[dmarc-discuss] help!

[T Nguyen via dmarc-discuss]

SPF authentication only, no dkim just yet. As domain controller owner we have 
issue with multiple third party application email senders, which fail 
specifically our spf authentication. with too many third party email 
applications that overwhelms our spf records. Since these application email 
providers generate email on behalf of their customers, how can they provide 
domain authentication to the receiving ends?  Appreciate all the insight.

___
dmarc-discuss mailing list
dmarc-discuss@dmarc.org
http://www.dmarc.org/mailman/listinfo/dmarc-discuss

NOTE: Participating in this list means you agree to the DMARC Note Well terms 
(http://www.dmarc.org/note_well.html)

[dmarc-discuss] Help

[Ian Breeze via dmarc-discuss]

RemoveEl 9 jul. 2019 9:00 a. m., dmarc-discuss-requ...@dmarc.org escribió:Send dmarc-discuss mailing list submissions to
	dmarc-discuss@dmarc.org

To subscribe or unsubscribe via the World Wide Web, visit
	http://dmarc.org/mailman/listinfo/dmarc-discuss
or, via email, send a message with subject or body 'help' to
	dmarc-discuss-requ...@dmarc.org

You can reach the person managing the list at
	dmarc-discuss-ow...@dmarc.org

When replying, please edit your Subject line so it is more specific
than "Re: Contents of dmarc-discuss digest..."


Today's Topics:

   1. Re: DMARC fails for "on behalf of" messages (Alessandro Vesely)


--

Message: 1
Date: Tue, 9 Jul 2019 10:36:55 +0200
From: Alessandro Vesely 
To: dmarc-discuss@dmarc.org
Subject: Re: [dmarc-discuss] DMARC fails for "on behalf of" messages
Message-ID: 
Content-Type: text/plain; charset=utf-8

> you have to try to find out users who are sending emails in a way you
> described, and ask them to change FROM address to the one matching
> sender domain (senderdomain.aaa)


Or change the bounce address while signing.  Having an SPF pass helps in case of DKIM hiccups.


> or you can move to REJECT policy and accept the loss of emails, sent
> by those users.


Or try quarantine with varying pct...


Best
Ale
-- 
> --?
> Aleksandr
> ?
> 07.07.2019, 14:49, "Jay 1985 via dmarc-discuss" :
> 
> we have a scenario where some users send emails "on behalf of"
> other email address. Headers appear like...?
> Sender: us...@senderdomain.aaa ?
> From: us...@fromdomain.bbb ?
> Return-Path: 
> >?
> DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
> d=senderdomain.aaa;?
> ?
> In gmail both SPF and DKIM authentication passed but this doesn't
> align with the from domain DMARC fails. How to tackle this
> situation. is there any way forward? this is the only issue
> pending to move?forward in reject mode.
> ?


--

Subject: Digest Footer

___
dmarc-discuss mailing list
dmarc-discuss@dmarc.org
http://www.dmarc.org/mailman/listinfo/dmarc-discuss

NOTE: Participating in this list means you agree to the DMARC Note Well terms (http://www.dmarc.org/note_well.html)


--

End of dmarc-discuss Digest, Vol 86, Issue 3


___
dmarc-discuss mailing list
dmarc-discuss@dmarc.org
http://www.dmarc.org/mailman/listinfo/dmarc-discuss

NOTE: Participating in this list means you agree to the DMARC Note Well terms 
(http://www.dmarc.org/note_well.html)

Re: [dmarc-discuss] Help

[Zachary Aab via dmarc-discuss]

The sub/domain should be protected by the DMARC record even without an MX
record, I can't find anything in the RFC to say otherwise and some senders
(mostly marketing, ime) use 5322.from domains with no MX records and a
"Reply-to:" header with a working domain.

>Could the syntax error caused by the receiving domain may not have the txt
record to authorize the reports reception?
It certainly could, of course we can't check up on that without the
domain.  The answer will probably depend on what is actually throwing the
syntax error, is it a DMARC-checking tool on the internet, a receiver's
DMARC filter, or your DNS provider?

It looks like your last clause (rua=) is missing the semicolon at the end,
receivers will care about that to varying degrees but it might be causing
the error you see, again depending on what's giving the error.

My best,
Zack Aab


On Tue, Sep 25, 2018 at 9:37 PM T Nguyen via dmarc-discuss <
dmarc-discuss@dmarc.org> wrote:

> Could the syntax error caused by the receiving domain may not have the txt
> record to authorize the reports reception?
>
>
>
> *From:* T Nguyen 
> *Sent:* Tuesday, September 25, 2018 9:30 PM
> *To:* dmarc-discuss@dmarc.org
> *Subject:* Help
>
>
>
> Appreciate any insight to the scenario below:
>
>
>
>1. Can non-smtp ( no mx record ) domain example.com be protected by
>dmarc?  I inherited the below dmarc record for this example.com with
> spf record as “ v=spf1 -all “.  The result was a dmarc syntax error.
>
>
>
> v=DMARC1; p=reject; pct=100; rua=mailto:dmarc-repo...@not-example.com
> ,mailto:repo...@example-not.com
>
>
>
>1. If dmarc cannot be implemented then what is the best way to protect
>this non-smtp domain example.com from being spoofed by mal-intention
>senders that can fool naïve users?  Although with spf record “ v=spf1 -all
>“alone should work for dmarc record to set policy reject all email using
>this non-email domain example.com
>
>
>
> Thank you in advance,
>
> Best,
>
> tn
> ___
> dmarc-discuss mailing list
> dmarc-discuss@dmarc.org
> http://www.dmarc.org/mailman/listinfo/dmarc-discuss
>
> NOTE: Participating in this list means you agree to the DMARC Note Well
> terms (http://www.dmarc.org/note_well.html)
___
dmarc-discuss mailing list
dmarc-discuss@dmarc.org
http://www.dmarc.org/mailman/listinfo/dmarc-discuss

NOTE: Participating in this list means you agree to the DMARC Note Well terms 
(http://www.dmarc.org/note_well.html)

Re: [dmarc-discuss] Help

[Al Iverson via dmarc-discuss]

Might be better to have an MX record that points to localhost, because
if you have an A record but no MX, people will just try to connect to
the A record.

Though I've never tried it for domains that lack an MX DNS entry, I do
think overall that DMARC (and SPF) are both good things to configure
for domains that don't send email. I've blogged about it here:
https://www.spamresource.com/2018/06/locking-down-your-unused-domains.html

Cheers,
Al
On Wed, Sep 26, 2018 at 9:52 AM Zachary Aab via dmarc-discuss
 wrote:
>
> The sub/domain should be protected by the DMARC record even without an MX 
> record, I can't find anything in the RFC to say otherwise and some senders 
> (mostly marketing, ime) use 5322.from domains with no MX records and a 
> "Reply-to:" header with a working domain.
>
> >Could the syntax error caused by the receiving domain may not have the txt 
> >record to authorize the reports reception?
> It certainly could, of course we can't check up on that without the domain.  
> The answer will probably depend on what is actually throwing the syntax 
> error, is it a DMARC-checking tool on the internet, a receiver's DMARC 
> filter, or your DNS provider?
>
> It looks like your last clause (rua=) is missing the semicolon at the end, 
> receivers will care about that to varying degrees but it might be causing the 
> error you see, again depending on what's giving the error.
>
> My best,
> Zack Aab
>
>
> On Tue, Sep 25, 2018 at 9:37 PM T Nguyen via dmarc-discuss 
>  wrote:
>>
>> Could the syntax error caused by the receiving domain may not have the txt 
>> record to authorize the reports reception?
>>
>>
>>
>> From: T Nguyen 
>> Sent: Tuesday, September 25, 2018 9:30 PM
>> To: dmarc-discuss@dmarc.org
>> Subject: Help
>>
>>
>>
>> Appreciate any insight to the scenario below:
>>
>>
>>
>> Can non-smtp ( no mx record ) domain example.com be protected by dmarc?  I 
>> inherited the below dmarc record for this example.com with  spf record as “ 
>> v=spf1 -all “.  The result was a dmarc syntax error.
>>
>>
>>
>> v=DMARC1; p=reject; pct=100; 
>> rua=mailto:dmarc-repo...@not-example.com,mailto:repo...@example-not.com
>>
>>
>>
>> If dmarc cannot be implemented then what is the best way to protect this 
>> non-smtp domain example.com from being spoofed by mal-intention senders that 
>> can fool naïve users?  Although with spf record “ v=spf1 -all “alone should 
>> work for dmarc record to set policy reject all email using this non-email 
>> domain example.com
>>
>>
>>
>> Thank you in advance,
>>
>> Best,
>>
>> tn
>>
>> ___
>> dmarc-discuss mailing list
>> dmarc-discuss@dmarc.org
>> http://www.dmarc.org/mailman/listinfo/dmarc-discuss
>>
>> NOTE: Participating in this list means you agree to the DMARC Note Well 
>> terms (http://www.dmarc.org/note_well.html)
>
> ___
> dmarc-discuss mailing list
> dmarc-discuss@dmarc.org
> http://www.dmarc.org/mailman/listinfo/dmarc-discuss
>
> NOTE: Participating in this list means you agree to the DMARC Note Well terms 
> (http://www.dmarc.org/note_well.html)



