of is some automatic forwarding service >>> changing the return path header. Are there more usecases possible how this >>> can happen? >>> >>> Thanks >>> Nick >>> ___ >>> dmarc-discuss mailing list >>> dmarc-discuss@dmarc.org >>> http://www.dmarc.org/mailman/listinfo/dmarc-discuss >>> >>> NOTE: Participating in this list means you agree to the DMARC Note Well >>> terms (http://www.dmarc.org/note_well.html) >>> >>> >>> >>> ___ >>> dmarc-discuss mailing list >>> dmarc-discuss@dmarc.org >>> http://www.dmarc.org/mailman/listinfo/dmarc-discuss >>> >>> NOTE: Participating in this list means yo
Re: [dmarc-discuss] Multiple SPF results in report
The question, is what is the RFC5321.mailfrom is empty? The RFC7208.MAILFROM is never empty. https://tools.ietf.org/html/rfc7208#section-2.4 SPF verifiers MUST check the "MAIL FROM" identity if a "HELO" check either has not been performed or has not reached a definitive policy result by applying the check_host() function to the "MAIL FROM" identity as the . [RFC5321] allows the reverse-path to be null (see Section 4.5.5 in [RFC5321] <https://tools.ietf.org/html/rfc5321#section-4.5.5>). In this case, there is no explicit sender mailbox, and such a message can be assumed to be a notification message from the mail system itself. When the reverse-path is null, this document defines the "MAIL FROM" identity to be the mailbox composed of the local-part "postmaster" and the "HELO" identity (which might or might not have been checked separately before). On Mon, Apr 4, 2016 at 8:59 AM, Lugo, Dave via dmarc-discuss < dmarc-discuss@dmarc.org> wrote: > Franck, > > What if the RFC7208.MAILFROM is empty? I recall some questions from > colleagues re dmarc reporting and the spf scope (help or mailfrom). > > Thanks, > > Dave > > -- > Dave Lugo > Engineer, Comcast Anti-Abuse Technologies > Desk: 215-286-5451 > > > From: dmarc-discuss <dmarc-discuss-boun...@dmarc.org> on behalf of Franck > Martin via dmarc-discuss <dmarc-discuss@dmarc.org> > Reply-To: Franck Martin <fmar...@linkedin.com> > Date: Monday, April 4, 2016 at 11:51 AM > To: Maarten Oelering <maar...@postmastery.net> > Cc: "n...@graafhenk.nl" <n...@graafhenk.nl>, DMARC Discussion List < > dmarc-discuss@dmarc.org> > Subject: Re: [dmarc-discuss] Multiple SPF results in report > > It is a bug. > > There can only be one SPF per record. Theoretically SPF returns 2 results, > one for the RFC7208.HELO and another one for RFC7208.MAILFROM, but DMARC > takes as input only RFC7208.MAILFROM, therefore only this results is needed > in DMARC reports. > > RFC7208.MAILFROM is not RFC5321.MailFrom, there is a subtle but important > difference here. > > On Mon, Apr 4, 2016 at 12:23 AM, Maarten Oelering via dmarc-discuss < > dmarc-discuss@dmarc.org> wrote: > >> Do you mean that in the XML you see 6 elements in one >> element? Or do you mean you see 6 different domains in >> the your reports? >> >> Maarten Oelering >> Postmastery >> >> On 4 apr. 2016, at 09:05, Nick via dmarc-discuss <dmarc-discuss@dmarc.org> >> wrote: >> >> I received a DMARC report with multiple SPF results. I wonder how this is >> possible as I only have one SPF record for my domain defined. In one report >> I got 6 SPF results. >> >> The only thing I could think of is some automatic forwarding service >> changing the return path header. Are there more usecases possible how this >> can happen? >> >> Thanks >> Nick >> ___ >> dmarc-discuss mailing list >> dmarc-discuss@dmarc.org >> http://www.dmarc.org/mailman/listinfo/dmarc-discuss >> >> NOTE: