Re: [mailop] How to allow different domain in envelope and header from? (Is Gmails DMARC check broken?)

2020-06-05 Thread Ralph Seichter via mailop
* Al Iverson via mailop:

> Sorry, Ralph, you're really on the wrong track here.

I'm OK with agreeing to disagree, and the discussion in itself has merit
even if we have different opinions. I did not claim that my method is
suitable for each and every case, however I do know it works nicely for
the scenarios I have had to deal with so far.

-Ralph

___
mailop mailing list
mailop@mailop.org
https://chilli.nosignal.org/cgi-bin/mailman/listinfo/mailop


Re: [mailop] How to allow different domain in envelope and header from? (Is Gmails DMARC check broken?)

2020-06-05 Thread Al Iverson via mailop
On Fri, Jun 5, 2020 at 6:14 PM Brandon Long wrote:

>> This is silly. Stop pushing this.
>>
>> If every Googler started posting from monksofcool.net then there would
>> grow, over time, a population of people who understood that this was a
>> Googler domain and those people could potentially be a prime spear
>> phishing target.
>
> The biggest hole will be for spear phishing, in fact, where another Googler
> is the target.

YEP. File under bad ideas. Sorry, Ralph, you're really on the wrong track here.

Al


-- 
Al Iverson // Wombatmail // Chicago
Song a day! https://www.wombatmail.com
Deliverability! https://spamresource.com
And DNS Tools too! https://xnnd.com



Re: [mailop] How to allow different domain in envelope and header from? (Is Gmails DMARC check broken?)

2020-06-05 Thread Brandon Long via mailop
On Fri, Jun 5, 2020 at 2:25 PM Al Iverson via mailop wrote:

> On Fri, Jun 5, 2020 at 2:41 PM Ralph Seichter via mailop wrote:
> >
> > * Brandon Long:
> >
> > > If we leave googlers.com open, then phishers are going to use it to
> > > send messages looking like [...] "secur...@googlers.com" and do what
> > > they do best.
> >
> > One solution to that is not to use "googlers.com", but to use a domain
> > name with no visible ties to a particular company. That's one reason I
> > use the likes of "monksofcool.net", where the only affiliation is with
> > the late and sorely missed Terry Pratchett.
> >
> > A humorous domain name like that gives phishers little incentive to
> > abuse it, and even if they do, who would believe a spoofed message to be
> > sent by some bank, institution or similar?
>
> This is silly. Stop pushing this.
>
> If every Googler started posting from monksofcool.net then there would
> grow, over time, a population of people who understood that this was a
> Googler domain and those people could potentially be a prime spear
> phishing target.
>

The biggest hole will be for spear phishing, in fact, where another Googler
is the target.

Brandon


Re: [mailop] How to allow different domain in envelope and header from? (Is Gmails DMARC check broken?)

2020-06-05 Thread Ralph Seichter via mailop
* Al Iverson via mailop:

> This is silly. Stop pushing this.

You may think it "silly", but that won't stop me from using and
promoting this method. It is a cheap and easy way to avoid existing
problems regarding mailing list use.

> If every Googler started posting from monksofcool.net then there would
> grow, over time, a population of people who understood that this was a
> Googler domain and those people could potentially be a prime spear
> phishing target.

Interesting assumption, but I'd like to see you prove that theory.

> The goal is to close the holes, not just shift them 2 feet to the
> left.

Feel free to design a better solution than DKIM/SPF/DMARC, then. Until
you do, see above.

-Ralph



Re: [mailop] How to allow different domain in envelope and header from? (Is Gmails DMARC check broken?)

2020-06-05 Thread Al Iverson via mailop
On Fri, Jun 5, 2020 at 2:41 PM Ralph Seichter via mailop wrote:
>
> * Brandon Long:
>
> > If we leave googlers.com open, then phishers are going to use it to
> > send messages looking like [...] "secur...@googlers.com" and do what
> > they do best.
>
> One solution to that is not to use "googlers.com", but to use a domain
> name with no visible ties to a particular company. That's one reason I
> use the likes of "monksofcool.net", where the only affiliation is with
> the late and sorely missed Terry Pratchett.
>
> A humorous domain name like that gives phishers little incentive to
> abuse it, and even if they do, who would believe a spoofed message to be
> sent by some bank, institution or similar?

This is silly. Stop pushing this.

If every Googler started posting from monksofcool.net then there would
grow, over time, a population of people who understood that this was a
Googler domain and those people could potentially be a prime spear
phishing target.

The goal is to close the holes, not just shift them 2 feet to the left.

Regards,
Al Iverson

-- 
Al Iverson // Wombatmail // Chicago
Song a day! https://www.wombatmail.com
Deliverability! https://spamresource.com
And DNS Tools too! https://xnnd.com



Re: [mailop] How to allow different domain in envelope and header from? (Is Gmails DMARC check broken?)

2020-06-05 Thread John Levine via mailop
In article 
,
Tobias Herkula via mailop  wrote:
>It is possible to do depending on the sacrifices you are willing to take:
>
>5321.MailFrom Domain = imp.ch
>5322.From Domain = breitband.ch
>5322.Sender Domain = imp.ch
>
>If you run with that you can set DKIM Domain to imp.ch and still send with
>breitband.ch in your From. And alignment should be fine.

Nope. DMARC looks at the From: header, not the Sender: or anything
else and that's what the SPF or a DKIM identity has to match. Perhaps
you're mis-remembering Sender ID.

-- 
Regards,
John Levine, jo...@taugh.com, Primary Perpetrator of "The Internet for Dummies",
Please consider the environment before reading this e-mail. https://jl.ly




Re: [mailop] How to allow different domain in envelope and header from? (Is Gmails DMARC check broken?)

2020-06-05 Thread Ralph Seichter via mailop
* Brandon Long:

> If we leave googlers.com open, then phishers are going to use it to
> send messages looking like [...] "secur...@googlers.com" and do what
> they do best.

One solution to that is not to use "googlers.com", but to use a domain
name with no visible ties to a particular company. That's one reason I
use the likes of "monksofcool.net", where the only affiliation is with
the late and sorely missed Terry Pratchett.

A humorous domain name like that gives phishers little incentive to
abuse it, and even if they do, who would believe a spoofed message to be
sent by some bank, institution or similar?

> People spoofing your personal domain aren't likely to be trying to
> reap millions of US dollars from your customers.

Maybe one day... :-) I have more of an SMB perspective on these issues,
rather than global corporation.

> Which maybe means only that we're in violent agreement, different
> domains are going to have different issues and make different
> decisions.

Yes, quite so. Understanding the mechanics, possibilities and risks is
what it is all about. I wanted to clarify what works reliably for my
personal requirements (and for my customers).

-Ralph



Re: [mailop] How to allow different domain in envelope and header from? (Is Gmails DMARC check broken?)

2020-06-05 Thread Brandon Long via mailop
On Thu, Jun 4, 2020 at 4:16 PM Ralph Seichter via mailop wrote:

> * Brandon Long:
>
> >> I recommend using separate domains, or subdomains, for regular
> >> business and for mailing lists [...]
> >
> > Why?
>
> Because something is definitely wrong if an email from ra...@mycorp.com
> (an address only used for business) fails SPF or DKIM checks, and I'd
> like to know about that.
>
> Mail from ra...@ml.mycorp.com however, an address only used for mailing
> lists but not for business, can fail these checks due to sub-optimal ML
> software setups or other reasons, and it does not worry me much.
>
> > For one, I'm not sure what you're recommending, either:
> > 1) Host mailing lists on a separate domain
> > 2) Send mail to mailing lists on a separate domain
>
> Both, actually. I host mailing lists as well, and continuing the example
> above, they use the domain lists.mycorp.com.
>
> > We played with that a bit when we were first rolling out DMARC
> > predecessor, adding a googlers.com domain. Ultimately, we decided
> > that leaving a domain open that can be spoofed defeats the purpose of
> > DMARC.
>
> I cannot speak for others, but a sender address like al...@google.com or
> b...@microsoft.com does not normally signal "the author is more competent
> or important than others" to me. This particular mailing list may be an
> exception, but generally speaking, I don't usually care who somebody
> works for, as long as his/her ML contributions are solid. That's why, in
> the ML context, I don't see spoofing as much of a threat and am content
> with using a (sub)domain with a "p=none" DMARC policy.
>

The problem isn't internal folks posting to mailing lists, the problem is
that anyone can use the unprotected domain to spoof messages to anyone else.

If we leave googlers.com open, then phishers are going to use it to send
messages looking like "accou...@googlers.com" or "secur...@googlers.com" and
do what they do best.  "secur...@lists.google.com" is the same thing.

> > everything is a continuum and everyone needs to understand and make
> > the right choices for them.
>
> DMARC and its underlying mechanisms indeed have shortcomings, and my
> recommendation helps to circumvent these. There are mailing lists like
> postfix-users which wisely don't break DKIM sigs, and there are others
> that consider subject prefixes and body footers more important. For me,
> using separate (sub)domains is a working solution, and a cheap one at
> that. Right now I use a private domain, because I am speaking only for
> myself, but if I need to subscribe to a ML where I represent my company,
> a subdomain will do for me.
>

People spoofing your personal domain aren't likely to be trying to reap
millions of US dollars from your customers.

Which maybe means only that we're in violent agreement, different domains
are going to have different issues and make different decisions.

Brandon


Re: [mailop] How to allow different domain in envelope and header from? (Is Gmails DMARC check broken?)

2020-06-05 Thread Tobias Herkula via mailop
It is possible to do depending on the sacrifices you are willing to take:

5321.MailFrom Domain = imp.ch
5322.From Domain = breitband.ch
5322.Sender Domain = imp.ch

If you run with that you can set DKIM Domain to imp.ch and still send with 
breitband.ch in your From. And alignment should be fine.

But you will get the "via" Tag in compatible MUAs...

Kind regards,

/ Tobias Herkula
Manager Detection Anti Spam
Cyren (Berlin)



From: mailop on behalf of Benoît Panizzon via mailop
Sent: Thursday, June 4, 2020 12:06
To: mailop@mailop.org
Subject: [mailop] How to allow different domain in envelope and header from? (Is Gmails DMARC check broken?)

Hi Gang

Thanks for the various feedback, learning a lot :-) I found one issue
caused by domain alignment in DMARC.

We use two domains:

imp.ch (our company)
breitband.ch (our service brand)

Our Support Case System (RT/3) uses a globally configured envelope sender:
 but depending on the Queue, a different Header From:
supp...@breitband.ch

Did I get this right? This is not possible anymore when a DMARC
entry is published? The envelope sender domain and From: domain MUST be
aligned and in the case of 'strict' match, be identical and for
'relaxed' match may contain a subdomain?

There is no way to have different envelope and from domains?

I guess many ESPs sending newsletters do the same, put their bounce
processor in the envelope from and a customer supplied From: Address
into the header.

--
Kind regards

-Benoît Panizzon- @ home office and reachable as usual
--
I m p r o W a r e   A G             -   Head of Commerce Customers
__

Zurlindenstrasse 29                     Tel  +41 61 826 93 00
CH-4133 Pratteln                        Fax  +41 61 826 93 01
Switzerland                             Web  http://www.imp.ch
__



Re: [mailop] How to allow different domain in envelope and header from? (Is Gmails DMARC check broken?)

2020-06-05 Thread Benoît Panizzon via mailop
> Using DMARC p=reject without DKIM is broken anyway. You cannot control
> how or where your recipients forward their email (and I promise you
> many of them forward it to Gmail from IP addresses that are not in
> your SPF record).

Yes this is why SRS is being used to re-write the envelope sender...

...which in turn probably breaks DMARC domain alignment I guess.

-- 
Kind regards

-Benoît Panizzon- @ home office and reachable as usual
-- 
I m p r o W a r e   A G             -   Head of Commerce Customers
__

Zurlindenstrasse 29                     Tel  +41 61 826 93 00
CH-4133 Pratteln                        Fax  +41 61 826 93 01
Switzerland                             Web  http://www.imp.ch
__



Re: [mailop] How to allow different domain in envelope and header from? (Is Gmails DMARC check broken?)

2020-06-04 Thread Ralph Seichter via mailop
* Brandon Long:

>> I recommend using separate domains, or subdomains, for regular
>> business and for mailing lists [...]
>
> Why?

Because something is definitely wrong if an email from ra...@mycorp.com
(an address only used for business) fails SPF or DKIM checks, and I'd
like to know about that.

Mail from ra...@ml.mycorp.com however, an address only used for mailing
lists but not for business, can fail these checks due to sub-optimal ML
software setups or other reasons, and it does not worry me much.

> For one, I'm not sure what you're recommending, either:
> 1) Host mailing lists on a separate domain
> 2) Send mail to mailing lists on a separate domain

Both, actually. I host mailing lists as well, and continuing the example
above, they use the domain lists.mycorp.com.

> We played with that a bit when we were first rolling out DMARC
> predecessor, adding a googlers.com domain. Ultimately, we decided
> that leaving a domain open that can be spoofed defeats the purpose of
> DMARC.

I cannot speak for others, but a sender address like al...@google.com or
b...@microsoft.com does not normally signal "the author is more competent
or important than others" to me. This particular mailing list may be an
exception, but generally speaking, I don't usually care who somebody
works for, as long as his/her ML contributions are solid. That's why, in
the ML context, I don't see spoofing as much of a threat and am content
with using a (sub)domain with a "p=none" DMARC policy.

> everything is a continuum and everyone needs to understand and make
> the right choices for them.

DMARC and its underlying mechanisms indeed have shortcomings, and my
recommendation helps to circumvent these. There are mailing lists like
postfix-users which wisely don't break DKIM sigs, and there are others
that consider subject prefixes and body footers more important. For me,
using separate (sub)domains is a working solution, and a cheap one at
that. Right now I use a private domain, because I am speaking only for
myself, but if I need to subscribe to a ML where I represent my company,
a subdomain will do for me.

YMMV, of course, and any person who runs mail servers indeed needs to
understand what they are doing.

-Ralph



Re: [mailop] How to allow different domain in envelope and header from? (Is Gmails DMARC check broken?)

2020-06-04 Thread Eric Tykwinski via mailop
Yeah, I agree on the split domain, we’ve had enough trouble with customers
getting fooled with off domains.
IE F1SERV.COM instead of fiserv.com, et al… There’s enough there in the font
specification that I know most coders still trying to find their own font of
choice.

PS. I use Bespin coloring, and Dejavu font.
https://www.fontsquirrel.com/fonts/dejavu-sans-mono 

https://wiki.mozilla.org/Labs/Bespin/UserGuide 


Sincerely,

Eric Tykwinski
TrueNet, Inc.
P: 610-429-8300

> On Jun 4, 2020, at 6:36 PM, Brandon Long via mailop wrote:
>
> On Thu, Jun 4, 2020 at 8:28 AM Ralph Seichter via mailop wrote:
> * John Levine via mailop:
> 
> > Mailing lists have only been adding subject tags since the 1980s.
> 
> I do not wish to delve into whether these tags are useful or not, but
> rewriting subjects or bodies invalidates existing DKIM signatures.
> 
> I recommend using separate domains, or subdomains, for regular business
> and for mailing lists, combined with separate DMARC policies, e.g.
> 'quarantine' for example.org and 'none' for
> mlists.example.org.
> 
> Why? 
> 
> For one, I'm not sure what you're recommending, either:
> 1) Host mailing lists on a separate domain
> 2) Send mail to mailing lists on a separate domain 
> 
> If you're recommending #1, sure, there are benefits to that, though it's 
> clearly not strictly necessary.  Having a different DMARC policy
> for the mailing list domain isn't that useful since the mailing list sends 
> very few messages "from" the mailing list (slightly more in the case of 
> 5322.From header rewriting, of course).  It's also usually a fairly 
> controlled domain only used for the mailing list software, so making sure the 
> SPF and DKIM are correct is pretty trivial, so the looser DMARC setting 
> doesn't seem to make much sense.
> 
> If you're talking about #2, I probably wouldn't recommend that breakdown, but 
> I do know folks who have split domains for the "product" and the employees, 
> ie yahoo.com vs yahoo-corp.com,
> foo.net vs foo.com, etc.  We played with
> that a bit when we were first rolling out DMARC predecessor, adding a 
> googlers.com  domain.  Ultimately, we decided that 
> leaving a domain open that can be spoofed defeats the purpose of DMARC.  I 
> mean, it also points to the ultimate problem with DMARC, which is people fall 
> for phishing even from non-exact or even completely wrong domains, so all of 
> this is just about moving the needle and not SOLVING THE PROBLEM ONCE AND FOR 
> ALL, so everything is a continuum and everyone needs to understand and make 
> the right choices for them.
> 
> Brandon



Re: [mailop] How to allow different domain in envelope and header from? (Is Gmails DMARC check broken?)

2020-06-04 Thread Brandon Long via mailop
On Thu, Jun 4, 2020 at 8:28 AM Ralph Seichter via mailop wrote:

> * John Levine via mailop:
>
> > Mailing lists have only been adding subject tags since the 1980s.
>
> I do not wish to delve into whether these tags are useful or not, but
> rewriting subjects or bodies invalidates existing DKIM signatures.
>
> I recommend using separate domains, or subdomains, for regular business
> and for mailing lists, combined with separate DMARC policies, e.g.
> 'quarantine' for example.org and 'none' for mlists.example.org.
>

Why?

For one, I'm not sure what you're recommending, either:
1) Host mailing lists on a separate domain
2) Send mail to mailing lists on a separate domain

If you're recommending #1, sure, there are benefits to that, though it's
clearly not strictly necessary.  Having a different DMARC policy
for the mailing list domain isn't that useful since the mailing list sends
very few messages "from" the mailing list (slightly more in the case of
5322.From header rewriting, of course).  It's also usually a fairly
controlled domain only used for the mailing list software, so making sure
the SPF and DKIM are correct is pretty trivial, so the looser DMARC setting
doesn't seem to make much sense.

If you're talking about #2, I probably wouldn't recommend that breakdown,
but I do know folks who have split domains for the "product" and the
employees, ie yahoo.com vs yahoo-corp.com, foo.net vs foo.com, etc.  We
played with that a bit when we were first rolling out DMARC predecessor,
adding a googlers.com domain.  Ultimately, we decided that leaving a domain
open that can be spoofed defeats the purpose of DMARC.  I mean, it also
points to the ultimate problem with DMARC, which is people fall for
phishing even from non-exact or even completely wrong domains, so all of
this is just about moving the needle and not SOLVING THE PROBLEM ONCE AND
FOR ALL, so everything is a continuum and everyone needs to understand and
make the right choices for them.

Brandon


Re: [mailop] How to allow different domain in envelope and header from? (Is Gmails DMARC check broken?)

2020-06-04 Thread John Levine via mailop
In article <871rmukg4q@wedjat.horus-it.com> you write:
>* John Levine via mailop:
>
>> Mailing lists have only been adding subject tags since the 1980s.
>
>I do not wish to delve into whether these tags are useful or not, but
>rewriting subjects or bodies invalidates existing DKIM signatures.

Yes, we knew that 15 years ago when we published the DKIM specs.

>I recommend using separate domains, or subdomains, for regular business
>and for mailing lists, combined with separate DMARC policies, e.g.
>'quarantine' for example.org and 'none' for mlists.example.org.

I agree that it is not a great idea to mix mailing lists and other
correspondence in the same domain. It is equally a bad idea to mix
mailboxes used by actual people and role addresses that send bulk mail.




Re: [mailop] How to allow different domain in envelope and header from? (Is Gmails DMARC check broken?)

2020-06-04 Thread Alan Hodgson via mailop
On Thu, 2020-06-04 at 13:36 +0200, Benoît Panizzon via mailop wrote:
> 
> So I guess using only SPF and DMARC with a reject policy will not work
> if the envelope sender and from domain do not align.

Using DMARC p=reject without DKIM is broken anyway. You cannot control
how or where your recipients forward their email (and I promise you many
of them forward it to Gmail from IP addresses that are not in your SPF
record).


Re: [mailop] How to allow different domain in envelope and header from? (Is Gmails DMARC check broken?)

2020-06-04 Thread Ralph Seichter via mailop
* John Levine via mailop:

> Mailing lists have only been adding subject tags since the 1980s.

I do not wish to delve into whether these tags are useful or not, but
rewriting subjects or bodies invalidates existing DKIM signatures.

I recommend using separate domains, or subdomains, for regular business
and for mailing lists, combined with separate DMARC policies, e.g.
'quarantine' for example.org and 'none' for mlists.example.org.

-Ralph



Re: [mailop] How to allow different domain in envelope and header from? (Is Gmails DMARC check broken?)

2020-06-04 Thread Laura Atkins via mailop


> On 4 Jun 2020, at 12:36, Benoît Panizzon wrote:
> 
> Hi Laura
> 
>> It is possible, if you are signing with a DKIM d= of the domain in
>> the 5321.from address. 
> 
> We use only SPF at the moment. There are many systems which send emails
> to 'external' recipients with the @imp.ch domain. It would take some
> time to find ways to deploy DKIM in this very mixed environment.
> 
> So I guess using only SPF and DMARC with a reject policy will not work
> if the envelope sender and from domain do not align.

Alignment is the underlying DMARC mechanism. No alignment == no DMARC. 

laura 

-- 
Having an Email Crisis?  We can help! 800 823-9674 

Laura Atkins
Word to the Wise
la...@wordtothewise.com
(650) 437-0741  

Email Delivery Blog: https://wordtothewise.com/blog 









Re: [mailop] How to allow different domain in envelope and header from? (Is Gmails DMARC check broken?)

2020-06-04 Thread John Levine via mailop
In article <20200604112224.gt65...@symphytum.spacehopper.org> you write:
>On 2020/06/04 12:05, Andrew C Aitchison via mailop wrote:
>> On Thu, 4 Jun 2020, Benoît Panizzon via mailop wrote:
>> 
>> [ Not replying to the list as this may be off topic,
>>   but you are welcome to bring it back on list if you wish. ]
>
>Unfortunately this is one of those mailing lists using modern software
>that messes with From headers so that doesn't always go so well :)

Good point.  Mailing lists have only been adding subject tags since the 1980s.




Re: [mailop] How to allow different domain in envelope and header from? (Is Gmails DMARC check broken?)

2020-06-04 Thread John Levine via mailop
In article <20200604133652.13ea3...@chewbacca.woody.ch> you write:
>So I guess using only SPF and DMARC with a reject policy will not work
>if the envelope sender and from domain do not align.

If you can't reliably sign with a DKIM signature that matches the
From: domain, and you care if your mail gets delivered, you will be
very sad if you publish any DMARC policy other than p=none.

DMARC is not a magic bullet for all mail. It's an anti-phishing tool
designed for senders with specific mail profiles, and a big part of
the profile is being able to authenticate all of your mail in the
limited ways that DMARC handles.






Re: [mailop] How to allow different domain in envelope and header from? (Is Gmails DMARC check broken?)

2020-06-04 Thread Ken O'Driscoll via mailop
On Thu, 2020-06-04 at 12:06 +0200, Benoît Panizzon via mailop wrote:
> Our Support Case System (RT/3) uses a global configured envelope
> sender: but depending on the Queue, a different
> Header From:supp...@breitband.ch

We use RT too and same problem if a queue is whitelabeled to use a
client domain for outsourced support. One kludge is to get the MTA to
re-write the 5321.From (site-wide return-path) based on the 5322.From
(queue From) for outbound and, to keep the bounce processor happy,
reverse it back to the site-wide one for inbound emails. There is
obviously a DNS component too which I'm not getting into.

Ken.


Re: [mailop] How to allow different domain in envelope and header from? (Is Gmails DMARC check broken?)

2020-06-04 Thread Benoît Panizzon via mailop
Hi Laura

> It is possible, if you are signing with a DKIM d= of the domain in
> the 5321.from address. 

We use only SPF at the moment. There are many systems which send emails
to 'external' recipients with the @imp.ch domain. It would take some
time to find ways to deploy DKIM in this very mixed environment.

So I guess using only SPF and DMARC with a reject policy will not work
if the envelope sender and from domain do not align.

-- 
Kind regards

-Benoît Panizzon- @ home office and reachable as usual
-- 
I m p r o W a r e   A G             -   Head of Commerce Customers
__

Zurlindenstrasse 29                     Tel  +41 61 826 93 00
CH-4133 Pratteln                        Fax  +41 61 826 93 01
Switzerland                             Web  http://www.imp.ch
__



Re: [mailop] How to allow different domain in envelope and header from? (Is Gmails DMARC check broken?)

2020-06-04 Thread Stuart Henderson via mailop
On 2020/06/04 12:05, Andrew C Aitchison via mailop wrote:
> On Thu, 4 Jun 2020, Benoît Panizzon via mailop wrote:
> 
> [ Not replying to the list as this may be off topic,
>   but you are welcome to bring it back on list if you wish. ]

Unfortunately this is one of those mailing lists using modern software
that messes with From headers so that doesn't always go so well :)




Re: [mailop] How to allow different domain in envelope and header from? (Is Gmails DMARC check broken?)

2020-06-04 Thread Andrew C Aitchison via mailop

On Thu, 4 Jun 2020, Benoît Panizzon via mailop wrote:

[ Not replying to the list as this may be off topic,
  but you are welcome to bring it back on list if you wish. ]


> Hi Gang
>
> Thanks for the various feedback, learning a lot :-) I found one issue
> caused by domain alignment in DMARC.


Looking at the header of that email I noticed two other things, which
may not be relevant but do not look good:

Received: from thor.imp.ch ([157.161.4.18])
  by chilli.nosignal.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256)
  (Exim 4.84_2) (envelope-from ) id 1jgmmY-0005st-DM
  for mailop@mailop.org; Thu, 04 Jun 2020 11:07:36 +0100
Received: from chewbacca.woody.ch (wotan0.imp.ch [157.161.4.49])
  by thor.imp.ch (8.15.2/8.13.3) with ESMTPS id 054A6DNL098412
  version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NO)
  for ; Thu, 4 Jun 2020 12:06:13 +0200 (CEST)
  (envelope-from benoit.paniz...@imp.ch)
X-Authentication-Warning: thor.imp.ch: Host wotan0.imp.ch [157.161.4.49]
  claimed to be chewbacca.woody.ch
Date: Thu, 4 Jun 2020 12:06:12 +0200
To: mailop@mailop.org

1. Exim 4.84_2 was released in March 2016.
The current release is 4.94 (warning: that has changes that mean you
*will* need to edit your exim config ...).

2. X-Authentication-Warning: ...
If your servers don't fully trust your machines ...
(I see that chewbacca.woody.ch is IPv6 only).

--
Andrew C. Aitchison Kendal, UK
and...@aitchison.me.uk


Re: [mailop] How to allow different domain in envelope and header from? (Is Gmails DMARC check broken?)

2020-06-04 Thread Laura Atkins via mailop


> On 4 Jun 2020, at 11:06, Benoît Panizzon via mailop wrote:
> 
> Hi Gang
> 
> Thanks for the various feedback, learning a lot :-) I found one issue
> caused by domain alignment in DMARC.
> 
> We use two domains:
> 
> imp.ch (our company)
> breitband.ch (our service brand)
> 
> Our Support Case System (RT/3) uses a globally configured envelope sender:
>  but depending on the Queue, a different Header From:
> supp...@breitband.ch
> 
> Did I get this right? This is not possible anymore when a DMARC
> entry is published?

It is possible, if you are signing with a DKIM d= of the domain in the 
5321.from address. 

> The envelope sender domain and From: domain MUST be
> aligned and in the case of 'strict' match, be identical and for
> 'relaxed' match may contain a subdomain?

If you are relying solely on SPF authentication for DMARC then the 5321.from 
and the 5322.from need to be in the same domain. If you have a strict match 
designated in your DMARC record then the domains must match exactly. 

> There is no way to have different envelope and from domains?

You can have, and many senders do, have different envelope and from domains. In 
this case they’re either not authenticating the 5322.from with DMARC or they 
are relying on DKIM alignment for DMARC.

> I guess many ESPs sending newsletters do the same, put their bounce
> processor in the envelope from and a customer supplied From: Address
> into the header.

There are different approaches ESPs use. But DMARC authentication can happen 
with DKIM *or* SPF passing and aligning. Many ESPs also have the customer use 
their own domain in the 5321.from, and then point that at their bounce 
handlers. 

laura

-- 
Having an Email Crisis?  We can help! 800 823-9674 

Laura Atkins
Word to the Wise
la...@wordtothewise.com
(650) 437-0741  

Email Delivery Blog: https://wordtothewise.com/blog 







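A small model of the alignment rule this thread settles on (the From: domain must align with a passing SPF or DKIM identity, and Sender: is never consulted), covering Benoît's RT case with and without DKIM, Tobias's 5322.Sender suggestion and John Levine's correction of it, the SRS-forwarding case raised by Alan and Benoît, and the strict/relaxed subdomain question. This is an added example, not code from any poster; the public-suffix set and the forwarder domain fwd.example are constructed stand-ins.

```python
from dataclasses import dataclass, field
from typing import Optional

# Constructed stand-in for the Public Suffix List; real code must load the PSL.
PUBLIC_SUFFIXES = {"ch", "com", "net", "org", "co.uk"}


def organizational_domain(domain: str) -> str:
    """Registrable domain used by relaxed alignment, e.g. ml.mycorp.com -> mycorp.com."""
    labels = domain.lower().rstrip(".").split(".")
    for i in range(len(labels) - 1):
        if ".".join(labels[i + 1:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[i:])
    return domain.lower()


def aligned(from_domain: str, auth_domain: str, mode: str) -> bool:
    """Identifier alignment: 's' (strict) needs an exact match, 'r' (relaxed)
    accepts any domain that shares the organizational domain (a subdomain)."""
    if mode == "s":
        return from_domain.lower() == auth_domain.lower()
    if mode == "r":
        return organizational_domain(from_domain) == organizational_domain(auth_domain)
    raise ValueError(f"unknown alignment mode {mode!r}")


@dataclass
class Message:
    rfc5322_from: str                  # header From: domain, the only DMARC identifier
    rfc5321_mailfrom: str              # envelope MAIL FROM domain, the SPF identity
    spf_pass: bool                     # SPF verdict for the connecting IP
    dkim_pass_domains: list[str] = field(default_factory=list)  # d= of verified signatures
    rfc5322_sender: Optional[str] = None  # Sender: header; present only to show it is ignored


@dataclass
class DmarcRecord:
    p: str = "none"   # policy: none | quarantine | reject
    adkim: str = "r"  # DKIM alignment mode
    aspf: str = "r"   # SPF alignment mode


def evaluate(msg: Message, rec: DmarcRecord) -> dict:
    """DMARC passes if SPF or DKIM passes *and* that identity aligns with From:.
    rfc5322_sender is deliberately never read: DMARC ignores the Sender: header."""
    spf_aligned = msg.spf_pass and aligned(msg.rfc5322_from, msg.rfc5321_mailfrom, rec.aspf)
    dkim_aligned = any(aligned(msg.rfc5322_from, d, rec.adkim) for d in msg.dkim_pass_domains)
    passed = spf_aligned or dkim_aligned
    return {
        "spf_aligned": spf_aligned,
        "dkim_aligned": dkim_aligned,
        "result": "pass" if passed else "fail",
        "disposition": "none" if passed else rec.p,  # what a receiver would apply
    }


def thread_scenarios() -> dict:
    """The cases discussed in the thread, with constructed inputs."""
    reject = DmarcRecord(p="reject")
    # RT queue mail: envelope imp.ch, From: breitband.ch, SPF only, Sender: imp.ch.
    rt = Message("breitband.ch", "imp.ch", spf_pass=True, rfc5322_sender="imp.ch")
    # The same message once the outbound MTA also signs with d=breitband.ch.
    rt_dkim = Message("breitband.ch", "imp.ch", spf_pass=True,
                      dkim_pass_domains=["breitband.ch"], rfc5322_sender="imp.ch")
    # Mail forwarded to another provider: SRS rewrote MAIL FROM to the forwarder's
    # domain (fwd.example is constructed), so SPF passes there but no longer aligns.
    fwd = Message("imp.ch", "fwd.example", spf_pass=True)
    fwd_dkim = Message("imp.ch", "fwd.example", spf_pass=True, dkim_pass_domains=["imp.ch"])
    # Mailing-list subdomain as envelope sender: relaxed aspf accepts it, strict does not.
    sub = Message("mycorp.com", "ml.mycorp.com", spf_pass=True)
    return {
        "rt_spf_only": evaluate(rt, reject),
        "rt_with_dkim": evaluate(rt_dkim, reject),
        "forwarded_srs_no_dkim": evaluate(fwd, reject),
        "forwarded_srs_with_dkim": evaluate(fwd_dkim, reject),
        "subdomain_relaxed": evaluate(sub, DmarcRecord(aspf="r")),
        "subdomain_strict": evaluate(sub, DmarcRecord(aspf="s")),
    }


if __name__ == "__main__":
    for name, verdict in thread_scenarios().items():
        print(f"{name:26} {verdict}")
```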


[mailop] How to allow different domain in envelope and header from? (Is Gmails DMARC check broken?)

2020-06-04 Thread Benoît Panizzon via mailop
Hi Gang

Thanks for the various feedback, learning a lot :-) I found one issue
caused by domain alignment in DMARC.

We use two domains:

imp.ch (our company)
breitband.ch (our service brand)

Our Support Case System (RT/3) uses a globally configured envelope sender:
 but depending on the Queue, a different Header From:
supp...@breitband.ch

Did I get this right? This is not possible anymore when a DMARC
entry is published? The envelope sender domain and From: domain MUST be
aligned and in the case of 'strict' match, be identical and for
'relaxed' match may contain a subdomain?

There is no way to have different envelope and from domains?

I guess many ESPs sending newsletters do the same, put their bounce
processor in the envelope from and a customer supplied From: Address
into the header.

-- 
Kind regards

-Benoît Panizzon- @ home office and reachable as usual
-- 
I m p r o W a r e   A G             -   Head of Commerce Customers
__

Zurlindenstrasse 29                     Tel  +41 61 826 93 00
CH-4133 Pratteln                        Fax  +41 61 826 93 01
Switzerland                             Web  http://www.imp.ch
__