-- 
al iverson // 312-725-0130 // miami
http://www.aliverson.com
http://www.spamresource.com

___
dmarc-discuss mailing list
dmarc-discuss@dmarc.org
http://www.dmarc.org/mailman/listinfo/dmarc-discuss

NOTE: Participating in this list means you agree to the DMARC Note Well terms 
(http://www.dmarc.org/note_well.html)

Re: [dmarc-discuss] Help

[Brandon Long via dmarc-discuss]

Use a null mx instead.
https://tools.ietf.org/html/rfc7505

On Wed, Sep 26, 2018, 8:43 AM Al Iverson via dmarc-discuss <
dmarc-discuss@dmarc.org> wrote:

> Might be better to have an MX record that points to localhost, because
> if you have an A record but no MX, people will just try to connect to
> the A record.
>
> Though I've never tried it for domains that lack an MX DNS entry, I do
> think overall that DMARC (and SPF) are both good things to configure
> for domains that don't send email. I've blogged about it here:
> https://www.spamresource.com/2018/06/locking-down-your-unused-domains.html
>
> Cheers,
> Al
> On Wed, Sep 26, 2018 at 9:52 AM Zachary Aab via dmarc-discuss
>  wrote:
> >
> > The sub/domain should be protected by the DMARC record even without an
> MX record, I can't find anything in the RFC to say otherwise and some
> senders (mostly marketing, ime) use 5322.from domains with no MX records
> and a "Reply-to:" header with a working domain.
> >
> > >Could the syntax error caused by the receiving domain may not have the
> txt record to authorize the reports reception?
> > It certainly could, of course we can't check up on that without the
> domain.  The answer will probably depend on what is actually throwing the
> syntax error, is it a DMARC-checking tool on the internet, a receiver's
> DMARC filter, or your DNS provider?
> >
> > It looks like your last clause (rua=) is missing the semicolon at the
> end, receivers will care about that to varying degrees but it might be
> causing the error you see, again depending on what's giving the error.
> >
> > My best,
> > Zack Aab
> >
> >
> > On Tue, Sep 25, 2018 at 9:37 PM T Nguyen via dmarc-discuss <
> dmarc-discuss@dmarc.org> wrote:
> >>
> >> Could the syntax error caused by the receiving domain may not have the
> txt record to authorize the reports reception?
> >>
> >>
> >>
> >> From: T Nguyen 
> >> Sent: Tuesday, September 25, 2018 9:30 PM
> >> To: dmarc-discuss@dmarc.org
> >> Subject: Help
> >>
> >>
> >>
> >> Appreciate any insight to the scenario below:
> >>
> >>
> >>
> >> Can non-smtp ( no mx record ) domain example.com be protected by
> dmarc?  I inherited the below dmarc record for this example.com with  spf
> record as “ v=spf1 -all “.  The result was a dmarc syntax error.
> >>
> >>
> >>
> >> v=DMARC1; p=reject; pct=100; rua=mailto:dmarc-repo...@not-example.com
> ,mailto:repo...@example-not.com
> >>
> >>
> >>
> >> If dmarc cannot be implemented then what is the best way to protect
> this non-smtp domain example.com from being spoofed by mal-intention
> senders that can fool naïve users?  Although with spf record “ v=spf1 -all
> “alone should work for dmarc record to set policy reject all email using
> this non-email domain example.com
> >>
> >>
> >>
> >> Thank you in advance,
> >>
> >> Best,
> >>
> >> tn
> >>
> >> ___
> >> dmarc-discuss mailing list
> >> dmarc-discuss@dmarc.org
> >> http://www.dmarc.org/mailman/listinfo/dmarc-discuss
> >>
> >> NOTE: Participating in this list means you agree to the DMARC Note Well
> terms (http://www.dmarc.org/note_well.html)
> >
> > ___
> > dmarc-discuss mailing list
> > dmarc-discuss@dmarc.org
> > http://www.dmarc.org/mailman/listinfo/dmarc-discuss
> >
> > NOTE: Participating in this list means you agree to the DMARC Note Well
> terms (http://www.dmarc.org/note_well.html)
>
>
>
> --
> al iverson // 312-725-0130 // miami
> http://www.aliverson.com
> http://www.spamresource.com
>
> ___
> dmarc-discuss mailing list
> dmarc-discuss@dmarc.org
> http://www.dmarc.org/mailman/listinfo/dmarc-discuss
>
> NOTE: Participating in this list means you agree to the DMARC Note Well
> terms (http://www.dmarc.org/note_well.html)
___
dmarc-discuss mailing list
dmarc-discuss@dmarc.org
http://www.dmarc.org/mailman/listinfo/dmarc-discuss

NOTE: Participating in this list means you agree to the DMARC Note Well terms 
(http://www.dmarc.org/note_well.html)

Re: [dmarc-discuss] Help

[John Levine via dmarc-discuss]

In article  
you write:
>Might be better to have an MX record that points to localhost, because
>if you have an A record but no MX, people will just try to connect to
>the A record.

There's an RFC for that:

https://tools.ietf.org/html/rfc7505

R's,
John
-- 
Regards,
John Levine, jo...@iecc.com, Primary Perpetrator of "The Internet for Dummies",
Please consider the environment before reading this e-mail. https://jl.ly
___
dmarc-discuss mailing list
dmarc-discuss@dmarc.org
http://www.dmarc.org/mailman/listinfo/dmarc-discuss

NOTE: Participating in this list means you agree to the DMARC Note Well terms 
(http://www.dmarc.org/note_well.html)

Re: [dmarc-discuss] Help

[Zachary Aab via dmarc-discuss]

No problem!
It's not strictly necessary, realistically most receivers will likely
handle little things like that just fine.

>Is the semicolon needed for the rua clause t the end for dmarc statement?
I was just spitballing that if the syntax error you were talking about was
from a "DMARC checker" like https://dmarcian.com/dmarc-inspector/ or
similar, that might have been the cause (now that I poke the ones I know of
with google.com, they all send back a thumbs up, however).

My best,
Zack Aab
<http://inboxpros.com/>
*Zack Aab | Sr. Deliverability Strategist*
<http://linkedin.com/in/zachary-aab/>
*Inbox Pros <http://inboxpros.com/> *1995 N Park Place | Suite 300 | Atlanta
O: 678.214.3739 | C: 706-870-1061 | z...@inboxpros.com


On Wed, Sep 26, 2018 at 12:01 PM T Nguyen  wrote:

> Thank you response Zachary, will check to see how syntax error was
> generated.
>
>
>
> Is the semicolon needed for the rua clause t the end for dmarc statement?
> I’ve checked a couple including google.com but did not see any semicolon
> on their dmarc record.
>
>
>
>
>
>
>
> Best,
>
> Tien
>
>
>
> *Cc:* dmarc-discuss@dmarc.org
> *Subject:* Re: [dmarc-discuss] Help
>
>
>
> The sub/domain should be protected by the DMARC record even without an MX
> record, I can't find anything in the RFC to say otherwise and some senders
> (mostly marketing, ime) use 5322.from domains with no MX records and a
> "Reply-to:" header with a working domain.
>
>
>
> >Could the syntax error caused by the receiving domain may not have the
> txt record to authorize the reports reception?
>
> It certainly could, of course we can't check up on that without the
> domain.  The answer will probably depend on what is actually throwing the
> syntax error, is it a DMARC-checking tool on the internet, a receiver's
> DMARC filter, or your DNS provider?
>
>
>
> It looks like your last clause (rua=) is missing the semicolon at the end,
> receivers will care about that to varying degrees but it might be causing
> the error you see, again depending on what's giving the error.
>
>
>
> My best,
>
> Zack Aab
>
>
>
>
>
> On Tue, Sep 25, 2018 at 9:37 PM T Nguyen via dmarc-discuss <
> dmarc-discuss@dmarc.org> wrote:
>
> Could the syntax error caused by the receiving domain may not have the txt
> record to authorize the reports reception?
>
>
>
> *From:* T Nguyen 
> *Sent:* Tuesday, September 25, 2018 9:30 PM
> *To:* dmarc-discuss@dmarc.org
> *Subject:* Help
>
>
>
> Appreciate any insight to the scenario below:
>
>
>
>1. Can non-smtp ( no mx record ) domain example.com
>
> <https://eur04.safelinks.protection.outlook.com/?url=http%3A%2F%2Fexample.com&data=02%7C01%7C%7C783a87fd567f4a4a03d608d623b4fefe%7C84df9e7fe9f640afb435%7C1%7C0%7C636735657605244735&sdata=GDUodLDq9QiI0T1ulO8P5kCyUOLr%2FzSgSXGSgBvVkx4%3D&reserved=0>
>be protected by dmarc?  I inherited the below dmarc record for this
>example.com
>
> <https://eur04.safelinks.protection.outlook.com/?url=http%3A%2F%2Fexample.com&data=02%7C01%7C%7C783a87fd567f4a4a03d608d623b4fefe%7C84df9e7fe9f640afb435%7C1%7C0%7C636735657605244735&sdata=GDUodLDq9QiI0T1ulO8P5kCyUOLr%2FzSgSXGSgBvVkx4%3D&reserved=0>
>with  spf record as “ v=spf1 -all “.  The result was a dmarc syntax error.
>
>
>
> v=DMARC1; p=reject; pct=100; rua=mailto:dmarc-repo...@not-example.com
> ,mailto:repo...@example-not.com
>
>
>
>1. If dmarc cannot be implemented then what is the best way to protect
>this non-smtp domain example.com
>
> <https://eur04.safelinks.protection.outlook.com/?url=http%3A%2F%2Fexample.com&data=02%7C01%7C%7C783a87fd567f4a4a03d608d623b4fefe%7C84df9e7fe9f640afb435%7C1%7C0%7C636735657605244735&sdata=GDUodLDq9QiI0T1ulO8P5kCyUOLr%2FzSgSXGSgBvVkx4%3D&reserved=0>
>from being spoofed by mal-intention senders that can fool naïve users?
>Although with spf record “ v=spf1 -all “alone should work for dmarc record
>to set policy reject all email using this non-email domain example.com
>
> <https://eur04.safelinks.protection.outlook.com/?url=http%3A%2F%2Fexample.com&data=02%7C01%7C%7C783a87fd567f4a4a03d608d623b4fefe%7C84df9e7fe9f640afb435%7C1%7C0%7C636735657605244735&sdata=GDUodLDq9QiI0T1ulO8P5kCyUOLr%2FzSgSXGSgBvVkx4%3D&reserved=0>
>
>
>
> Thank you in advance,
>
> Best,
>
> tn
>
> ___
> dmarc-discuss mailing list
> dmarc-discuss@dmarc.org
> http://www.dmarc.org/mailman/listinfo/dmarc-discuss
> <https://eur04.safelinks.protection.out

Re: [dmarc-discuss] Help

[Zachary Aab via dmarc-discuss]

I can't say without knowing what is actually saying "Syntax Error."  What
is giving you that message, where are you seeing it?  A website, a report,
a filter, a bounce?  Without knowing that, the answer is "maybe."

My best,
Zack Aab

On Wed, Sep 26, 2018 at 3:06 PM T Nguyen  wrote:

> v=DMARC1; p=reject; pct=100; rua=mailto:dmarc-repo...@not-example.com
>
>
>
> For the case above how does dmarc reports receiving domain (
> not-example.com ) authorize example.com to send rua? The report generator
> constructs “ *example.com._report._dmarc.not-example.com
> <http://dmarc.not-example.com>* “ to check the authorization for a dns
> published record from not-example.com, would a “ syntax error “ generate
> then if no such published record found?
>
>
>
> Thanks,
>
> tn
>
>
>
> *From:* Zachary Aab 
> *Sent:* Wednesday, September 26, 2018 12:56 PM
> *To:* t.nguye...@outlook.com
> *Cc:* dmarc-discuss@dmarc.org
> *Subject:* Re: [dmarc-discuss] Help
>
>
>
> No problem!
>
> It's not strictly necessary, realistically most receivers will likely
> handle little things like that just fine.
>
>
>
> >Is the semicolon needed for the rua clause t the end for dmarc statement?
>
> I was just spitballing that if the syntax error you were talking about was
> from a "DMARC checker" like https://dmarcian.com/dmarc-inspector/
> <https://nam02.safelinks.protection.outlook.com/?url=https%3A%2F%2Fdmarcian.com%2Fdmarc-inspector%2F&data=02%7C01%7C%7C7733ed96804945dea67608d623d10766%7C84df9e7fe9f640afb435%7C1%7C0%7C636735778010009370&sdata=fKOhx%2Bu5%2FGt20BpG4jTHe%2BJt8RWMhHz1UBm6GvasRgE%3D&reserved=0>
> or similar, that might have been the cause (now that I poke the ones I know
> of with google.com
> <https://nam02.safelinks.protection.outlook.com/?url=http%3A%2F%2Fgoogle.com&data=02%7C01%7C%7C7733ed96804945dea67608d623d10766%7C84df9e7fe9f640afb435%7C1%7C0%7C636735778010009370&sdata=Jx7NurW5pXy3ej7Ox8o65uMy8wNy63FWl3%2BRa%2FINNxc%3D&reserved=0>,
> they all send back a thumbs up, however).
>
>
> My best,
>
> Zack Aab
>
> [image: Image removed by sender.]
> <https://nam02.safelinks.protection.outlook.com/?url=http%3A%2F%2Finboxpros.com%2F&data=02%7C01%7C%7C7733ed96804945dea67608d623d10766%7C84df9e7fe9f640afb435%7C1%7C0%7C636735778010009370&sdata=1DTLnLpGtMFq%2BLXNWqfgzMYazl70uUub0GtzNssfxng%3D&reserved=0>
>
> *Zack Aab** | **Sr. Deliverability Strategist* [image: Image removed by
> sender.]
> <https://nam02.safelinks.protection.outlook.com/?url=http%3A%2F%2Flinkedin.com%2Fin%2Fzachary-aab%2F&data=02%7C01%7C%7C7733ed96804945dea67608d623d10766%7C84df9e7fe9f640afb435%7C1%7C0%7C636735778010009370&sdata=ZWMUHn2EsdqyBvSZGJF23HyI8lSyhSUuPS3%2B3azF9rY%3D&reserved=0>
>
> *Inbox Pros
> <https://nam02.safelinks.protection.outlook.com/?url=http%3A%2F%2Finboxpros.com%2F&data=02%7C01%7C%7C7733ed96804945dea67608d623d10766%7C84df9e7fe9f640afb435%7C1%7C0%7C636735778010009370&sdata=1DTLnLpGtMFq%2BLXNWqfgzMYazl70uUub0GtzNssfxng%3D&reserved=0>
> *1995 N Park Place | Suite 300 | Atlanta
>
> O: 678.214.3739 | C: 706-870-1061 | z...@inboxpros.com
>
>
>
>
>
> On Wed, Sep 26, 2018 at 12:01 PM T Nguyen  wrote:
>
> Thank you response Zachary, will check to see how syntax error was
> generated.
>
>
>
> Is the semicolon needed for the rua clause t the end for dmarc statement?
> I’ve checked a couple including google.com
> <https://nam02.safelinks.protection.outlook.com/?url=http%3A%2F%2Fgoogle.com&data=02%7C01%7C%7C7733ed96804945dea67608d623d10766%7C84df9e7fe9f640afb435%7C1%7C0%7C636735778010009370&sdata=Jx7NurW5pXy3ej7Ox8o65uMy8wNy63FWl3%2BRa%2FINNxc%3D&reserved=0>
> but did not see any semicolon on their dmarc record.
>
>
>
> *Error! Filename not specified.*
>
>
>
>
>
> Best,
>
> Tien
>
>
>
> *Cc:* dmarc-discuss@dmarc.org
> *Subject:* Re: [dmarc-discuss] Help
>
>
>
> The sub/domain should be protected by the DMARC record even without an MX
> record, I can't find anything in the RFC to say otherwise and some senders
> (mostly marketing, ime) use 5322.from domains with no MX records and a
> "Reply-to:" header with a working domain.
>
>
>
> >Could the syntax error caused by the receiving domain may not have the
> txt record to authorize the reports reception?
>
> It certainly could, of course we can't check up on that without the
> domain.  The answer will probably depend on what is actually throwing the
> syntax error, is it a DMARC-checking tool on the internet, a receiver's
> D

Re: [dmarc-discuss] Help

[Lawrence Finch via dmarc-discuss]

> On Sep 26, 2018, at 5:40 PM, Jonathan Knopp via dmarc-discuss 
>  wrote:
> 
> To play devil's advocate: it doesn't explicitly provide unsubscribe 
> instructions directly in the email itself. A non-savvy user likely wouldn't 
> think to follow the non-obvious info link in the footer. And not all mail 
> clients make use of the list-unsubscribe header.
> 
> That said... why would any such person be on this list in the first place?
> 

Well, It’s clear that there is such a person, otherwise this wouldn’t have come 
up ;)

I had never thought about it until it was asked, then I went and looked for an 
easy answer, and found there wasn’t one. Despite what it sounds like, I’m not 
trying to be obstructionist. This is a very valuable list for me as site 
administrator for a number of lists. But I think a simple “unsubscribe” link 
would good addition.