Participating in this list means you agree to the DMARC Note Well >> terms (http://www.dmarc.org/note_well.html) >> >> >> >> ___ >> dmarc-discuss mailing list >> dmarc-discuss@dmarc.org >> http://www.dmarc.org/mailman/listinfo/dmarc-discuss >> >> NOTE: Participating in this list means you agree to the DMARC Note Well >> terms (http://www.dmarc.org/note_well.html) >> > > > ___ > dmarc-discuss mailing list > dmarc-discuss@dmarc.org > http://www.dmarc.org/mailman/listinfo/dmarc-discuss > > NOTE: Participating in this list means you agree to the DMARC Note Well > terms (http://www.dmarc.org/note_well.html) > ___ dmarc-discuss mailing list dmarc-discuss@dmarc.org http://www.dmarc.org/mailman/listinfo/dmarc-discuss NOTE: Participating in this list means you agree to the DMARC Note Well terms (http://www.dmarc.org/note_well.html)
Re: [dmarc-discuss] Multiple SPF results in report
Franck, What if the RFC7208.MAILFROM is empty? I recall some questions from colleagues re dmarc reporting and the spf scope (help or mailfrom). Thanks, Dave -- Dave Lugo Engineer, Comcast Anti-Abuse Technologies Desk: 215-286-5451 From: dmarc-discuss <dmarc-discuss-boun...@dmarc.org<mailto:dmarc-discuss-boun...@dmarc.org>> on behalf of Franck Martin via dmarc-discuss <dmarc-discuss@dmarc.org<mailto:dmarc-discuss@dmarc.org>> Reply-To: Franck Martin <fmar...@linkedin.com<mailto:fmar...@linkedin.com>> Date: Monday, April 4, 2016 at 11:51 AM To: Maarten Oelering <maar...@postmastery.net<mailto:maar...@postmastery.net>> Cc: "n...@graafhenk.nl<mailto:n...@graafhenk.nl>" <n...@graafhenk.nl<mailto:n...@graafhenk.nl>>, DMARC Discussion List <dmarc-discuss@dmarc.org<mailto:dmarc-discuss@dmarc.org>> Subject: Re: [dmarc-discuss] Multiple SPF results in report It is a bug. There can only be one SPF per record. Theoretically SPF returns 2 results, one for the RFC7208.HELO and another one for RFC7208.MAILFROM, but DMARC takes as input only RFC7208.MAILFROM, therefore only this results is needed in DMARC reports. RFC7208.MAILFROM is not RFC5321.MailFrom, there is a subtle but important difference here. On Mon, Apr 4, 2016 at 12:23 AM, Maarten Oelering via dmarc-discuss <dmarc-discuss@dmarc.org<mailto:dmarc-discuss@dmarc.org>> wrote: Do you mean that in the XML you see 6 elements in one element? Or do you mean you see 6 different domains in the your reports? Maarten Oelering Postmastery On 4 apr. 2016, at 09:05, Nick via dmarc-discuss <dmarc-discuss@dmarc.org<mailto:dmarc-discuss@dmarc.org>> wrote: I received a DMARC report with multiple SPF results. I wonder how this is possible as I only have one SPF record for my domain defined. In one report I got 6 SPF results. The only thing I could think of is some automatic forwarding service changing the return path header. Are there more usecases possible how this can happen? Thanks Nick ___ dmarc-discuss mailing list dmarc-discuss@dmarc.org<mailto:dmarc-discuss@dmarc.org> http://www.dmarc.org/mailman/listinfo/dmarc-discuss NOTE: Participating in this list means you agree to the DMARC Note Well terms (http://www.dmarc.org/note_well.html) ___ dmarc-discuss mailing list dmarc-discuss@dmarc.org<mailto:dmarc-discuss@dmarc.org> http://www.dmarc.org/mailman/listinfo/dmarc-discuss NOTE: Participating in this list means you agree to the DMARC Note Well terms (http://www.dmarc.org/note_well.html) ___ dmarc-discuss mailing list dmarc-discuss@dmarc.org http://www.dmarc.org/mailman/listinfo/dmarc-discuss NOTE: Participating in this list means you agree to the DMARC Note Well terms (http://www.dmarc.org/note_well.html)
