Re: [mailop] Is Gmails DMARC check broken?

2020-06-03 Thread Brandon Long via mailop
Really, the HELO fallback is for bounces where the MAIL FROM argument is
empty, so it falls back to the HELO argument domain.  If your bounces have
a 5322.From that's dmarc'd, you need to either DKIM sign it, or have an SPF
record for your HELO and they match.

Brandon

On Wed, Jun 3, 2020 at 6:48 AM Ken O'Driscoll via mailop wrote:

> On Wed, 2020-06-03 at 14:15 +0200, Benoit Panizzon via mailop wrote:
> > > and I guess the domain in the HELO too?
> >
> > the HELO contains the FQDN of the sending machine which is
> > not the same as the domain of the envelope sender or From: Header.
> >
> > The HELO needing to match anything for DMARC or SPF would be quite new
> > to me.
>
> The FQDN used in the HELO being part of SPF tests is nothing new at all.
>
> If you are using sub-domains of the 5322.From domain in the 5321.From or
> SMTP HELO then those sub-domains need to have their own individual SPF
> records too. For example, if they are single servers then "v=spf1 +a -all"
> is a simple option.
>
> So in the absence of DKIM, even when using an enforcing DMARC policy with
> relaxed SPF alignment ("aspf=r"), a message will fail the DMARC test if
> sub-domains of the 5322.From are used in the 5321.From and/or SMTP HELO and
> they do not have any (compliant) SPF records.
>
> If you could share the specific FQDN values you are using it would greatly
> help in helping you.
>
> Ken.
___
mailop mailing list
mailop@mailop.org
https://chilli.nosignal.org/cgi-bin/mailman/listinfo/mailop


Re: [mailop] Is Gmails DMARC check broken?

2020-06-03 Thread Ken O'Driscoll via mailop
On Wed, 2020-06-03 at 14:15 +0200, Benoit Panizzon via mailop wrote:
> > and I guess the domain in the HELO too?
> 
> the HELO contains the FQDN of the sending machine which is
> not the same as the domain of the envelope sender or From: Header.
> 
> The HELO needing to match anything for DMARC or SPF would be quite new
> to me.

The FQDN used in the HELO being part of SPF tests is nothing new at
all.

If you are using sub-domains of the 5322.From domain in the 5321.From
or SMTP HELO then those sub-domains need to have their own individual
SPF records too. For example, if they are single servers then "v=spf1
+a -all" is a simple option.

So in the absence of DKIM, even when using an enforcing DMARC policy
with relaxed SPF alignment ("aspf=r"), a message will fail the DMARC
test if sub-domains of the 5322.From are used in the 5321.From and/or
SMTP HELO and they do not have any (compliant) SPF records.

If you could share the specific FQDN values you are using it would
greatly help in helping you.

Ken. 


Re: [mailop] Is Gmails DMARC check broken?

2020-06-03 Thread Benoit Panizzon via mailop
Hi Laura

> Why is Google applying a strict reject when the policy is p=none?

I think I mentioned that I reverted back to p=none quickly after I saw
such rejects. TTL is 300 :-)

-- 
-Benoît Panizzon-
I m p r o W a r e   A G - Leiter Commerce Kunden
Zurlindenstrasse 29    Tel  +41 61 826 93 00
CH-4133 Pratteln       Fax  +41 61 826 93 01
Schweiz                Web  http://www.imp.ch



Re: [mailop] Is Gmails DMARC check broken?

2020-06-03 Thread Benoit Panizzon via mailop
Hi Tim

> and I guess the domain in the HELO too?

the HELO contains the FQDN of the sending machine which is
not the same as the domain of the envelope sender or From: Header.

The HELO needing to match anything for DMARC or SPF would be quite new
to me.

-- 
-Benoît Panizzon-



Re: [mailop] Is Gmails DMARC check broken?

2020-06-02 Thread Kurt Andersen (b) via mailop
Leaving aside the discussion about Gmail specifics (which has been
adequately answered by others)...

On Tue, Jun 2, 2020 at 8:08 AM Benoit Panizzon via mailop wrote:

>
> So at the moment I'm only using DMARC with SPF. According to my
> reading on how DMARC works, if no DKIM record is published, a passing
> SPF record is sufficient for authentication.
>

SPF alone is sufficient for DMARC authentication regardless of whether or
not you publish (or use) DKIM records and signatures.

The rule is "SPF or DKIM", not "SPF xor DKIM" or "SPF and DKIM" (in a
boolean logic way) - presuming alignment rules are met in all cases.

--Kurt


Re: [mailop] Is Gmails DMARC check broken?

2020-06-02 Thread John R Levine via mailop

In article <947f2235-ae10-47b5-90cd-f096d5648...@wordtothewise.com> you write:
> Why is Google applying a strict reject when the policy is p=none?

It is my understanding that Google requires all IPv6 mail to be SPF or
DKIM authenticated with or without DMARC.

The "aspf=s" is probably the reason since the mail servers have names
in three Gaullish subdomains of imp.ch and I doubt those domains are
on the From: line of mail.

Beyond that I'm also wondering if the /32 in the SPF record is too big
and smells too close to +all.  The MTAs are all in the same /64 so put
that in the SPF record.


Re: [mailop] Is Gmails DMARC check broken?

2020-06-02 Thread Brandon Long via mailop
Gmail does not require DKIM for DMARC.  Using only SPF works according to
the spec.

If people really want to shoot themselves in the foot by only using SPF
with DMARC, we let them.

If you don't have the dmarc reject, you can see the messages that are
delivered and see the AuthRes headers to see what we thought of the message.
All things being equal, I'd guess it's alignment...

Actually, not only is it alignment, but you're sending from a sub-domain,
which for SPF requires that there is an SPF record on the sub-domain (there
is no look at the higher domain like with DMARC).  Google will calculate a
"zone" SPF in this case, but that fallback isn't used for DMARC because
that's not part of the spec.

Brandon

On Tue, Jun 2, 2020 at 8:08 AM Benoit Panizzon via mailop wrote:

> Hi Gang
>
> I'm on the way of more widely deploying DMARC and also testing DKIM
> once again. Also on our ISP email service domains.
>
> So at the moment I'm only using DMARC with SPF. According to my
> reading on how DMARC works, if no DKIM record is published, a passing
> SPF record is sufficient for authentication.
>
> But as soon as I set p=reject Gmail is rejecting all emails:
>
> : host aspmx.l.google.com[2a00:1450:4013:c04::1a] said:
> 550-5.7.26 Unauthenticated email from imp.ch is not accepted due to
> domain's 550-5.7.26 DMARC policy. Please contact the administrator of
> imp.ch domain if 550-5.7.26 this was a legitimate mail. Please visit
> 550-5.7.26  https://support.google.com/mail/answer/2451690 to learn
> about
> the 550 5.7.26 DMARC initiative. i4si1617970edq.200 - gsmtp (in reply
> to
> end of DATA command)
>
> imp.ch descriptive text "v=spf1 ip6:2001:4060::/32 ip4:157.161.0.0/16 ip4:
> 217.173.238.128/27 ip6:2a00:ec0:1::/64 -all"
>
> _DMARC.imp.ch descriptive text "v=DMARC1; p=none; rua=mailto:
> dmarc-rep...@imp.ch; ruf=mailto:dmarc-rep...@imp.ch; aspf=s"
> (reverted to p=none)
>
> That email was sent from: 2001:4060:1:1002::139:139 which passes SPF.
>
> Any idea what is going wrong? Is Gmail's DMARC implementation broken
> and REQUIRES DKIM violating RFC?
>
> Mit freundlichen Grüssen
>
> -Benoît Panizzon-
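The replies in this thread spell out four rules that are easy to get wrong when deploying DMARC with SPF only: Kurt's "SPF or DKIM" (either one, as long as it aligns), Ken's strict-versus-relaxed alignment under aspf=, Brandon's point above that SPF has no parent-domain lookup so a sending sub-domain needs its own record, and the HELO fallback for an empty MAIL FROM that Brandon describes in his 3 June reply. The Python below is an added example for this page, not code from any poster or from Gmail, that models those rules end to end. The zone data, host names and addresses are constructed; SPF handling covers only the ip4/ip6/a/all mechanisms, and the organizational domain is approximated as the last two labels (real implementations consult the Public Suffix List).

```python
"""Toy DMARC evaluator: SPF (with HELO fallback) or DKIM, plus alignment.

Constructed for this page; not code from any poster or from Gmail. Zone
data, hosts and addresses are invented. SPF covers only ip4/ip6/a/all, and
the organizational domain is approximated as the last two labels.
"""
import ipaddress

# Constructed DNS zone: name -> {record type: value}.
ZONE = {
    "example.com": {"TXT": "v=spf1 ip6:2001:db8::/32 -all"},
    "_dmarc.example.com": {"TXT": "v=DMARC1; p=reject; aspf=r"},
    # mx1 sits inside the parent's /32 but publishes no SPF record of its own
    "mx1.example.com": {"AAAA": "2001:db8:1::25"},
    # mx2 publishes the per-host record suggested in the thread
    "mx2.example.com": {"AAAA": "2001:db8:2::25", "TXT": "v=spf1 +a -all"},
    # example.org demands strict SPF alignment
    "_dmarc.example.org": {"TXT": "v=DMARC1; p=reject; aspf=s"},
    "mx.example.org": {"AAAA": "2001:db8:9::25", "TXT": "v=spf1 +a -all"},
}

RESULT_FOR_QUALIFIER = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def parse_tags(record):
    """Split a 'k=v; k=v' DMARC record into a dict."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip()] = value.strip()
    return tags


def org_domain(name):
    """Organizational domain, approximated as the last two labels."""
    return ".".join(name.lower().rstrip(".").split(".")[-2:])


def check_spf(ip, domain):
    """Evaluate the SPF record published at `domain` for sending address `ip`.

    SPF has no inheritance from the parent zone, so a subdomain without its
    own record returns 'none' even if the parent's record would match.
    """
    record = ZONE.get(domain, {}).get("TXT", "")
    if not record.startswith("v=spf1"):
        return "none"
    addr = ipaddress.ip_address(ip)
    for term in record.split()[1:]:
        qualifier = "+"
        if term[0] in RESULT_FOR_QUALIFIER:
            qualifier, term = term[0], term[1:]
        if term.startswith(("ip4:", "ip6:")):
            # Address-family mismatch (v4 address vs ip6 network) is simply no match
            matched = addr in ipaddress.ip_network(term[4:], strict=False)
        elif term == "a":  # the domain's own A/AAAA record
            host = ZONE.get(domain, {})
            matched = str(addr) in (host.get("A"), host.get("AAAA"))
        elif term == "all":
            matched = True
        else:
            continue  # mechanisms not modelled here (mx, include, ...)
        if matched:
            return RESULT_FOR_QUALIFIER[qualifier]
    return "neutral"


def aligned(auth_domain, from_domain, mode):
    """'s' needs an exact match; 'r' accepts the same organizational domain."""
    a, f = auth_domain.lower(), from_domain.lower()
    return a == f if mode == "s" else org_domain(a) == org_domain(f)


def dmarc_result(from_domain, mail_from, helo, ip, dkim_d=None, dkim_pass=False):
    """DMARC passes if SPF *or* DKIM passes and that identifier aligns with
    the RFC 5322.From domain under the policy's aspf/adkim mode."""
    policy = parse_tags(ZONE.get(f"_dmarc.{from_domain}", {}).get("TXT", ""))
    aspf, adkim = policy.get("aspf", "r"), policy.get("adkim", "r")
    # SPF identity is the MAIL FROM domain; an empty MAIL FROM (bounces)
    # falls back to the HELO/EHLO name.
    spf_domain = mail_from.rsplit("@", 1)[-1] if mail_from else helo
    spf = check_spf(ip, spf_domain)
    spf_aligned = spf == "pass" and aligned(spf_domain, from_domain, aspf)
    dkim_aligned = bool(dkim_pass and dkim_d and aligned(dkim_d, from_domain, adkim))
    return {
        "spf": spf, "spf_domain": spf_domain, "spf_aligned": spf_aligned,
        "dkim_aligned": dkim_aligned, "policy": policy.get("p", "none"),
        "dmarc": "pass" if (spf_aligned or dkim_aligned) else "fail",
    }


if __name__ == "__main__":
    # Sub-domain sender without its own SPF record: fails despite the parent /32
    print(dmarc_result("example.com", "b@mx1.example.com", "mx1.example.com", "2001:db8:1::25"))
    # Same host type with "v=spf1 +a -all" and relaxed alignment: passes
    print(dmarc_result("example.com", "b@mx2.example.com", "mx2.example.com", "2001:db8:2::25"))
    # Bounce with empty MAIL FROM: the HELO name carries the SPF identity
    print(dmarc_result("example.com", "", "mx2.example.com", "2001:db8:2::25"))
    # aspf=s: a sub-domain SPF pass does not align; an aligned DKIM signature rescues it
    print(dmarc_result("example.org", "b@mx.example.org", "mx.example.org", "2001:db8:9::25"))
    print(dmarc_result("example.org", "b@mx.example.org", "mx.example.org", "2001:db8:9::25",
                       dkim_d="example.org", dkim_pass=True))
```

The first case is the situation the thread diagnoses: the sending address is inside the parent domain's ip6:/32, yet the sub-domain used as MAIL FROM has no record of its own, so SPF returns "none" and DMARC fails with nothing for a receiver to fall back on. Adding a per-host "v=spf1 +a -all" fixes it under aspf=r; under aspf=s only an aligned DKIM signature can.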


Re: [mailop] Is Gmails DMARC check broken?

2020-06-02 Thread Ken O'Driscoll via mailop
On Tue, 2020-06-02 at 17:36 +0100, Laura Atkins via mailop wrote:
> Why is Google applying a strict reject when the policy is p=none?
> 
> laura 

That was not my understanding of what was happening. I read it that it
happens only when he changes it:

"But as soon as I set p=reject Gmail is rejecting all emails"

Ken.


Re: [mailop] Is Gmails DMARC check broken?

2020-06-02 Thread Laura Atkins via mailop
Why is Google applying a strict reject when the policy is p=none?

laura

> On 2 Jun 2020, at 16:42, Ken O'Driscoll via mailop  wrote:
> 
> On Tue, 2020-06-02 at 17:04 +0200, Benoit Panizzon via mailop wrote:
>> _DMARC.imp.ch descriptive text "v=DMARC1; p=none; rua=mailto: 
>> dmarc-rep...@imp.ch
>> ; ruf=mailto: dmarc-rep...@imp.ch  ; aspf=s"
>> (reverted to p=none)
>> 
>> That email was sent from: 2001:4060:1:1002::139:139 which passes SPF.
>> 
>> Any idea what is going wrong? Is Gmail's DMARC implementation broken
>> 
>> and REQUIRES DKIM violating RFC?
> 
> Without seeing the actual message my guess is that the aspf=s is the problem. 
> This is telling receivers that you want to enforce strict SPF alignment, 
> which means the FQDNs used the SPF tests must match. So, if your 5321.From is 
> using a sub-domain then this will fail a DMARC test in the absence of DKIM.
> 
> Ken.

-- 
Having an Email Crisis?  We can help! 800 823-9674

Laura Atkins
Word to the Wise
la...@wordtothewise.com
(650) 437-0741

Email Delivery Blog: https://wordtothewise.com/blog


Re: [mailop] Is Gmails DMARC check broken?

2020-06-02 Thread Tim Bray via mailop

On 02/06/2020 16:42, Ken O'Driscoll via mailop wrote:
> Without seeing the actual message my guess is that the *aspf=s* is the
> problem. This is telling receivers that you want to enforce strict SPF
> alignment, which means the FQDNs used the SPF tests must match. So, if
> your 5321.From is using a sub-domain then this will fail a DMARC test
> in the absence of DKIM.

I think this.

and I guess the domain in the HELO too?

And the envelope sender.


We have no problems sending IPv6 email to google.   With DKIM, SPF and 
reverse DNS, it just worked.  I'm not sure what we do right, but it is 
possible to have it working.

--
Tim Bray
Huddersfield, GB
t...@kooky.org


Re: [mailop] Is Gmails DMARC check broken?

2020-06-02 Thread Al Iverson via mailop
I had similar trouble sending to Gmail over IPv6 long ago and I just
turned off the IPv6 interface on my server to fix it, because I'm a
typical dumb American. I was never quite sure, do I just not
understand how to specify SPF properly for IPv6 or does Gmail have a
bug in how they process SPF for IPv6.

Kitterman SPF check says:
Mail sent from this IP address: 2001:4060:1:1002::139:139
Mail from (Sender): b...@example.com
Mail checked using this SPF policy: v=spf1 ip6:2001:4060::/32
ip4:157.161.0.0/16 ip4:217.173.238.128/27 ip6:2a00:ec0:1::/64 -all
Results - PASS sender SPF authorized

In your case, I agree that SPF should be passing. I guess double check
that you're actually connecting to Google servers over the correct
interface, I also ran into this before as an issue, too. Maybe it's
not really connecting via 2001:4060:1:1002::139:139 and thus truly is
failing SPF.

I do see many examples of SPF/DMARC (no DKIM) working as
expected...i.e. delivers, not blocked. At work we have so many MTAs
with varying configs that we occasionally would have someone try to
send from a new MTA without DKIM yet configured, but SPF still passes,
and it delivers fine to Gmail. Granted, I haven't tested this in the
past few days, but unless it broke very recently, I feel confident
that they don't block in this way.

Good luck!

Regards,
Al Iverson

On Tue, Jun 2, 2020 at 10:13 AM Benoit Panizzon via mailop wrote:
>
> Hi Gang
>
> I'm on the way of more widely deploying DMARC and also testing DKIM
> once again. Also on our ISP email service domains.
>
> So at the moment I'm only using DMARC with SPF. According to my
> reading on how DMARC works, if no DKIM record is published, a passing
> SPF record is sufficient for authentication.
>
> But as soon as I set p=reject Gmail is rejecting all emails:
>
> : host aspmx.l.google.com[2a00:1450:4013:c04::1a] said:
> 550-5.7.26 Unauthenticated email from imp.ch is not accepted due to
> domain's 550-5.7.26 DMARC policy. Please contact the administrator of
> imp.ch domain if 550-5.7.26 this was a legitimate mail. Please visit
> 550-5.7.26  https://support.google.com/mail/answer/2451690 to learn about
> the 550 5.7.26 DMARC initiative. i4si1617970edq.200 - gsmtp (in reply to
> end of DATA command)
>
> imp.ch descriptive text "v=spf1 ip6:2001:4060::/32 ip4:157.161.0.0/16 
> ip4:217.173.238.128/27 ip6:2a00:ec0:1::/64 -all"
>
> _DMARC.imp.ch descriptive text "v=DMARC1; p=none; 
> rua=mailto:dmarc-rep...@imp.ch; ruf=mailto:dmarc-rep...@imp.ch; aspf=s"
> (reverted to p=none)
>
> That email was sent from: 2001:4060:1:1002::139:139 which passes SPF.
>
> Any idea what is going wrong? Is Gmail's DMARC implementation broken
> and REQUIRES DKIM violating RFC?
>
> Mit freundlichen Grüssen
>
> -Benoît Panizzon-

-- 
Al Iverson // Wombatmail // Chicago
Song a day! https://www.wombatmail.com
Deliverability! https://spamresource.com
And DNS Tools too! https://xnnd.com


Re: [mailop] Is Gmails DMARC check broken?

2020-06-02 Thread Ken O'Driscoll via mailop
On Tue, 2020-06-02 at 17:04 +0200, Benoit Panizzon via mailop wrote:
> _DMARC.imp.ch descriptive text "v=DMARC1; p=none; rua=mailto: 
> dmarc-rep...@imp.ch; ruf=mailto: dmarc-rep...@imp.ch ;
> aspf=s"(reverted to p=none)
> That email was sent from: 2001:4060:1:1002::139:139 which passes SPF.
> Any idea what is going wrong? Is Gmail's DMARC implementation broken
> and REQUIRES DKIM violating RFC?

Without seeing the actual message my guess is that the aspf=s is the
problem. This is telling receivers that you want to enforce strict SPF
alignment, which means the FQDNs used the SPF tests must match. So, if
your 5321.From is using a sub-domain then this will fail a DMARC test
in the absence of DKIM.

Ken.


[mailop] Is Gmails DMARC check broken?

2020-06-02 Thread Benoit Panizzon via mailop
Hi Gang

I'm on the way of more widely deploying DMARC and also testing DKIM
once again. Also on our ISP email service domains.

So at the moment I'm only using DMARC with SPF. According to my
reading on how DMARC works, if no DKIM record is published, a passing
SPF record is sufficient for authentication.

But as soon as I set p=reject Gmail is rejecting all emails:

: host aspmx.l.google.com[2a00:1450:4013:c04::1a] said:
550-5.7.26 Unauthenticated email from imp.ch is not accepted due to
domain's 550-5.7.26 DMARC policy. Please contact the administrator of
imp.ch domain if 550-5.7.26 this was a legitimate mail. Please visit
550-5.7.26  https://support.google.com/mail/answer/2451690 to learn about
the 550 5.7.26 DMARC initiative. i4si1617970edq.200 - gsmtp (in reply to
end of DATA command)

imp.ch descriptive text "v=spf1 ip6:2001:4060::/32 ip4:157.161.0.0/16 
ip4:217.173.238.128/27 ip6:2a00:ec0:1::/64 -all"

_DMARC.imp.ch descriptive text "v=DMARC1; p=none; 
rua=mailto:dmarc-rep...@imp.ch; ruf=mailto:dmarc-rep...@imp.ch; aspf=s"
(reverted to p=none)

That email was sent from: 2001:4060:1:1002::139:139 which passes SPF.

Any idea what is going wrong? Is Gmail's DMARC implementation broken
and REQUIRES DKIM violating RFC?

Mit freundlichen Grüssen

-Benoît Panizzon-