Peace,
Larry



> On 2018-09-26 02:11 PM, Brandon Long via dmarc-discuss wrote:
>> Wait, folks are on this list who don't know the basics?
>> Ie:
>> List-Unsubscribe: , 
>> > ?subject=unsubscribe>
>> on every message?
>> Also, the link in the footer, 
>> http://www.dmarc.org/mailman/listinfo/dmarc-discuss, has a section that is 
>> the same on all mailman lists:
>> To unsubscribe from dmarc-discuss, get a password reminder, or change your 
>> subscription options enter your subscription email address:
>> So.. yeah.
>> Brandon
>> On Wed, Sep 26, 2018 at 2:04 PM Lawrence Finch via dmarc-discuss 
>> mailto:dmarc-discuss@dmarc.org>> wrote:
>>>On Sep 26, 2018, at 4:44 PM, Bongaerts Contract via dmarc-discuss 
>>> mailto:dmarc-discuss@dmarc.org>> wrote:
>>> 
>>>Hello, Would someone please be kind enough to tell me how to Unsubscribe 
>>> from these emails ?
>>> 
>>>Thank you.
>>> 
>>>Carl BongaertsTel: 416-831-7841
>>> 
>>You raise a really good question. The list violates US federal 
>> regulations by not providing instructions in every message about how to 
>> unsubscribe. And I just went to the Info page for the list, and there were 
>> no instructions to unsubscribe there either.
>>--
>>Larry Finch
>>finc...@portadmiral.org 
>>___
>>dmarc-discuss mailing list
>>dmarc-discuss@dmarc.org 
>>http://www.dmarc.org/mailman/listinfo/dmarc-discuss
>>NOTE: Participating in this list means you agree to the DMARC Note Well 
>> terms (http://www.dmarc.org/note_well.html)
>> ___
>> dmarc-discuss mailing list
>> dmarc-discuss@dmarc.org
>> http://www.dmarc.org/mailman/listinfo/dmarc-discuss
>> NOTE: Participating in this list means you agree to the DMARC Note Well 
>> terms (http://www.dmarc.org/note_well.html)
> ___
> dmarc-discuss mailing list
> dmarc-discuss@dmarc.org
> http://www.dmarc.org/mailman/listinfo/dmarc-discuss
> 
> NOTE: Participating in this list means you agree to the DMARC Note Well terms 
> (http://www.dmarc.org/note_well.html)


___
dmarc-discuss mailing list
dmarc-discuss@dmarc.org
http://www.dmarc.org/mailman/listinfo/dmarc-discuss

NOTE: Participating in this list means you agree to the DMARC Note Well terms 
(http://www.dmarc.org/note_well.html)

Re: [dmarc-discuss] help!

[Roland Turner via dmarc-discuss]

Implement DKIM with as many of your third parties as possible. Most have 
now realised that they can do their own key-rotation if they simply 
specify two CNAME records for you to put into your zone file (rather 
than issue you a key, or have you issue them one). Third-party SPF will 
generally not be reliable for DMARC purposes because it will usually 
contain the service-provider's domain name rather than yours and 
therefore not align for DMARC purposes, quite apart from the problem of 
SPF record size that you've already encountered, and the maintenance 
overhead (bear in mind that you'll have to discover service-provider IP 
addresses changes by noticing failures in DMARC feedback, meaning that 
you'll need long term automated monitoring).


- Roland



On 3/12/18 1:32 pm, T Nguyen via dmarc-discuss wrote:


SPF authentication only, no dkim just yet. As domain controller owner 
we have issue with multiple third party application email senders, 
which fail specifically our spf authentication. with too many third 
party email applications that overwhelms our spf records. Since these 
application email providers generate email on behalf of their 
customers, how can they provide domain authentication to the receiving 
ends?  Appreciate all the insight.



___
dmarc-discuss mailing list
dmarc-discuss@dmarc.org
http://www.dmarc.org/mailman/listinfo/dmarc-discuss

NOTE: Participating in this list means you agree to the DMARC Note Well terms 
(http://www.dmarc.org/note_well.html)



___
dmarc-discuss mailing list
dmarc-discuss@dmarc.org
http://www.dmarc.org/mailman/listinfo/dmarc-discuss

NOTE: Participating in this list means you agree to the DMARC Note Well terms 
(http://www.dmarc.org/note_well.html)

Re: [dmarc-discuss] help!

[Zachary Aab via dmarc-discuss]

1. Yep
2. This is whatever domain was in the Header From (5322.from) of the emails
being described in that row.  If any email is sent "from" a subdomain that
doesn't have its own DMARC record (as seen by the receiver), that subdomain
will appear in a   line as well.
3. The Aggregate report .xml has been updated to include the DKIM selector
and also the "scope" of the SPF.  This is telling you what was used for SPF
authentication for these emails: either the HELO/EHLO or the MAIL FROM (in
your example it is the MAIL FROM "mfrom").

My best,
Zack Aab

*Zack Aab | Sr. Deliverability Strategist*

*Inbox Pros  *1995 N Park Place | Suite 300 | Atlanta
O: 678.214.3739 | C: 706-870-1061 | z...@inboxpros.com


On Tue, Jan 8, 2019 at 9:19 AM T Nguyen via dmarc-discuss <
dmarc-discuss@dmarc.org> wrote:

> Hi Dmarc colleague,
>
> Pls help explain the tags below from the aggregate reports.  The scenario
> is as following:
>
> abc.com (main domain with dmarc record)
> xyz.abc.com (subdomain of abc.com with no dmarc record) only has spf
> record including ESP.com(111.222.333.444)
> Questions:
> 1. count tag ( # of same sender IP in the 24 hrs cycle? )
> 2. Is Identifier (header_from) tag always pointing to main domain in this
> case abc.com.
> 3. The scope tag "mfrom" in the auth section tag is it pointing to user
> display domain?  In this scenario xyz.abc.com that passes the spf?
>
> Appreciate your prompt response as always.  We need to understand the
> dmarc reports to start moving to p=quarantine and hopefully to reject soon.
>
>
> 
> ​
> 111.222.333.444​
> 5​
> ​
> none​
> fail​
> fail​
> ​
> ​
> ​
> abc.com​
> ​
> ​
>  ​
>  ​
> ESP.com​
> mfrom​
> pass​
> ​
> ​
> ​
>
> ___
> dmarc-discuss mailing list
> dmarc-discuss@dmarc.org
> http://www.dmarc.org/mailman/listinfo/dmarc-discuss
>
> NOTE: Participating in this list means you agree to the DMARC Note Well
> terms (http://www.dmarc.org/note_well.html)
___
dmarc-discuss mailing list
dmarc-discuss@dmarc.org
http://www.dmarc.org/mailman/listinfo/dmarc-discuss

NOTE: Participating in this list means you agree to the DMARC Note Well terms 
(http://www.dmarc.org/note_well.html)

Re: [dmarc-discuss] help!