Re: [dmarc-discuss] Multiple SPF results in report
It is a bug. There can only be one SPF per record. Theoretically SPF returns 2 results, one for the RFC7208.HELO and another one for RFC7208.MAILFROM, but DMARC takes as input only RFC7208.MAILFROM, therefore only this results is needed in DMARC reports. RFC7208.MAILFROM is not RFC5321.MailFrom, there is a subtle but important difference here. On Mon, Apr 4, 2016 at 12:23 AM, Maarten Oelering via dmarc-discuss < dmarc-discuss@dmarc.org> wrote: > Do you mean that in the XML you see 6 elements in one > element? Or do you mean you see 6 different domains in the your > reports? > > Maarten Oelering > Postmastery > > On 4 apr. 2016, at 09:05, Nick via dmarc-discuss> wrote: > > I received a DMARC report with multiple SPF results. I wonder how this is > possible as I only have one SPF record for my domain defined. In one report > I got 6 SPF results. > > The only thing I could think of is some automatic forwarding service > changing the return path header. Are there more usecases possible how this > can happen? > > Thanks > Nick > ___ > dmarc-discuss mailing list > dmarc-discuss@dmarc.org > http://www.dmarc.org/mailman/listinfo/dmarc-discuss > > NOTE: Participating in this list means you agree to the DMARC Note Well > terms (http://www.dmarc.org/note_well.html) > > > > ___ > dmarc-discuss mailing list > dmarc-discuss@dmarc.org > http://www.dmarc.org/mailman/listinfo/dmarc-discuss > > NOTE: Participating in this list means you agree to the DMARC Note Well > terms (http://www.dmarc.org/note_well.html) > ___ dmarc-discuss mailing list dmarc-discuss@dmarc.org http://www.dmarc.org/mailman/listinfo/dmarc-discuss NOTE: Participating in this list means you agree to the DMARC Note Well terms (http://www.dmarc.org/note_well.html)
Re: [dmarc-discuss] Multiple SPF results in report
Do you mean that in the XML you see 6 elements in one element? Or do you mean you see 6 different domains in the your reports? Maarten Oelering Postmastery > On 4 apr. 2016, at 09:05, Nick via dmarc-discuss> wrote: > > I received a DMARC report with multiple SPF results. I wonder how this is > possible as I only have one SPF record for my domain defined. In one report I > got 6 SPF results. > > The only thing I could think of is some automatic forwarding service changing > the return path header. Are there more usecases possible how this can happen? > > Thanks > Nick > ___ > dmarc-discuss mailing list > dmarc-discuss@dmarc.org > http://www.dmarc.org/mailman/listinfo/dmarc-discuss > > NOTE: Participating in this list means you agree to the DMARC Note Well terms > (http://www.dmarc.org/note_well.html) ___ dmarc-discuss mailing list dmarc-discuss@dmarc.org http://www.dmarc.org/mailman/listinfo/dmarc-discuss NOTE: Participating in this list means you agree to the DMARC Note Well terms (http://www.dmarc.org/note_well.html)
[dmarc-discuss] Multiple SPF results in report
I received a DMARC report with multiple SPF results. I wonder how this is possible as I only have one SPF record for my domain defined. In one report I got 6 SPF results. The only thing I could think of is some automatic forwarding service changing the return path header. Are there more usecases possible how this can happen? Thanks Nick ___ dmarc-discuss mailing list dmarc-discuss@dmarc.org http://www.dmarc.org/mailman/listinfo/dmarc-discuss NOTE: Participating in this list means you agree to the DMARC Note Well terms (http://www.dmarc.org/note_well.html)