[Paul Rock via dmarc-discuss]

No, mfrom is the RFC5321 sender (the MAIL FROM: during the SMTP
transaction). The user visible from address is the RFC5322 from header.
Which is why even though it passed SPF, SPF Fails on DMARC evaluation
because 5321 mail from domain of "ESP.com" doesn't align with the 5322 from
header domain of "abc.com"

On Tue, Jan 8, 2019 at 2:27 PM T Nguyen via dmarc-discuss <
dmarc-discuss@dmarc.org> wrote:

> Thanks Jack for your prompt response.
>
> On 3. So this MAIL FROM (mfrom) is the user’s display domain from sender
> email address that DMARC uses to align against spf and dkim.
>
> Best,
> Tnguyen
>
> On Jan 8, 2019, at 9:52 AM, Zachary Aab  wrote:
>
> 1. Yep
> 2. This is whatever domain was in the Header From (5322.from) of the
> emails being described in that row.  If any email is sent "from" a
> subdomain that doesn't have its own DMARC record (as seen by the receiver),
> that subdomain will appear in a   line as well.
> 3. The Aggregate report .xml has been updated to include the DKIM selector
> and also the "scope" of the SPF.  This is telling you what was used for SPF
> authentication for these emails: either the HELO/EHLO or the MAIL FROM (in
> your example it is the MAIL FROM "mfrom").
>
> My best,
> Zack Aab
>
> 
> *Zack Aab | Sr. Deliverability Strategist*
> 
> *Inbox Pros
> 
> *1995 N Park Place | Suite 300 | Atlanta
> O: 678.214.3739 | C: 706-870-1061 | z...@inboxpros.com
>
>
> On Tue, Jan 8, 2019 at 9:19 AM T Nguyen via dmarc-discuss <
> dmarc-discuss@dmarc.org> wrote:
>
>> Hi Dmarc colleague,
>>
>> Pls help explain the tags below from the aggregate reports.  The scenario
>> is as following:
>>
>> abc.com
>> 
>> (main domain with dmarc record)
>> xyz.abc.com
>> 
>> (subdomain of abc.com
>> 
>> with no dmarc record) only has spf record including ESP.com(
>> 111.222.333.444)
>> Questions:
>> 1. count tag ( # of same sender IP in the 24 hrs cycle? )
>> 2. Is Identifier (header_from) tag always pointing to main domain in this
>> case abc.com
>> 
>> .
>> 3. The scope tag "mfrom" in the auth section tag is it pointing to user
>> display domain?  In this scenario xyz.abc.com
>> 
>> that passes the spf?
>>
>> Appreciate your prompt response as always.  We need to understand the
>> dmarc reports to start moving to p=quarantine and hopefully to reject soon.
>>
>>
>> 
>> ​
>> 111.222.333.444​
>> 5​
>> ​
>> none​
>> fail​
>> fail​
>> ​
>> ​
>> ​
>> abc.com
>> 
>> ​
>> ​
>> ​
>>  ​
>>  ​
>> ESP.com​
>>

Re: [dmarc-discuss] help!

[Zachary Aab via dmarc-discuss]

>does DMARC fail even with adfs and adkim implicitly as “r” relaxed?

By adfs do you mean aspf?  If so: yes, "r" aka "relaxed" means that
subdomains of the same parent domain are considered aligned (eg: sub.abc.com
is aligned with othersub.abc.com) and "s" aka "strict" means that the
subdomains must be identical in order to align.  Either way, the
authentication (DKIM or SPF) still must share a parent domain with the
Header From.  The example shows two different parent domains: "esp.com" in
the MAIL FROM and "abc.com" in the Header From, so they are not aligned and
cannot pass DMARC without changing.

My best,
Zack Aab
<http://inboxpros.com/>
*Zack Aab | Sr. Deliverability Strategist*
<http://linkedin.com/in/zachary-aab/>
*Inbox Pros <http://inboxpros.com/> *1995 N Park Place | Suite 300 | Atlanta
O: 678.214.3739 | C: 706-870-1061 | z...@inboxpros.com


On Tue, Jan 8, 2019 at 9:01 PM T Nguyen  wrote:

>
>
> Thanks Paul, does DMARC fail even with adfs and adkim implicitly as “r”
> relaxed?
>
>
>
> *From:* Paul Rock 
> *Sent:* Tuesday, January 8, 2019 2:54 PM
> *To:* T Nguyen 
> *Cc:* Zachary Aab ; dmarc-discuss@dmarc.org
> *Subject:* Re: [dmarc-discuss] help!
>
>
>
> No, mfrom is the RFC5321 sender (the MAIL FROM: during the SMTP
> transaction). The user visible from address is the RFC5322 from header.
> Which is why even though it passed SPF, SPF Fails on DMARC evaluation
> because 5321 mail from domain of "ESP.com" doesn't align with the 5322 from
> header domain of "abc.com
> <https://eur04.safelinks.protection.outlook.com/?url=http%3A%2F%2Fabc.com&data=02%7C01%7C%7C53714943d1584ad059f608d675a30dd2%7C84df9e7fe9f640afb435%7C1%7C0%7C636825740500389841&sdata=I8dqocrF0Jn%2B5GHEEtT%2FwE9hWu9YhgQSSOYSzOsyrec%3D&reserved=0>
> "
>
>
>
> On Tue, Jan 8, 2019 at 2:27 PM T Nguyen via dmarc-discuss <
> dmarc-discuss@dmarc.org> wrote:
>
> Thanks Jack for your prompt response.
>
>
>
> On 3. So this MAIL FROM (mfrom) is the user’s display domain from sender
> email address that DMARC uses to align against spf and dkim.
>
>
>
> Best,
>
> Tnguyen
>
>
> On Jan 8, 2019, at 9:52 AM, Zachary Aab  wrote:
>
> 1. Yep
>
> 2. This is whatever domain was in the Header From (5322.from) of the
> emails being described in that row.  If any email is sent "from" a
> subdomain that doesn't have its own DMARC record (as seen by the receiver),
> that subdomain will appear in a   line as well.
>
> 3. The Aggregate report .xml has been updated to include the DKIM selector
> and also the "scope" of the SPF.  This is telling you what was used for SPF
> authentication for these emails: either the HELO/EHLO or the MAIL FROM (in
> your example it is the MAIL FROM "mfrom").
>
>
> My best,
>
> Zack Aab
>
>
> <https://eur04.safelinks.protection.outlook.com/?url=http%3A%2F%2Finboxpros.com%2F&data=02%7C01%7C%7C53714943d1584ad059f608d675a30dd2%7C84df9e7fe9f640afb435%7C1%7C0%7C636825740500389841&sdata=0CUuhsWHM7eM%2F9qEynkzhkK2aj5Hf%2F5wdFxgw3cUCOY%3D&reserved=0>
>
> *Zack Aab | Sr. Deliverability Strategist
> <https://eur04.safelinks.protection.outlook.com/?url=http%3A%2F%2Finboxpros.com%2F&data=02%7C01%7C%7C53714943d1584ad059f608d675a30dd2%7C84df9e7fe9f640afb435%7C1%7C0%7C636825740500389841&sdata=0CUuhsWHM7eM%2F9qEynkzhkK2aj5Hf%2F5wdFxgw3cUCOY%3D&reserved=0>*
>
> *Inbox Pros 1995 N Park Place | Suite 300 | Atlanta
> <https://eur04.safelinks.protection.outlook.com/?url=http%3A%2F%2Finboxpros.com%2F&data=02%7C01%7C%7C53714943d1584ad059f608d675a30dd2%7C84df9e7fe9f640afb435%7C1%7C0%7C636825740500389841&sdata=0CUuhsWHM7eM%2F9qEynkzhkK2aj5Hf%2F5wdFxgw3cUCOY%3D&reserved=0>*
>
> O: 678.214.3739 | C: 706-870-1061 | *z...@inboxpros.com*
> <https://eur04.safelinks.protection.outlook.com/?url=http%3A%2F%2Finboxpros.com%2F&data=02%7C01%7C%7C53714943d1584ad059f608d675a30dd2%7C84df9e7fe9f640afb435%7C1%7C0%7C636825740500389841&sdata=0CUuhsWHM7eM%2F9qEynkzhkK2aj5Hf%2F5wdFxgw3cUCOY%3D&reserved=0>
>
>
> <https://eur04.safelinks.protection.outlook.com/?url=http%3A%2F%2Finboxpros.com%2F&data=02%7C01%7C%7C53714943d1584ad059f608d675a30dd2%7C84df9e7fe9f640afb435%7C1%7C0%7C636825740500389841&sdata=0CUuhsWHM7eM%2F9qEynkzhkK2aj5Hf%2F5wdFxgw3cUCOY%3D&reserved=0>
>
>
> <https://eur04.safelinks.protection.outlook.com/?url=http%3A%2F%2Finboxpros.com%2F&data=02%7C01%7C%7C53714943d1584ad059f608d675a30dd2%7C84df9e7fe9f640afb435%7C1%7C0%7C636825740500389841&sdata=0CUuhsWHM7eM%2F9qEynkzhkK2aj5Hf%2F5wdFxgw3cUCOY%

Re: [dmarc-discuss] help!

[Paul Rock via dmarc-discuss]

SPF checks run against the actual mfrom domain (or in some cases the
HELO/EHLO domain), in this case it'll check the SPF record for ESP.com,
which passed. SPF doesn't know/care about the from header (and in many
systems, that header hasn't even crossed the wire yet) so it can't do an
SPF check using the from header. That's why DMARC looks at both the
alignment of the SPF domain in question as well as the SPF result. And just
to be clear, the DMARC logic is only looking at the result of a SPF check,
it doesn't try to do one on it's own. Because ESP.com doesn't align with
abc.com, it fails the SPF portion of the DMARC evaluation.

On Wed, Jan 9, 2019 at 11:01 AM T Nguyen  wrote:

> Yes Zack, I meant aSPF relaxed as it's implied without specifically
> indicated in dmarc record.
>
> To clarify ESP.com(111.222.333.444 - source IP) is the external web app
> Email Service Provider so abc.com (MX & DMARC enable) users can send
> email to large internet groups via non-MX subdomain u...@xyz.abc.com. (
> this subdomain xyz.abc.com has spf record with include sender ESP.com -
> note that abc.com only receives rua for the subdomain but no spf record
> for ESP.com).
>
> The second part of the record is very confusing. If the mfrom performs spf
> check against abc.com then it should fail.  spf only passes if checking
> against the subdomain xyz.abc.com
>
> *​*
> *abc.com <http://abc.com>​*
> *​*
> *​*
> * ​*
> * ​*
> *ESP.com​*
> *mfrom​*
> *pass​*
> *​*
> **
>
> --
> *From:* Zachary Aab 
> *Sent:* Wednesday, January 9, 2019 10:25 AM
> *To:* T Nguyen
> *Cc:* Paul Rock; dmarc-discuss@dmarc.org
> *Subject:* Re: [dmarc-discuss] help!
>
> >does DMARC fail even with adfs and adkim implicitly as “r” relaxed?
>
> By adfs do you mean aspf?  If so: yes, "r" aka "relaxed" means that
> subdomains of the same parent domain are considered aligned (eg:
> sub.abc.com
> <https://eur01.safelinks.protection.outlook.com/?url=http%3A%2F%2Fsub.abc.com&data=02%7C01%7C%7C2b7351512b84409965ef08d67646c3cd%7C84df9e7fe9f640afb435%7C1%7C0%7C636826443633910086&sdata=3gZUoG9PNsFOaOFCk5Dfj5ST7sGUpslJkeY3zcmRA3A%3D&reserved=0>
> is aligned with othersub.abc.com
> <https://eur01.safelinks.protection.outlook.com/?url=http%3A%2F%2Fothersub.abc.com&data=02%7C01%7C%7C2b7351512b84409965ef08d67646c3cd%7C84df9e7fe9f640afb435%7C1%7C0%7C636826443633910086&sdata=oVuC1mmsu9tFaoTCg%2BqgR81bFCrDri2oNwhaqmoXSLE%3D&reserved=0>)
> and "s" aka "strict" means that the subdomains must be identical in order
> to align.  Either way, the authentication (DKIM or SPF) still must share a
> parent domain with the Header From.  The example shows two different parent
> domains: "esp.com
> <https://eur01.safelinks.protection.outlook.com/?url=http%3A%2F%2Fesp.com&data=02%7C01%7C%7C2b7351512b84409965ef08d67646c3cd%7C84df9e7fe9f640afb435%7C1%7C0%7C636826443633910086&sdata=zNbTLgoOViCnmfVT%2BD6bToEDcoLf%2BnNg7hgapqeRFO0%3D&reserved=0>"
> in the MAIL FROM and "abc.com
> <https://eur01.safelinks.protection.outlook.com/?url=http%3A%2F%2Fabc.com&data=02%7C01%7C%7C2b7351512b84409965ef08d67646c3cd%7C84df9e7fe9f640afb435%7C1%7C0%7C636826443633910086&sdata=Ggpq3SLDyTV%2B5f8P9oC46P8q8Jer2Gq4kka464qj5sI%3D&reserved=0>"
> in the Header From, so they are not aligned and cannot pass DMARC without
> changing.
>
> My best,
> Zack Aab
>
> <https://eur01.safelinks.protection.outlook.com/?url=http%3A%2F%2Finboxpros.com%2F&data=02%7C01%7C%7C2b7351512b84409965ef08d67646c3cd%7C84df9e7fe9f640afb435%7C1%7C0%7C636826443633910086&sdata=MZjNxEILv7w5tznxnZ8Nh2cCyIWqLYhXWjCQWV9ec5g%3D&reserved=0>
> *Zack Aab | Sr. Deliverability Strategist*
> <https://eur01.safelinks.protection.outlook.com/?url=http%3A%2F%2Flinkedin.com%2Fin%2Fzachary-aab%2F&data=02%7C01%7C%7C2b7351512b84409965ef08d67646c3cd%7C84df9e7fe9f640afb435%7C1%7C0%7C636826443633910086&sdata=c3Qx%2BkNSsDxxsFkJ2l18TQQoayX2zZjV4iZnXEvpyuQ%3D&reserved=0>
> *Inbox Pros
> <https://eur01.safelinks.protection.outlook.com/?url=http%3A%2F%2Finboxpros.com%2F&data=02%7C01%7C%7C2b7351512b84409965ef08d67646c3cd%7C84df9e7fe9f640afb435%7C1%7C0%7C636826443633910086&sdata=MZjNxEILv7w5tznxnZ8Nh2cCyIWqLYhXWjCQWV9ec5g%3D&reserved=0>
> *1995 N Park Place | Suite 300 | Atlanta
> O: 678.214.3739 | C: 706-870-1061 | z...@inboxpros.com
>
>
> On Tue, Jan 8, 2019 at 9:01 PM T Nguyen  wrote:
>
>
>
> Thanks Paul, d

Re: [dmarc-discuss] help!

[Zachary Aab via dmarc-discuss]

That is a mistake a LOT of senders make, and it's often the fault of their
ESP which provided incomplete or even wrong information.
Just to reinforce what Paul said:
The Header From IS NOT checked for SPF.  The MAIL FROM (aka Return-Path aka
Envelope-From) IS checked for SPF.
My best,
Zack Aab
<http://inboxpros.com/>
*Zack Aab | Sr. Deliverability Strategist*
<http://linkedin.com/in/zachary-aab/>
*Inbox Pros <http://inboxpros.com/> *1995 N Park Place | Suite 300 | Atlanta
O: 678.214.3739 | C: 706-870-1061 | z...@inboxpros.com


On Wed, Jan 9, 2019 at 11:09 AM Paul Rock  wrote:

> SPF checks run against the actual mfrom domain (or in some cases the
> HELO/EHLO domain), in this case it'll check the SPF record for ESP.com,
> which passed. SPF doesn't know/care about the from header (and in many
> systems, that header hasn't even crossed the wire yet) so it can't do an
> SPF check using the from header. That's why DMARC looks at both the
> alignment of the SPF domain in question as well as the SPF result. And just
> to be clear, the DMARC logic is only looking at the result of a SPF check,
> it doesn't try to do one on it's own. Because ESP.com doesn't align with
> abc.com, it fails the SPF portion of the DMARC evaluation.
>
> On Wed, Jan 9, 2019 at 11:01 AM T Nguyen  wrote:
>
>> Yes Zack, I meant aSPF relaxed as it's implied without specifically
>> indicated in dmarc record.
>>
>> To clarify ESP.com(111.222.333.444 - source IP) is the external web app
>> Email Service Provider so abc.com (MX & DMARC enable) users can send
>> email to large internet groups via non-MX subdomain u...@xyz.abc.com. (
>> this subdomain xyz.abc.com has spf record with include sender ESP.com -
>> note that abc.com only receives rua for the subdomain but no spf record
>> for ESP.com).
>>
>> The second part of the record is very confusing. If the mfrom performs
>> spf check against abc.com then it should fail.  spf only passes if
>> checking against the subdomain xyz.abc.com
>>
>> *​*
>> *abc.com <http://abc.com>​*
>> *​*
>> *​*
>> * ​*
>> * ​*
>> *ESP.com​*
>> *mfrom​*
>> *    pass​*
>> *​*
>> **
>>
>> --
>> *From:* Zachary Aab 
>> *Sent:* Wednesday, January 9, 2019 10:25 AM
>> *To:* T Nguyen
>> *Cc:* Paul Rock; dmarc-discuss@dmarc.org
>> *Subject:* Re: [dmarc-discuss] help!
>>
>> >does DMARC fail even with adfs and adkim implicitly as “r” relaxed?
>>
>> By adfs do you mean aspf?  If so: yes, "r" aka "relaxed" means that
>> subdomains of the same parent domain are considered aligned (eg:
>> sub.abc.com
>> <https://eur01.safelinks.protection.outlook.com/?url=http%3A%2F%2Fsub.abc.com&data=02%7C01%7C%7C2b7351512b84409965ef08d67646c3cd%7C84df9e7fe9f640afb435%7C1%7C0%7C636826443633910086&sdata=3gZUoG9PNsFOaOFCk5Dfj5ST7sGUpslJkeY3zcmRA3A%3D&reserved=0>
>> is aligned with othersub.abc.com
>> <https://eur01.safelinks.protection.outlook.com/?url=http%3A%2F%2Fothersub.abc.com&data=02%7C01%7C%7C2b7351512b84409965ef08d67646c3cd%7C84df9e7fe9f640afb435%7C1%7C0%7C636826443633910086&sdata=oVuC1mmsu9tFaoTCg%2BqgR81bFCrDri2oNwhaqmoXSLE%3D&reserved=0>)
>> and "s" aka "strict" means that the subdomains must be identical in order
>> to align.  Either way, the authentication (DKIM or SPF) still must share a
>> parent domain with the Header From.  The example shows two different parent
>> domains: "esp.com
>> <https://eur01.safelinks.protection.outlook.com/?url=http%3A%2F%2Fesp.com&data=02%7C01%7C%7C2b7351512b84409965ef08d67646c3cd%7C84df9e7fe9f640afb435%7C1%7C0%7C636826443633910086&sdata=zNbTLgoOViCnmfVT%2BD6bToEDcoLf%2BnNg7hgapqeRFO0%3D&reserved=0>"
>> in the MAIL FROM and "abc.com
>> <https://eur01.safelinks.protection.outlook.com/?url=http%3A%2F%2Fabc.com&data=02%7C01%7C%7C2b7351512b84409965ef08d67646c3cd%7C84df9e7fe9f640afb435%7C1%7C0%7C636826443633910086&sdata=Ggpq3SLDyTV%2B5f8P9oC46P8q8Jer2Gq4kka464qj5sI%3D&reserved=0>"
>> in the Header From, so they are not aligned and cannot pass DMARC without
>> changing.
>>
>> My best,
>> Zack Aab
>>
>> <https://eur01.safelinks.protection.outlook.com/?url=http%3A%2F%2Finboxpros.com%2F&data=02%7C01%7C%7C2b7351512b84409965ef08d67646c3cd%7C84df9e7fe9f640afb435%7C1%7C0%7C636826443633910086&sdata=MZjNxEILv7w5tznxnZ8Nh2

Re: [dmarc-discuss] help!

[Zachary Aab via dmarc-discuss]

The MAIL FROM is not easily spoofed if there is SPF, that's SPF's role.
The displayed Header From *is* easily spoofed, which is why we have DMARC.
DMARC is based on the displayed Header From that the user sees and matches
that domain to either the DKIM or the MAIL FROM, because if the Header From
is the same as a 'proven' domain (DKIM is proven by DKIM passing and MAIL
FROM is proven by SPF passing), then the displayed Header From is also
proven.
If the displayed Header From is not the same as a proven domain (DKIM or
MAIL FROM), then the DMARC policy (p=__) is consulted to see if the owner
of the domain wants the email quarantined or rejected.
My best,
Zack Aab
<http://inboxpros.com/>
*Zack Aab | Sr. Deliverability Strategist*
<http://linkedin.com/in/zachary-aab/>
*Inbox Pros <http://inboxpros.com/> *1995 N Park Place | Suite 300 | Atlanta
O: 678.214.3739 | C: 706-870-1061 | z...@inboxpros.com


On Wed, Jan 9, 2019 at 11:54 AM T Nguyen  wrote:

> Thank you Zack for the prompt response.
>
> The mfrom, MAIL FROM (aka Return-Path aka Envelope-From), is very easily
> spoofed and we received lots of spoofing email where Envelope-From is not
> aligned with the display "from", where recipients sees the sender email
> address. From my understanding that dmarc alignment is based on domain of
> this display "from", correct?
> --
> *From:* Zachary Aab 
> *Sent:* Wednesday, January 9, 2019 11:30 AM
> *To:* Paul Rock
> *Cc:* T Nguyen; dmarc-discuss@dmarc.org
> *Subject:* Re: [dmarc-discuss] help!
>
> That is a mistake a LOT of senders make, and it's often the fault of their
> ESP which provided incomplete or even wrong information.
> Just to reinforce what Paul said:
> The Header From IS NOT checked for SPF.  The MAIL FROM (aka Return-Path
> aka Envelope-From) IS checked for SPF.
> My best,
> Zack Aab
>
> <https://nam04.safelinks.protection.outlook.com/?url=http%3A%2F%2Finboxpros.com%2F&data=02%7C01%7C%7Cad80133303de41b7bb4d08d6764fe350%7C84df9e7fe9f640afb435%7C1%7C0%7C636826482818792379&sdata=imfvaUHmoK6aSpR%2Bi154kCg9xuwRmM4TEUPYFea0yBg%3D&reserved=0>
> *Zack Aab | Sr. Deliverability Strategist*
> <https://nam04.safelinks.protection.outlook.com/?url=http%3A%2F%2Flinkedin.com%2Fin%2Fzachary-aab%2F&data=02%7C01%7C%7Cad80133303de41b7bb4d08d6764fe350%7C84df9e7fe9f640afb435%7C1%7C0%7C636826482818792379&sdata=2jEytKMVd5OD2qF%2FgolSZTPtKNiTcBLqt95wMCnf%2Fcg%3D&reserved=0>
> *Inbox Pros
> <https://nam04.safelinks.protection.outlook.com/?url=http%3A%2F%2Finboxpros.com%2F&data=02%7C01%7C%7Cad80133303de41b7bb4d08d6764fe350%7C84df9e7fe9f640afb435%7C1%7C0%7C636826482818948621&sdata=NScQ7s4NBocrVp2E3ACUHWMk44fYle6N2xlRfCADxtA%3D&reserved=0>
> *1995 N Park Place | Suite 300 | Atlanta
> O: 678.214.3739 | C: 706-870-1061 | z...@inboxpros.com
>
>
> On Wed, Jan 9, 2019 at 11:09 AM Paul Rock  wrote:
>
> SPF checks run against the actual mfrom domain (or in some cases the
> HELO/EHLO domain), in this case it'll check the SPF record for ESP.com,
> which passed. SPF doesn't know/care about the from header (and in many
> systems, that header hasn't even crossed the wire yet) so it can't do an
> SPF check using the from header. That's why DMARC looks at both the
> alignment of the SPF domain in question as well as the SPF result. And just
> to be clear, the DMARC logic is only looking at the result of a SPF check,
> it doesn't try to do one on it's own. Because ESP.com doesn't align with
> abc.com
> <https://nam04.safelinks.protection.outlook.com/?url=http%3A%2F%2Fabc.com&data=02%7C01%7C%7Cad80133303de41b7bb4d08d6764fe350%7C84df9e7fe9f640afb435%7C1%7C0%7C636826482818948621&sdata=w4v%2Fi0VCn5RABPjrsjUd1tVieHJrchaoMFfVE1EcFlo%3D&reserved=0>,
> it fails the SPF portion of the DMARC evaluation.
>
> On Wed, Jan 9, 2019 at 11:01 AM T Nguyen  wrote:
>
> Yes Zack, I meant aSPF relaxed as it's implied without specifically
> indicated in dmarc record.
>
> To clarify ESP.com(111.222.333.444 - source IP) is the external web app
> Email Service Provider so abc.com
> <https://nam04.safelinks.protection.outlook.com/?url=http%3A%2F%2Fabc.com&data=02%7C01%7C%7Cad80133303de41b7bb4d08d6764fe350%7C84df9e7fe9f640afb435%7C1%7C0%7C636826482818948621&sdata=w4v%2Fi0VCn5RABPjrsjUd1tVieHJrchaoMFfVE1EcFlo%3D&reserved=0>
> (MX & DMARC enable) users can send email to large internet groups via
> non-MX subdomain u...@xyz.abc.com. ( this subdomain xyz.abc.com
> <https://nam04.safelinks.protection.outlook.com/?url=http%3A%2F%2Fxyz.abc.com&data=02%7C01%7C%7Cad80133303de41b7bb4d08d6764fe350%7C84df9e7fe9f640a

Re: [dmarc-discuss] Help - updataed

[Roland Turner via dmarc-discuss]

What is a DMARC syntax error? (Which tool gave this? What operation was 
it performing at the time?)


Yes,

   example.com TXT "v=spf1 -all"
   _dmarc.example.com "v=DMARC1; p=reject;"

is a reasonable way to announce that a domain can never be used for 
sending email.


- Roland


On 26/09/18 10:04, T Nguyen via dmarc-discuss wrote:


Hi dmarc-discussing group,

Updated a few things that came to me after sending the previous message.

 1. Can non-smtp ( no mx record ) domain example.com be protected by
dmarc?  I inherited the below dmarc record for this example.com
with  spf record as “ v=spf1 -all “.  The result was a dmarc
syntax error.  It could be that the syntax error caused by the
receiving domain not have the text record to authorize the reports
receptions?

v=DMARC1; p=reject; pct=100; 
rua=mailto:dmarc-repo...@not-example.com,mailto:repo...@example-not.com


 2. If dmarc cannot be implemented then what is the best way to
protect this non-smtp domain example.com from being spoofed by
mal-intention senders that can fool naïve users?  Although with
spf record “ v=spf1 -all “alone should work for dmarc record to
set policy reject all email using this non-email domain
example.com. Just realized that dkim cannot be generated without a
mail server to maintain the private key.

Thank you in advance,

Best,

tn



___
dmarc-discuss mailing list
dmarc-discuss@dmarc.org
http://www.dmarc.org/mailman/listinfo/dmarc-discuss

NOTE: Participating in this list means you agree to the DMARC Note Well terms 
(http://www.dmarc.org/note_well.html)



___
dmarc-discuss mailing list
dmarc-discuss@dmarc.org
http://www.dmarc.org/mailman/listinfo/dmarc-discuss

NOTE: Participating in this list means you agree to the DMARC Note Well terms 
(http://www.dmarc.org/note_well.html)

[dmarc-discuss] Help Some Stranger is Using My Email

[theresa]

Help!  Some stranger is using my email address to email out to others spam and junk emails.  I am getting the bounced back emails in my inbox.  I contacted Support at Go Daddy and they told me to create an SPF record.  It did not work.I wonder how a person learned to do this?What can I do to stop them?Theresa Barbero972-939-5484
___
dmarc-discuss mailing list
dmarc-discuss@dmarc.org
http://www.dmarc.org/mailman/listinfo/dmarc-discuss

NOTE: Participating in this list means you agree to the DMARC Note Well terms 
(http://www.dmarc.org/note_well.html)

Re: [dmarc-discuss] Help Some Stranger is Using My Email

[John Levine]

In article 
<20120928174534.686b293d225b331299ec831982b2e377.bc8a0f7fd6@email16.secureserver.net>
 you write:
>-=-=-=-=-=-
>Help!  Some stranger is using my email address to email out to others spam and
>junk emails.  I am getting the bounced back emails in my inbox.  

On a bad day, I've gotten 300,000 bounced back messages due to
spammers forging my addresses.  How many are you seeing?

R's,
John
___
dmarc-discuss mailing list
dmarc-discuss@dmarc.org
http://www.dmarc.org/mailman/listinfo/dmarc-discuss

NOTE: Participating in this list means you agree to the DMARC Note Well terms 
(http://www.dmarc.org/note_well.html)

Re: [dmarc-discuss] Help Some Stranger is Using My Email

[Benny Pedersen]

John Levine skrev den 29-09-2012 06:13:


On a bad day, I've gotten 300,000 bounced back messages due to
spammers forging my addresses.  How many are you seeing?


could you be less sakastisk here ?


___
dmarc-discuss mailing list
dmarc-discuss@dmarc.org
http://www.dmarc.org/mailman/listinfo/dmarc-discuss

NOTE: Participating in this list means you agree to the DMARC Note Well terms 
(http://www.dmarc.org/note_well.html)

Re: [dmarc-discuss] Help Some Stranger is Using My Email

[Benny Pedersen]

ther...@americanrecruitmentservices.com skrev den 29-09-2012 02:45:

Help! Some stranger is using my email address to email out to others
spam and junk emails. I am getting the bounced back emails in my
inbox.


block the bounce sender ip, not the sender, atleast that way you can 
say if thay want to prevent you blocking your own domain then thay could 
use spf to reject forges, so yes spf helps


the problem is that not all bounce back hosts do use spf :(


I contacted Support at Go Daddy and they told me to create an SPF
record. It did not work.


an you think it would be better without a spf ?


I wonder how a person learned to do this?


maybe the sander do not have to get mailed back becurse of to much 
forged spamming ?



What can I do to stop them?


nothing only reject sender ip that bounce back to you, but then you 
must provide spf first as godaddy say


dont get inspired of gmail and hotmail, gmail use neotral spf, and 
hotmail use softfail, so thay are on the spammers side there :(


if you recieve MAILER-DAEMON mail from another server then this server 
is badly configured, that server accept and later bounce :/




___
dmarc-discuss mailing list
dmarc-discuss@dmarc.org
http://www.dmarc.org/mailman/listinfo/dmarc-discuss

NOTE: Participating in this list means you agree to the DMARC Note Well terms 
(http://www.dmarc.org/note_well.html)

Re: [dmarc-discuss] Help Some Stranger is Using My Email

[Murray Kucherawy]

There's nothing in the base email protocols that prevents one from sending mail 
as you.  That's what the email authentication field is all about.

SPF doesn't solve the problem by itself.

What needs to happen is general industry adoption of protocols and services 
that implement DMARC and/or protocols like it.

-MSK

From: 
mailto:ther...@americanrecruitmentservices.com>>
Date: Fri, 28 Sep 2012 17:45:34 -0700
To: mailto:dmarc-discuss@dmarc.org>>
Subject: [dmarc-discuss] Help Some Stranger is Using My Email

Help!  Some stranger is using my email address to email out to others spam and 
junk emails.  I am getting the bounced back emails in my inbox.

I contacted Support at Go Daddy and they told me to create an SPF record.  It 
did not work.

I wonder how a person learned to do this?
What can I do to stop them?

Theresa Barbero
972-939-5484
___ dmarc-discuss mailing list 
dmarc-discuss@dmarc.org<mailto:dmarc-discuss@dmarc.org> 
http://www.dmarc.org/mailman/listinfo/dmarc-discuss NOTE: Participating in this 
list means you agree to the DMARC Note Well terms 
(http://www.dmarc.org/note_well.html)
___
dmarc-discuss mailing list
dmarc-discuss@dmarc.org
http://www.dmarc.org/mailman/listinfo/dmarc-discuss

NOTE: Participating in this list means you agree to the DMARC Note Well terms 
(http://www.dmarc.org/note_well.html)

Re: [dmarc-discuss] Help Some Stranger is Using My Email

[Franck Martin]

Theresa,

I checked, you don't have an SPF record for the domain 
americanrecruitmentservices.com.

I suggest you look for an email/deliverability/IT specialist in your area to 
help you set up your IT operations.

Cheers.

From: Murray Kucherawy mailto:m...@fb.com>>
Date: Sunday, September 30, 2012 9:25 AM
To: "dmarc-discuss@dmarc.org<mailto:dmarc-discuss@dmarc.org>" 
mailto:dmarc-discuss@dmarc.org>>
Subject: Re: [dmarc-discuss] Help Some Stranger is Using My Email

There's nothing in the base email protocols that prevents one from sending mail 
as you.  That's what the email authentication field is all about.

SPF doesn't solve the problem by itself.

What needs to happen is general industry adoption of protocols and services 
that implement DMARC and/or protocols like it.

-MSK

From: 
mailto:ther...@americanrecruitmentservices.com>>
Date: Fri, 28 Sep 2012 17:45:34 -0700
To: mailto:dmarc-discuss@dmarc.org>>
Subject: [dmarc-discuss] Help Some Stranger is Using My Email

Help!  Some stranger is using my email address to email out to others spam and 
junk emails.  I am getting the bounced back emails in my inbox.

I contacted Support at Go Daddy and they told me to create an SPF record.  It 
did not work.

I wonder how a person learned to do this?
What can I do to stop them?

Theresa Barbero
972-939-5484
___ dmarc-discuss mailing list 
dmarc-discuss@dmarc.org<mailto:dmarc-discuss@dmarc.org> 
http://www.dmarc.org/mailman/listinfo/dmarc-discuss NOTE: Participating in this 
list means you agree to the DMARC Note Well terms 
(http://www.dmarc.org/note_well.html)
___
dmarc-discuss mailing list
dmarc-discuss@dmarc.org
http://www.dmarc.org/mailman/listinfo/dmarc-discuss

NOTE: Participating in this list means you agree to the DMARC Note Well terms 
(http://www.dmarc.org/note_well.html)